The value of web.config RSA encryption

Discussion in 'ASP .Net' started by Max2006, Oct 22, 2008.

  1. Max2006

    Max2006 Guest

    Hi,

    In our production environment, we would like to protect our database
    connection string against system administrators (they are admin on the web
    server box).
    I went through this article that describes options on how to encrypt the
    connection string section within the web.config:

    http://msdn.microsoft.com/en-us/library/ms998283.aspx

    The article explains that aspnet_regiis -pdf can easily decrypt the
    web.config back to clear text. That means an administrator can
    decrypt all database connection strings. So there is not much point in
    encrypting the web.config for us.

    I wonder if there is any technique so that the decryption won't be easy
    (like using a salt or secondary key that only the web application knows).

    Any help would be appreciated,
    Max
     
    Max2006, Oct 22, 2008
    #1

  2. Hi Max,

    Based on my experience, it's impossible to protect the connection string
    against system administrators. If we need ASP.NET to get the connection
    string, ASP.NET must know how to decrypt it. As we know, the system
    administrator has the highest privilege. If the ASP.NET account can know
    the key to decrypt it, the system admin can know that as well.

    What I can suggest is, if you don't trust the administrators of the server
    hosting your web site, you can host your web site yourself. If you have no
    other choice, maybe you can seek some legal advice.

    Hope my suggestions can help and please let me know if you need further
    assistance.

    Regards,
    Allen Chen
    Microsoft Online Support

     
    Allen Chen [MSFT], Oct 23, 2008
    #2
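The section-level encryption discussed in this thread leaves a visible marker in web.config, so whether a connection string is stored protected can be checked from the file alone. The following is an added example, not part of the thread or of the MSDN article: a Python check that classifies the `connectionStrings` section as protected (and by which provider) or plaintext, and lists plaintext entries that embed a password. The function name and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XMLENC = "{http://www.w3.org/2001/04/xmlenc#}"
SECRET_KEYS = ("password", "pwd")

# Constructed sample: plaintext section, as stored before any encryption.
PLAINTEXT_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db01;Database=App;User Id=app;Password=EXAMPLE" />
    <add name="Reports" connectionString="Server=db01;Database=Rep;Integrated Security=SSPI" />
  </connectionStrings>
</configuration>"""

# Constructed sample: protected section, reduced to the elements the check reads.
PROTECTED_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""


def audit_connection_strings(config_xml):
    """Classify the <connectionStrings> section of one web.config document."""
    section = ET.fromstring(config_xml).find("connectionStrings")
    if section is None:
        return {"state": "absent"}
    provider = section.get("configProtectionProvider")
    # Protected only if the provider attribute AND the encrypted payload exist.
    if provider and section.find(XMLENC + "EncryptedData") is not None:
        return {"state": "protected", "provider": provider}
    # Plaintext section: report entries whose string embeds a credential.
    exposed = []
    for add in section.findall("add"):
        keys = [part.split("=", 1)[0].strip().lower()
                for part in add.get("connectionString", "").split(";")]
        if any(key in SECRET_KEYS for key in keys):
            exposed.append(add.get("name"))
    return {"state": "plaintext", "exposed": exposed}


if __name__ == "__main__":
    print(audit_connection_strings(PLAINTEXT_CONFIG))
    print(audit_connection_strings(PROTECTED_CONFIG))
```

A "protected" result only describes how the section is stored in the file; as the reply above explains, any account that can use the key on the server can still read the value.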

  3. Hi Max,

    Have you got the expected answer?

    Regards,
    Allen Chen
    Microsoft Online Support

     
    Allen Chen [MSFT], Oct 27, 2008
    #3
  4. Max2006

    Max2006 Guest

    Hi Allen, Yes I did. Thanks...Max
     
    Max2006, Oct 31, 2008
    #4
