Use Dpapi with Shared Asp.Net Web Host?

  • Thread starter Dominick Baier [DevelopMentor]
  • Start date
D

Dominick Baier [DevelopMentor]

i wrote a couple of DPAPI tools (extended the ms impl, a command line tool .. and a ASP.NET frontend) - just upload the single aspx file to the server and you can encrypt whatever strings you like with DPAPI...don't forget to secure that page (or better delete it when you are finished)

download:
http://www.leastprivilege.com/PermaLink.aspx?guid=ebd9956e-a36c-4b57-8d58-6ff79a60e43f



---
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<[email protected]>

Hi.

I'd like to use an encrypted database connection string. I'd also like use
an encrypted set of customer tables with a symmetric algorithm (and a secure
symmetric key) generated by .Net in my sql server database from asp.net
code stored on a shared host asp.net server.

I've downloaded a set of vb.net code that is a rewrite of the c# dpapi
code posted on msdn. The dpapi should enable me to encrypt the connection
string, but the portion of the code that calls the encryption class and
encrypts a given string is a console application.

The article accompanying the code states: "Note that you'll need to run the
console application on the IIS server to generate the encrypted
base-64-encoded string. this is because the EncryptString function
instructs the DPAPI to use the machine-wide key, so the encryption and
ecryption will be valid only on the same machine.

Since this is on a shared host thousands of miles away, and I don't belive
I can run any local console code on it,
does this mean I'm sunk????

Basically I need some secure way of storing my encrypted connection string
and storing
my symmetric encryption key. I know how to write the code to use the keys
and algorithms to encrypt and decrypt things.

I suppose I could hide bits and pieces of the each key
in different places in the code or database and append them together by
hardcoding, but
I believe that that could be discovered???? by dissassembling my code unless
I use a professional obfuscator???.

HELP!

--Insecure in Boston, MA
-->GO PATRIOTS!!!!!!!!!!!!!!!



[microsoft.public.dotnet.framework.aspnet.security]
 
P

Phil C.

Thanks Dominick,

I think this ties in with Svein's last reply regarding creating a dll.
I will download it and try it.

Finding some answers to this question was difficult as I googled
considerably and looked
at a lot of .Net forums, but for some reason no one else seems to have
needed to document the answers.

Phil
 
P

Phil C.

Dominick,

The download link for your dpapi tools is not functional.
Could you please check the site and your zip file?

Thanks,

Phil



Phil C. said:
Thanks Dominick,

I think this ties in with Svein's last reply regarding creating a dll.
I will download it and try it.

Finding some answers to this question was difficult as I googled
considerably and looked
at a lot of .Net forums, but for some reason no one else seems to have
needed to document the answers.

Phil

Dominick Baier said:
i wrote a couple of DPAPI tools (extended the ms impl, a command line tool
.. and a ASP.NET frontend) - just upload the single aspx file to the
server and you can encrypt whatever strings you like with DPAPI...don't
forget to secure that page (or better delete it when you are finished)

download:
http://www.leastprivilege.com/PermaLink.aspx?guid=ebd9956e-a36c-4b57-8d58-6ff79a60e43f



---
Dominick Baier - DevelopMentor
http://www.leastprivilege.com


nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<[email protected]>

Hi.

I'd like to use an encrypted database connection string. I'd also like
use
an encrypted set of customer tables with a symmetric algorithm (and a
secure
symmetric key) generated by .Net in my sql server database from asp.net
code stored on a shared host asp.net server.

I've downloaded a set of vb.net code that is a rewrite of the c# dpapi
code posted on msdn. The dpapi should enable me to encrypt the connection
string, but the portion of the code that calls the encryption class and
encrypts a given string is a console application.

The article accompanying the code states: "Note that you'll need to run
the
console application on the IIS server to generate the encrypted
base-64-encoded string. this is because the EncryptString function
instructs the DPAPI to use the machine-wide key, so the encryption and
ecryption will be valid only on the same machine.

Since this is on a shared host thousands of miles away, and I don't
belive
I can run any local console code on it,
does this mean I'm sunk????

Basically I need some secure way of storing my encrypted connection
string
and storing
my symmetric encryption key. I know how to write the code to use the keys
and algorithms to encrypt and decrypt things.

I suppose I could hide bits and pieces of the each key
in different places in the code or database and append them together by
hardcoding, but
I believe that that could be discovered???? by dissassembling my code
unless
I use a professional obfuscator???.

HELP!

--Insecure in Boston, MA
-->GO PATRIOTS!!!!!!!!!!!!!!!



[microsoft.public.dotnet.framework.aspnet.security]
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,483
Members
44,902
Latest member
Elena68X5

Latest Threads

Top