web.config - encrypting details ASP .NET 1.1


Sal

Unfortunately our organisation isn't planning to migrate to .NET 2.0 for a
while and I need to tighten the security of the data
(usernames/pwd/connstrings) in our *.config files.
From the research I have done, a possible solution is to use DPAPI (Machine)
+ Isolated Storage. I was planning on creating a shared .dll to hold the
encrypting/decrypting DPAPI functions for the various applications on the
server to reference in decrypting values in the *.config files, which would
then be stored in an Application Session variable on Application_Start
(Global.asax). I was going to use Isolated Storage to store the Second
Entropy to be used as part of the encryption and store it (in encrypted
format). Yes, I know Isolated Storage is not to be used for storing secret
data, but the key is in cipher-text and its location is better than just
putting it in the code.

Has anyone employed something similar, or can offer an opinion?


TIA
 

Dominick Baier

Isolated storage may not behave as expected in ASP.NET

Since IIS6 does not load a user profile, all isolated storages will end
up in the AllUsers profile, which again means you don't get a clean ACL separation.
Why not simply store the entropy in the registry (or even a file) and ACL
it using the individual worker process accounts?

If application separation is an issue for you, you should run all apps in
partial trust; this is the only effective way to separate applications on
a server.
 

Sal

Thanks Dominick, will look into 'partial trust'.
In the one scenario I have set up to use DPAPI (machine) + Second Entropy
using Isolated Storage, the location that Isolated Storage uses is under the
computer's name followed by 'ASPNET', which I assume is the system user
responsible for running the website.
I was hoping that this shared tool would also generate the second entropy
for each application and use Isolated Storage and store it according to the
application, but it looks like to do so you have to have the application
itself employ Isolated Storage, not the tool. The registry option is one I'll
look into.
Thanks.
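The approach the thread converges on (DPAPI in machine mode with a second entropy, the entropy kept in a file or registry value ACLed to the worker process account rather than in Isolated Storage, and the decrypted values loaded once in Application_Start) can be written for .NET 1.1 as below. This is an added example, not code from the thread or from either poster. .NET 1.1 has no ProtectedData class (that arrived in 2.0), so it P/Invokes CryptProtectData/CryptUnprotectData from crypt32.dll directly. The entropy file path, the appSettings key name and the class name are assumptions.

```csharp
// Added example: DPAPI machine-store protection for .NET 1.1 via P/Invoke.
// The second entropy is read from a file whose ACL grants read access only to the
// worker process account (a registry value works the same way). Path is assumed.
using System;
using System.IO;
using System.Text;
using System.Configuration;
using System.Runtime.InteropServices;

public sealed class DpapiConfigProtector
{
    [StructLayout(LayoutKind.Sequential)]
    private struct DATA_BLOB { public int cbData; public IntPtr pbData; }

    private const int CRYPTPROTECT_UI_FORBIDDEN = 0x1;  // never raise a prompt from a service
    private const int CRYPTPROTECT_LOCAL_MACHINE = 0x4; // machine store, independent of the user profile

    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool CryptProtectData(ref DATA_BLOB pDataIn, string szDataDescr,
        ref DATA_BLOB pOptionalEntropy, IntPtr pvReserved, IntPtr pPromptStruct,
        int dwFlags, ref DATA_BLOB pDataOut);

    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool CryptUnprotectData(ref DATA_BLOB pDataIn, IntPtr ppszDataDescr,
        ref DATA_BLOB pOptionalEntropy, IntPtr pvReserved, IntPtr pPromptStruct,
        int dwFlags, ref DATA_BLOB pDataOut);

    [DllImport("kernel32.dll")]
    private static extern IntPtr LocalFree(IntPtr hMem);

    // Copies managed bytes into an unmanaged blob DPAPI can read (caller frees pbData).
    private static DATA_BLOB ToBlob(byte[] data)
    {
        DATA_BLOB blob = new DATA_BLOB();
        blob.cbData = data.Length;
        blob.pbData = Marshal.AllocHGlobal(data.Length);
        Marshal.Copy(data, 0, blob.pbData, data.Length);
        return blob;
    }

    // Copies a DPAPI output blob back to managed memory and releases the LocalAlloc'd buffer.
    private static byte[] FromBlob(DATA_BLOB blob)
    {
        byte[] data = new byte[blob.cbData];
        Marshal.Copy(blob.pbData, data, 0, blob.cbData);
        LocalFree(blob.pbData);
        return data;
    }

    private static byte[] Call(bool protect, byte[] input, byte[] entropy)
    {
        DATA_BLOB inBlob = ToBlob(input);
        DATA_BLOB entropyBlob = ToBlob(entropy);
        DATA_BLOB outBlob = new DATA_BLOB();
        try
        {
            int flags = CRYPTPROTECT_UI_FORBIDDEN | CRYPTPROTECT_LOCAL_MACHINE;
            bool ok = protect
                ? CryptProtectData(ref inBlob, "web.config secret", ref entropyBlob,
                                   IntPtr.Zero, IntPtr.Zero, flags, ref outBlob)
                : CryptUnprotectData(ref inBlob, IntPtr.Zero, ref entropyBlob,
                                     IntPtr.Zero, IntPtr.Zero, flags, ref outBlob);
            if (!ok) // wrong entropy, other machine, or tampered blob all land here
                throw new ApplicationException("DPAPI call failed, Win32 error " + Marshal.GetLastWin32Error());
            return FromBlob(outBlob);
        }
        finally
        {
            Marshal.FreeHGlobal(inBlob.pbData);
            Marshal.FreeHGlobal(entropyBlob.pbData);
        }
    }

    // Ciphertext is Base64 so it can sit in an appSettings value.
    public static string Protect(string plaintext, byte[] entropy)
    {
        return Convert.ToBase64String(Call(true, Encoding.Unicode.GetBytes(plaintext), entropy));
    }

    public static string Unprotect(string base64Ciphertext, byte[] entropy)
    {
        return Encoding.Unicode.GetString(Call(false, Convert.FromBase64String(base64Ciphertext), entropy));
    }

    // Reads the per-application second entropy from the ACLed file (File.ReadAllBytes is 2.0-only).
    public static byte[] LoadEntropy(string path)
    {
        using (FileStream fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read))
        {
            byte[] buf = new byte[fs.Length];
            int read = 0;
            while (read < buf.Length)
            {
                int n = fs.Read(buf, read, buf.Length - read);
                if (n <= 0) throw new IOException("Entropy file truncated: " + path);
                read += n;
            }
            return buf;
        }
    }
}

// Global.asax (hypothetical): decrypt once at start-up, keep plaintext only in Application state.
// web.config then carries ciphertext only: <add key="ConnString" value="...base64 DPAPI blob..." />
public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        byte[] entropy = DpapiConfigProtector.LoadEntropy(@"C:\secrets\myapp.entropy"); // assumed path
        Application["ConnString"] = DpapiConfigProtector.Unprotect(
            ConfigurationSettings.AppSettings["ConnString"], entropy);
    }
}
```

CRYPTPROTECT_LOCAL_MACHINE means any process on the box can call CryptUnprotectData on the blob, so the protection reduces to whoever can read the entropy file: give each application its own entropy file readable only by its own worker process account, and the blobs in one site's web.config are useless to another site even when both run as machine-scope DPAPI callers. A blob is also bound to the machine that created it, so each server in a farm needs the values protected on that server.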
 
