web.config - encrypting details ASP .NET 1.1

Discussion in 'ASP .Net Security' started by Sal, Dec 1, 2006.

  1. Sal

    Sal Guest

    Unfortunately our organisation isn't planning to migrate to .NET 2.0 for a
    while and I need to tighten the security of the data
    (usernames/pwd/connstrings) in our *.config files.
    From the research I have done, a possible solution is to use DPAPI (Machine)
    + Isolated Storage. I was planning on creating a shared .dll to hold the
    encrypting/decrypting DPAPI functions for the various applications on the
    server to reference in decrypting values in the *.config files, which would
    then be stored in an Application Session variable on Application_Start
    (Globals.asax). I was going to use Isolated Storage to store the Second
    Entropy to be used as part of the encryption and store it (in encrypted
    format). Yes, I know Isolated Storage is not to be used for storing secret
    data, but the key is in cipher-text and its location is better than just
    putting it in the code.

    Has anyone employed something similar, or can offer an opinion?


    TIA
     
    Sal, Dec 1, 2006
    #1

  2. Why not use plain DPAPI with the machine key - an attacker would have to
    run code on the server to decrypt the data.

    I have a wrapper here:

    http://www.leastprivilege.com/DPAPITools.aspx

    -----
    Dominick Baier (http://www.leastprivilege.com)

    > Unfortunately our organisation isn't planning to migrate to .NET 2.0 for a
    > while and I need to tighten the security of the data
    > (usernames/pwd/connstrings) in our *.config files.
    > From the research I have done, a possible solution is to use DPAPI (Machine)
    > + Isolated Storage. I was planning on creating a shared .dll to hold the
    > encrypting/decrypting DPAPI functions for the various applications on the
    > server to reference in decrypting values in the *.config files, which would
    > then be stored in an Application Session variable on Application_Start
    > (Globals.asax). I was going to use Isolated Storage to store the Second
    > Entropy to be used as part of the encryption and store it (in encrypted
    > format). Yes, I know Isolated Storage is not to be used for storing secret
    > data, but the key is in cipher-text and its location is better than just
    > putting it in the code.
    > Has anyone employed something similar, or can offer an opinion?
    >
    > TIA
     
    Dominick Baier, Dec 1, 2006
    #2

  3. Isolated storage may not behave as expected in ASP.NET

    Since IIS6 does not load a user profile, all isolated storage will end
    up in the AllUsers profile, which again means you don't get a clean ACL separation.
    Why not simply store the entropy in the registry (or even a file) and ACL
    it using the individual worker process accounts?

    If application separation is an issue for you, you should run all apps in
    partial trust - this is the only effective way to separate applications on
    a server.
     
    Dominick Baier, Dec 1, 2006
    #3
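The machine-scope DPAPI plus secondary-entropy scheme discussed in posts #1 and #3, as an added example that is neither the thread's code nor Dominick's DPAPITools wrapper. .NET 1.1 has no ProtectedData class, so the helper (hypothetical name DpapiMachine) P/Invokes crypt32 directly; because machine scope lets any process on the box call CryptUnprotectData, the entropy passed in is what actually separates applications and should come from a file or registry value ACL'd to that app's worker-process account, not from code or Isolated Storage.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;
public class DpapiMachine   // hypothetical helper, not from the thread
{
    [StructLayout(LayoutKind.Sequential)] struct DATA_BLOB { public int cbData; public IntPtr pbData; }
    const int CRYPTPROTECT_UI_FORBIDDEN = 0x1;
    const int CRYPTPROTECT_LOCAL_MACHINE = 0x4;   // machine key: works without a loaded user profile

    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CryptProtectData(ref DATA_BLOB pIn, string desc, ref DATA_BLOB entropy,
        IntPtr reserved, IntPtr prompt, int flags, ref DATA_BLOB pOut);
    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CryptUnprotectData(ref DATA_BLOB pIn, IntPtr desc, ref DATA_BLOB entropy,
        IntPtr reserved, IntPtr prompt, int flags, ref DATA_BLOB pOut);
    [DllImport("kernel32.dll")] static extern IntPtr LocalFree(IntPtr h);

    static DATA_BLOB ToBlob(byte[] b)
    {
        DATA_BLOB blob = new DATA_BLOB(); blob.cbData = b.Length;
        blob.pbData = Marshal.AllocHGlobal(b.Length); Marshal.Copy(b, 0, blob.pbData, b.Length);
        return blob;
    }

    // Calls CryptProtectData or CryptUnprotectData and frees every native buffer afterwards.
    static byte[] Call(bool protect, byte[] data, byte[] entropy)
    {
        DATA_BLOB input = ToBlob(data), ent = ToBlob(entropy), output = new DATA_BLOB();
        int flags = CRYPTPROTECT_UI_FORBIDDEN | CRYPTPROTECT_LOCAL_MACHINE;
        try {
            bool ok = protect
                ? CryptProtectData(ref input, "config secret", ref ent, IntPtr.Zero, IntPtr.Zero, flags, ref output)
                : CryptUnprotectData(ref input, IntPtr.Zero, ref ent, IntPtr.Zero, IntPtr.Zero, flags, ref output);
            if (!ok) throw new ApplicationException("DPAPI call failed, Win32 error " + Marshal.GetLastWin32Error());
            byte[] result = new byte[output.cbData];
            Marshal.Copy(output.pbData, result, 0, output.cbData);
            return result;
        } finally {
            Marshal.FreeHGlobal(input.pbData); Marshal.FreeHGlobal(ent.pbData);
            if (output.pbData != IntPtr.Zero) LocalFree(output.pbData);   // DPAPI output is LocalAlloc'd
        }
    }
    // entropy = the per-application secondary secret, read from a file or registry value
    // that is ACL'd to that application's worker-process account (never embedded in code).
    public static string Protect(string plain, byte[] entropy)
    { return Convert.ToBase64String(Call(true, Encoding.UTF8.GetBytes(plain), entropy)); }
    public static string Unprotect(string cipherB64, byte[] entropy)
    { return Encoding.UTF8.GetString(Call(false, Convert.FromBase64String(cipherB64), entropy)); }
}
```

Generate the entropy once per application with RNGCryptoServiceProvider (available in 1.1) rather than deriving it from anything guessable; on .NET 2.0 and later the same call is ProtectedData.Protect(data, entropy, DataProtectionScope.LocalMachine).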
  4. Sal

    Sal Guest

    Thanks Dominick, will look into 'partial trust'.
    In the one scenario I have set up to use DPAPI (machine) + Second Entropy
    using Isolated Storage, the location that Isolated Storage uses is under the
    computer's name followed by 'ASPNET' - which I assume is the system user
    responsible for running the website under.
    I was hoping that this shared tool would also generate the second entropy
    for each application and use Isolated Storage and store it according to the
    application, but it looks like to do so you have to have the application
    itself employ Isolated Storage, not the tool. The registry option is one I'll
    look into.
    Thanks.


    "Dominick Baier" wrote:

    > Isolated storage may not behave as expected in ASP.NET
    >
    > Since IIS6 does not load a user profile, all isolated storage will end
    > up in the AllUsers profile, which again means you don't get a clean ACL separation.
    > Why not simply store the entropy in the registry (or even a file) and ACL
    > it using the individual worker process accounts?
    >
    > If application separation is an issue for you, you should run all apps in
    > partial trust - this is the only effective way to separate applications on
    > a server.
     
    Sal, Dec 3, 2006
    #4