Encrypting Web.config in ASP.NET 2.0 Applications
When creating ASP.NET 2.0 applications, developers commonly store sensitive configuration information in the Web.config file. The canonical example is database connection strings, but other sensitive information in Web.config can include SMTP server connection details and user credentials, among others. While ASP.NET is configured, by default, to reject all HTTP requests for resources with the .config extension, the sensitive information in Web.config can still be compromised if an attacker obtains access to your web server's file system. For example, perhaps you forgot to disallow anonymous FTP access to your website, allowing an attacker to simply connect over FTP and download your Web.config file.

Fortunately, ASP.NET 2.0 helps by allowing selected portions of the Web.config file to be encrypted. When encrypted configuration settings are retrieved programmatically in your ASP.NET pages, ASP.NET automatically decrypts the encrypted sections it is reading. In short, once the configuration information is encrypted, you do not need to write any further code or take any further action to use that data in your application.

Encrypting and decrypting configuration sections carries a performance cost. Therefore, encrypt only the configuration sections that contain sensitive information. There is likely no need to encrypt, say, the <compilation> or <authorization> sections.

The .NET Framework 2.0 libraries can encrypt almost any configuration section within the Web.config or machine.config files. Configuration sections are the XML elements that are children of the <configuration> or <system.web> elements. Each of these sections can optionally be encrypted, either programmatically or with aspnet_regiis.exe, a command-line tool. When a section is encrypted, the ciphertext is stored directly in the configuration file.
An encrypted section may look like this (the cipher value is abbreviated):

    <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
      <EncryptedData>
        <CipherData>
          <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAed...GicAlQ==</CipherValue>
        </CipherData>
      </EncryptedData>
    </connectionStrings>

There are some configuration sections that you cannot encrypt using this technique:

• <processModel>
• <runtime>
• <mscorlib>
• <startup>
• <system.runtime.remoting>
• <configProtectedData>
• <satelliteassemblies>
• <cryptographySettings>
• <cryptoNameMapping>
• <cryptoClasses>

To protect these sections you must encrypt the value yourself and store it in the registry.

The .NET Framework 2.0 ships with two built-in providers for protecting configuration sections:

• The Windows Data Protection API (DPAPI) provider (DataProtectionConfigurationProvider) uses the built-in cryptography capabilities of Windows to encrypt and decrypt the configuration sections. By default this provider uses the machine's key. You can also use user keys, but that requires a bit more customization. Since the keys are machine- or user-specific, the DPAPI provider does not work where you want to deploy the same encrypted configuration file to multiple servers.

• The RSA Protected Configuration provider (RSAProtectedConfigurationProvider) uses RSA public-key encryption to encrypt and decrypt the configuration sections. With this provider you need to create key containers that hold the public and private keys used for encrypting and decrypting the configuration information. You can use RSA in a multi-server scenario by creating exportable key containers.

You can encrypt and decrypt sections of the Web.config file using the aspnet_regiis.exe command-line tool, which is found in the %WINDOWSDIR%\Microsoft.Net\Framework\version directory.
To encrypt a section of the Web.config with the DPAPI machine key using this command-line tool, the syntax is:

    aspnet_regiis.exe -pe section -app virtual_directory -prov provider

Example (here the site is identified by its physical path with -pef):

    aspnet_regiis.exe -pef "connectionStrings" "C:\Inetpub\wwwroot\MySite" -prov "DataProtectionConfigurationProvider"

To decrypt:

    aspnet_regiis.exe -pd section -app virtual_directory

Example:

    aspnet_regiis.exe -pd "connectionStrings" -app "/MySite"
You can identify the config file either by its physical path (the -pef/-pdf switches take the directory containing Web.config) or by its virtual path (-pe/-pd together with -app).
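The article mentions that sections can also be encrypted programmatically. The following is an added example, not code from the article, showing the programmatic equivalent of the -pe and -pd commands above; it assumes a site mounted at the hypothetical virtual path "/MySite" and an identity that may write Web.config.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example: programmatic counterpart of "aspnet_regiis -pe / -pd".
// Assumes the site is mounted at the virtual path "/MySite" (hypothetical)
// and that the calling identity has write access to its Web.config.
public static class WebConfigProtector
{
    public const string DpapiProvider = "DataProtectionConfigurationProvider";
    public const string RsaProvider = "RSAProtectedConfigurationProvider";

    // Encrypts one section in place; returns true if the file was changed.
    public static bool ProtectSection(string appVirtualPath, string sectionName, string providerName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found: " + sectionName);
        if (section.SectionInformation.IsProtected)
            return false; // already encrypted, nothing to do

        section.SectionInformation.ProtectSection(providerName);
        section.SectionInformation.ForceSave = true; // write even if values are unchanged
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reverses ProtectSection; returns true if the file was changed.
    public static bool UnprotectSection(string appVirtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reading needs no extra code: the runtime decrypts the section transparently.
    public static string ReadConnectionString(string name)
    {
        ConnectionStringSettings cs = WebConfigurationManager.ConnectionStrings[name];
        return cs == null ? null : cs.ConnectionString;
    }
}
```

A call such as `WebConfigProtector.ProtectSection("/MySite", "connectionStrings", WebConfigProtector.DpapiProvider)` belongs in a one-off setup step, not in normal page code. With the DPAPI machine key, the worker process that later reads the section must run on the same server that encrypted it.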
Responses
Author: Mahesh Raj, 07 Jun 2008
This is very good information. Continue posting such useful articles.

Author: John Fernandez, 08 Jun 2008
Very well written article. Thanks for sharing this information.