Use Dpapi with Shared Asp.Net Web Host?

[Phil C.]

Hi.

I'd like to use an encrypted database connection string. I'd also like use
an encrypted set of customer tables with a symmetric algorithm (and a secure
symmetric key) generated by .Net in my sql server database from asp.net
code stored on a shared host asp.net server.

I've downloaded a set of vb.net code that is a rewrite of the c# dpapi
code posted on msdn. The dpapi should enable me to encrypt the connection
string, but the portion of the code that calls the encryption class and
encrypts a given string is a console application.

The article accompanying the code states: "Note that you'll need to run the
console application on the IIS server to generate the encrypted
base-64-encoded string. this is because the EncryptString function
instructs the DPAPI to use the machine-wide key, so the encryption and
ecryption will be valid only on the same machine.

Since this is on a shared host thousands of miles away, and I don't belive
I can run any local console code on it,
does this mean I'm sunk????

Basically I need some secure way of storing my encrypted connection string
and storing
my symmetric encryption key. I know how to write the code to use the keys
and algorithms to encrypt and decrypt things.

I suppose I could hide bits and pieces of the each key
in different places in the code or database and append them together by
hardcoding, but
I believe that that could be discovered???? by dissassembling my code unless
I use a professional obfuscator???.

HELP!

--Insecure in Boston, MA
-->GO PATRIOTS!!!!!!!!!!!!!!!

 

[Svein Terje Gaup]

If you need to write your own DPAPI library, this might help:
http://msdn.microsoft.com/security/...l=/library/en-us/dnnetsec/html/SecNetHT08.asp

DPAPI is only suitable for encrypting and decrypting stuff on the same
machine. If you need to decrypt on a different machine, DPAPI is useless.

This article explains how to encrypt and store the connection string in the
registry:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod25.asp

HTH,
Svein Terje Gaup

 

[Phil C.]

Thanks, Svein

Since the only directory I have access to on the web host server is a given
asp.net directory for my files, I seriously doubt I would for security
reasons be allowed to access the registry. Therefore, my alternatives do
not look good at all.

Phil

 

[Svein Terje Gaup]

I'm not sure if this would work, but I guess you could try using asymetric
encryption. You could then store your public key and the encrypted
connection string in the web.config file on the web server. To decrypt the
connection string and connect to the database, the user connects using SSL,
passing the private key (as a kind of password). You might then store the
private key in the users context during the session.

Ah... you probably can't connect using SSL either since you don't have
access to the server? Or can you?

You could also use DPAPI as you suggested, but you should not use a console
application, but rather encapsulate your DPAPI code in a DLL file, as
suggested in this MSDN article:
http://msdn.microsoft.com/security/...l=/library/en-us/dnnetsec/html/SecNetHT07.asp.

DPAPI consists of unmanaged code, so you will have to sign the component.
I'm not sure, however, if even signing will be enough to allow the component
to be used on the shared webserver. This depends on the ISP's CAS policy.

You can then make an application (one aspx file) that by using the DPAPI
library encrypts the connection string in web.config. After the encryption
has been done, for security reasons, you would have to remove the
application from the server, so no-one could use it to "double-encrypt" your
connection string.

Just a few thoughts...
Svein Terje Gaup

 

[Phil C.]

Thanks again Svein,

I will look at both options as well as talk to the web host company (if I
can find someone knowlegeable there).
I gather this means that most small companies rent standalone servers from
web hosts.
Either that or they have their own server at their own location.

Phil