Encrypt and decrypt connectionstrings in web.config

Discussion in 'ASP .Net Security' started by DavidE, Jul 18, 2007.

  1. DavidE

    DavidE Guest

    Hi,

    I use the code below to encypt and decrypt connectionstrings in the
    web.config files.
    It works good but I don't understand somthing about the decryption. An
    hacker that gain the web.config file with the encrypted data, can copy it to
    a new web site that he created and use this line of code
    section.SectionInformation.UnprotectSection() and so get the connectionstring
    in plain text .I tried it. I copyed the web config to a new web site and then
    used this line of code and I got the original connectionstring. !!!!
    Am I right ? If I am, It is not a security solution.


    public void EncryptConnString()
    {
    Configuration config =
    WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection("connectionStrings");
    if (!section.SectionInformation.IsProtected)
    {

    section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
    config.Save();
    }
    }


    public void DecryptConnString()
    {
    Configuration config =
    WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection("connectionStrings");
    if (section.SectionInformation.IsProtected)
    {
    section.SectionInformation.UnprotectSection();
    config.Save();
    }
    }


    Thanks,

    David
    DavidE, Jul 18, 2007
    #1
    1. Advertising

  2. openwebconfiguration(request.filepath)

    hi David
    i have seen you your post and you said it works good. but i am also same thing as you do but it fails for me.
    actually i am using another config file and it has connectionstrings section to be encrypted. so i want to know what should be the virtual path to be given.

    my project name is masterpages and file name is commonconnstring.config. can you tell me what would the virtual path for this file.

    here is my code

    Private Sub EncryptConnString()

    Dim config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath & "/commonconnstring.config")

    Dim section = config.GetSection("connectionstrings")



    If (Not section.SectionInformation.IsProtected) Then
    section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider")
    config.Save()



    End If

    End Sub


    i appreciate for your reply

    thank you



    David wrote:

    Encrypt and decrypt connectionstrings in web.config
    18-Jul-07

    Hi

    I use the code below to encypt and decrypt connectionstrings in the
    web.config files
    It works good but I don't understand somthing about the decryption. An
    hacker that gain the web.config file with the encrypted data, can copy it to
    a new web site that he created and use this line of code
    section.SectionInformation.UnprotectSection() and so get the connectionstring
    in plain text .I tried it. I copyed the web config to a new web site and then
    used this line of code and I got the original connectionstring. !!!
    Am I right ? If I am, It is not a security solution

    public void EncryptConnString(

    Configuration config =
    WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath)
    ConfigurationSection section = config.GetSection("connectionStrings")
    if (!section.SectionInformation.IsProtected


    section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider")
    config.Save()



    public void DecryptConnString(

    Configuration config =
    WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath)
    ConfigurationSection section = config.GetSection("connectionStrings")
    if (section.SectionInformation.IsProtected

    section.SectionInformation.UnprotectSection()
    config.Save()

    }


    Thanks

    David

    Previous Posts In This Thread:

    On Wednesday, July 18, 2007 8:04 AM
    David wrote:

    Encrypt and decrypt connectionstrings in web.config
    Hi

    I use the code below to encypt and decrypt connectionstrings in the
    web.config files
    It works good but I don't understand somthing about the decryption. An
    hacker that gain the web.config file with the encrypted data, can copy it to
    a new web site that he created and use this line of code
    section.SectionInformation.UnprotectSection() and so get the connectionstring
    in plain text .I tried it. I copyed the web config to a new web site and then
    used this line of code and I got the original connectionstring. !!!
    Am I right ? If I am, It is not a security solution

    public void EncryptConnString(

    Configuration config =
    WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath)
    ConfigurationSection section = config.GetSection("connectionStrings")
    if (!section.SectionInformation.IsProtected


    section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider")
    config.Save()



    public void DecryptConnString(

    Configuration config =
    WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath)
    ConfigurationSection section = config.GetSection("connectionStrings")
    if (section.SectionInformation.IsProtected

    section.SectionInformation.UnprotectSection()
    config.Save()

    }


    Thanks

    David


    Submitted via EggHeadCafe - Software Developer Portal of Choice
    C# And The Little Iterator That Could
    http://www.eggheadcafe.com/tutorial...32-0ae26adaa533/c-and-the-little-iterato.aspx
    venkat athota, May 4, 2010
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?Y2hha3M3?=

    appSettings and connectionStrings in CONFIG files v2.0

    =?Utf-8?B?Y2hha3M3?=, Apr 21, 2006, in forum: ASP .Net
    Replies:
    0
    Views:
    392
    =?Utf-8?B?Y2hha3M3?=
    Apr 21, 2006
  2. sweety
    Replies:
    9
    Views:
    1,022
    Richard Heathfield
    Feb 7, 2006
  3. Replies:
    2
    Views:
    431
  4. den 2005
    Replies:
    4
    Views:
    220
    den 2005
    Jul 26, 2006
  5. Replies:
    1
    Views:
    431
    Daniel Martin
    Jun 16, 2007
Loading...

Share This Page