Use Dpapi with Shared Asp.Net Web Host?

Discussion in 'ASP .Net Security' started by Dominick Baier [DevelopMentor], Jan 24, 2005.

  1. i wrote a couple of DPAPI tools (extended the ms impl, a command line tool .. and a ASP.NET frontend) - just upload the single aspx file to the server and you can encrypt whatever strings you like with DPAPI...don't forget to secure that page (or better delete it when you are finished)

    download:
    http://www.leastprivilege.com/PermaLink.aspx?guid=ebd9956e-a36c-4b57-8d58-6ff79a60e43f



    ---
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<>

    Hi.

    I'd like to use an encrypted database connection string. I'd also like use
    an encrypted set of customer tables with a symmetric algorithm (and a secure
    symmetric key) generated by .Net in my sql server database from asp.net
    code stored on a shared host asp.net server.

    I've downloaded a set of vb.net code that is a rewrite of the c# dpapi
    code posted on msdn. The dpapi should enable me to encrypt the connection
    string, but the portion of the code that calls the encryption class and
    encrypts a given string is a console application.

    The article accompanying the code states: "Note that you'll need to run the
    console application on the IIS server to generate the encrypted
    base-64-encoded string. this is because the EncryptString function
    instructs the DPAPI to use the machine-wide key, so the encryption and
    ecryption will be valid only on the same machine.

    Since this is on a shared host thousands of miles away, and I don't belive
    I can run any local console code on it,
    does this mean I'm sunk????

    Basically I need some secure way of storing my encrypted connection string
    and storing
    my symmetric encryption key. I know how to write the code to use the keys
    and algorithms to encrypt and decrypt things.

    I suppose I could hide bits and pieces of the each key
    in different places in the code or database and append them together by
    hardcoding, but
    I believe that that could be discovered???? by dissassembling my code unless
    I use a professional obfuscator???.

    HELP!

    --Insecure in Boston, MA
    -->GO PATRIOTS!!!!!!!!!!!!!!!



    [microsoft.public.dotnet.framework.aspnet.security]
     
    Dominick Baier [DevelopMentor], Jan 24, 2005
    #1
    1. Advertising

  2. Dominick Baier [DevelopMentor]

    Phil C. Guest

    Thanks Dominick,

    I think this ties in with Svein's last reply regarding creating a dll.
    I will download it and try it.

    Finding some answers to this question was difficult as I googled
    considerably and looked
    at a lot of .Net forums, but for some reason no one else seems to have
    needed to document the answers.

    Phil

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    >i wrote a couple of DPAPI tools (extended the ms impl, a command line tool
    >.. and a ASP.NET frontend) - just upload the single aspx file to the server
    >and you can encrypt whatever strings you like with DPAPI...don't forget to
    >secure that page (or better delete it when you are finished)
    >
    > download:
    > http://www.leastprivilege.com/PermaLink.aspx?guid=ebd9956e-a36c-4b57-8d58-6ff79a60e43f
    >
    >
    >
    > ---
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    >
    > nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<>
    >
    > Hi.
    >
    > I'd like to use an encrypted database connection string. I'd also like use
    > an encrypted set of customer tables with a symmetric algorithm (and a
    > secure
    > symmetric key) generated by .Net in my sql server database from asp.net
    > code stored on a shared host asp.net server.
    >
    > I've downloaded a set of vb.net code that is a rewrite of the c# dpapi
    > code posted on msdn. The dpapi should enable me to encrypt the connection
    > string, but the portion of the code that calls the encryption class and
    > encrypts a given string is a console application.
    >
    > The article accompanying the code states: "Note that you'll need to run
    > the
    > console application on the IIS server to generate the encrypted
    > base-64-encoded string. this is because the EncryptString function
    > instructs the DPAPI to use the machine-wide key, so the encryption and
    > ecryption will be valid only on the same machine.
    >
    > Since this is on a shared host thousands of miles away, and I don't belive
    > I can run any local console code on it,
    > does this mean I'm sunk????
    >
    > Basically I need some secure way of storing my encrypted connection string
    > and storing
    > my symmetric encryption key. I know how to write the code to use the keys
    > and algorithms to encrypt and decrypt things.
    >
    > I suppose I could hide bits and pieces of the each key
    > in different places in the code or database and append them together by
    > hardcoding, but
    > I believe that that could be discovered???? by dissassembling my code
    > unless
    > I use a professional obfuscator???.
    >
    > HELP!
    >
    > --Insecure in Boston, MA
    > -->GO PATRIOTS!!!!!!!!!!!!!!!
    >
    >
    >
    > [microsoft.public.dotnet.framework.aspnet.security]
     
    Phil C., Jan 24, 2005
    #2
    1. Advertising

  3. Dominick Baier [DevelopMentor]

    Phil C. Guest

    Problems with Dpapi Tools zip download link

    Dominick,

    The download link for your dpapi tools is not functional.
    Could you please check the site and your zip file?

    Thanks,

    Phil



    "Phil C." <> wrote in message
    news:%...
    > Thanks Dominick,
    >
    > I think this ties in with Svein's last reply regarding creating a dll.
    > I will download it and try it.
    >
    > Finding some answers to this question was difficult as I googled
    > considerably and looked
    > at a lot of .Net forums, but for some reason no one else seems to have
    > needed to document the answers.
    >
    > Phil
    >
    > "Dominick Baier [DevelopMentor]" <>
    > wrote in message news:...
    >>i wrote a couple of DPAPI tools (extended the ms impl, a command line tool
    >>.. and a ASP.NET frontend) - just upload the single aspx file to the
    >>server and you can encrypt whatever strings you like with DPAPI...don't
    >>forget to secure that page (or better delete it when you are finished)
    >>
    >> download:
    >> http://www.leastprivilege.com/PermaLink.aspx?guid=ebd9956e-a36c-4b57-8d58-6ff79a60e43f
    >>
    >>
    >>
    >> ---
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>
    >>
    >> nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<>
    >>
    >> Hi.
    >>
    >> I'd like to use an encrypted database connection string. I'd also like
    >> use
    >> an encrypted set of customer tables with a symmetric algorithm (and a
    >> secure
    >> symmetric key) generated by .Net in my sql server database from asp.net
    >> code stored on a shared host asp.net server.
    >>
    >> I've downloaded a set of vb.net code that is a rewrite of the c# dpapi
    >> code posted on msdn. The dpapi should enable me to encrypt the connection
    >> string, but the portion of the code that calls the encryption class and
    >> encrypts a given string is a console application.
    >>
    >> The article accompanying the code states: "Note that you'll need to run
    >> the
    >> console application on the IIS server to generate the encrypted
    >> base-64-encoded string. this is because the EncryptString function
    >> instructs the DPAPI to use the machine-wide key, so the encryption and
    >> ecryption will be valid only on the same machine.
    >>
    >> Since this is on a shared host thousands of miles away, and I don't
    >> belive
    >> I can run any local console code on it,
    >> does this mean I'm sunk????
    >>
    >> Basically I need some secure way of storing my encrypted connection
    >> string
    >> and storing
    >> my symmetric encryption key. I know how to write the code to use the keys
    >> and algorithms to encrypt and decrypt things.
    >>
    >> I suppose I could hide bits and pieces of the each key
    >> in different places in the code or database and append them together by
    >> hardcoding, but
    >> I believe that that could be discovered???? by dissassembling my code
    >> unless
    >> I use a professional obfuscator???.
    >>
    >> HELP!
    >>
    >> --Insecure in Boston, MA
    >> -->GO PATRIOTS!!!!!!!!!!!!!!!
    >>
    >>
    >>
    >> [microsoft.public.dotnet.framework.aspnet.security]

    >
    >
     
    Phil C., Jan 24, 2005
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. multiplex77
    Replies:
    0
    Views:
    622
    multiplex77
    Jan 30, 2007
  2. BigLuzer
    Replies:
    1
    Views:
    1,485
    Cowboy \(Gregory A. Beamer\)
    Nov 21, 2006
  3. Phil C.

    Use Dpapi with Shared Asp.Net Web Host?

    Phil C., Jan 24, 2005, in forum: ASP .Net Security
    Replies:
    4
    Views:
    174
    Phil C.
    Jan 24, 2005
  4. Replies:
    0
    Views:
    967
  5. Berry at JSO
    Replies:
    1
    Views:
    761
    Dominick Baier [DevelopMentor]
    May 20, 2006
Loading...

Share This Page