Encrypting connectionString element of web.config

Good afternoon!

I am interested in storing my DB connection strings in web.config files. To make this practical, I would like to use the encryption methods available with ASP.NET 2.0.

Does discountasp.net support this in it's shared web hosting plans?

If so, can I confirm that web applications on discountasp.net run using the "NT AUTHORITY\NETWORK SERVICE" identity?

Are there any special steps I will need to take to encrypt parts of my web.config file?

Any help would be appreciated!


Thanks!

Michael McMorrow
http://www.mobilnet-ny.com

 

We will be discussing whether or not we can support this. From my initial research, it can become very complicated, and it involves our customers creating their own custom RSA key which we will need to import on the server. But as of now, we do not support it.

For anyone interested on how it works: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000006.asp

Each site at DiscountASP.NET run using their own ASPNET user account, not the NETWORK SERVICE.

DiscountASP.NET
www.DiscountASP.NET

Post Edited (Aristotle [DASP]) : 12/23/2005 2:38:01 AM GMT

 

I suspected as much. I would have to create an encryption key, which would then have to be installed, by you, on your server. While doable, I can appreciate that such a procedure would be difficult to manage on your end.

Thanks for the reply!

Michael McMorrow
http://www.mobilnet-ny.com

 

You could always use the MS Patterns & Practices Enterprise Library to do this.
There are facilities to encrypt the ENTIRE web.config file.

Make sure to read this post in this forum before implementing the enterprise library. You need to remove some of the monitoring functionalities from the EntLib project and rebuild it before making use of the .dll's
http://community.discountasp.net/default.aspx?f=5&m=7459

 

Thanks, Buzzmaster! I'll look into it, and post my findings.


Michael McMorrow


http://www.mobilnet-ny.com

 

UPDATE: Microsoft has not yet published the Cryptography application block portion of the Enterprise Library for .NET 2.0. So, I'm dead in the water at this point.

How are other folks on discountasp.net handling their database connection strings? Is plain-text storage in web.config files or assemblies the norm?

I'd like to hear from you!

- Mikeymac

 

I am using plain text now but would like to encrypt if/when possible.


bill

 

Came across the following snippet in a Microsoft article:
Another situation in which embedding the key in the application source code may be the only option is when the application data owners have limited or no access to the machines hosting their applications. A Web hosting environment is one of the obvious examples. If embedding the key in the application source code is your only option, you must realize the associated risks and address them accordingly.


The major risk in this case comes from reverse engineering and at this time it can only be addressed by obfuscation. Obfuscation does not make reverse engineering impossible, but it can make the process expensive and time consuming. Compare Figure7, which shows a decompiled assembly obfuscated by a Demeanor, to Figure3. Because all nonpublic symbols in the obfuscated assembly are renamed using unprintable characters and the strings are encrypted, reconstructing application logic from the assembly may be next to impossible. Commercial decompilers, such as Salamander, can make the job of reverse engineering easier by converting nonprintable characters to their printable equivalents and converting application classes into source files, but they cost money and still require a hacker to make sense of the unreadable symbols (this is where spaghetti code could actually help you!).
If you define the key in the application, in addition to obfuscating the assembly, try not to store the actual key bytes in the source code. Instead, implement key-generation logic using persistent characteristics, such as the encryption algorithm, key size, pass phrase, initialization vector, and salt (see an example at Encrypt and Decrypt Data Using a Symmetric (Rijndael) Key). This will introduce an extra layer of indirection, so the key will not be accessible by simply dumping the symbols from the application binary. As long as you do not change key-generation logic and key characteristics, the resulting key is guaranteed to be the same. It may also be a good idea not to use static strings as key-generation characteristics, but rather build them on the fly. Another suggestion would be to treat the assembly the same way as the data store should be treated, that is, by applying the appropriate ACLs. And only use this option as a last resort, when none of the other data protection techniques work and your only alternative is leaving sensitive data unencrypted.

...so...you can define a custom encryption algorithm, encrypt your connection string offline, add the encrypted value to your web.config file, and add a custom decryption algorithm to your source code. Every time you need the connection string, you will need to call the custom decryption method to retrieve it. Obfuscate the hell out of your code.

None of this will make your application very secure, but perhaps it will be secure enough for your purposes. In truth, if we really want superior security, we'll have to pay more than 10 - 30 dollars/month for shared hosting.

Note to discountasp.net: You might offer storage of encryption keys in secure locations as an additional service...charge another 10bucks/month for management of the keys. Food for thought...

 

Forgive the ignorance of a newbie who is not very knowledgable about encryption, but I am struggling to understand why RSA encryption keys need to be installed at DiscountASP.NET.

The VWD Express help says that nothing more is required other than to use

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"

to encrypt the connection strings of the Web.config file. I thought that the decryption information would simply then be incorporated into one's application assembly on pre-compilation?

So I thought:

1. encrypt using aspnet_regiis
2. pre compile
3. upload to DiscountASP

no problem?

Why would this not work?

Thanks for your time,

Bruce


PS I also found the following at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000006.asp
<A name=paght000006_step2></A>Step 2. Choose Machine-Level or User-Level Key Containers


The RSAProtectedConfigurationProvider supports machine-level and user-level key containers for key storage. Machine-level key containers are available to all users, but a user-level key container is available to that user only.


The choice of container depends largely on whether or not your application shares a server with other applications and whether or not sensitive data must be kept private for each application.
Machine Key Container


Use a machine-level key container in the following situations:
<UL type=disc>
[*]Your application runs on its own dedicated server with no other applications.
[*]You have multiple applications on the same server and you want those applications to be able to share sensitive information and the same encryption key. [/list]


RSA machine key containers are stored in the following folder:


\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
User Key Container


Use a user-level key container if you run your application in a shared hosting environment and you want to make sure that your application's sensitive data is not accessible to other applications on the server. In this situation, each application should have a separate identity and the resources for the application?such as files, and databases?should be restricted to that identity.


RSA user-level key containers are stored in the following folder:


\Documents and Settings\{UserName}\Application Data\Microsoft\Crypto\RSA









Post Edited (Bruce) : 1/13/2006 6:29:47 PM GMT

 

Hi, Bruce!

In the article you linked to, read the following line:

Note RSA user-level key containers are stored in the following folder.
\Documents and Settings\{UserName}\Application Data\Microsoft\Crypto\RSA

In a shared hosting environment, you don't have access to this folder. The host's staff would have to copy the key to this directory for you. Also, you can't run the aspnet_regiis command on the host server.

If anyone thinks I'm all wet on this (and I hope I am!), please post a reply explaining why. I would also like to learn how other users are handling application/database security in a hosted environment.

Thanks!

Mikeymac

 

Yep.


After independently beating my head against this wall - I am back to the config API.


Yay microsoft.

 

I'm also a newbie to ASP.NET.
Can someone please explain the best method for securing web.config?

 

Hi mikeymac

I'm intrigued by your comment: "...add a custom decryption algorithm to your source code....None of this will make your application very secure".

Why would it not be secure?

 

Steven: If the decryption algorithm resides in your source code, then a skilled intruder can run the algorithm themselves. They could create another .aspx page on the server, add the decryption algorithm, and write the decrypted connection stringout to a label.

I believe that thismakes your application a bit more secure than storing yourconnection string in plain text(the intruder will have to jump through a few hoops), but you would be fooling yourself if you thought that your application was "locked down".

I think the experts call this "security by obscurity".

All we are doing is making it a little more tedious for a skilled attacker to get a hold of our information. We encrypt at the application level, we obfuscate, we validate input fields against injection attacks, we store only that data which is absolutely critical to the functionality of our application, we count on discountASP.net to take care of server security...and we pray.

 

I submitted my proposed solution using user level key containers


http://community.discountasp.net/default.aspx?f=24&amp;m=9239


to DiscountASP, but they said it wouldn't work due to the fact that users on their server don't have user profiles. What does this mean and why is it relevant?


As far as I know, all that is required for user level keys to work is import to/storage of the key in the user's windows account directory, and that the Web.config encryption is performed by the same user identity under which the web app runs. My solution provides for both of these contingencies.


Anyone have any insight?


Ta,





Bruce

 

Steven: Dotnetfuscator(Free edition) comes bundled with VS2005. For better obfuscation, you will have to purchase the full edition of Dotnetfuscator, or another .NET obfuscation tool like Salamander.

 

Thanks mikeymac


Sounds like a lotmore effort for little reward. How often does DiscountASP.net back up? To your knowledge, has DiscountASP.net every been breached? One thing I found interesting is that when you connect to DiscountASP.net's SQL2005 database, you can see the names of everyone else's, but the same is true of every intranet I've worked with, so I guess it's no cause for concern.


Nonetheless,I'd like to use obfuscation. Do you have some sample code (preferably VB) or site I can find it?


Steve

 

I'm using MWD 2005 Express, which doesn't seem to have Dotnetfuscator; have googled for it without any luck. Can anyone tell me a URL so that I can download it?


I would appreciate any comments on the article http://builder.com.com/5102-6373-1052981.html. Sounds assecure as using aspnet_regiis, or is it? I've also tried http://www.codeproject.com/aspnet/secure_connectionstrings.asp, but I get build errors; although it's in C# and I'm using VB, it should still work.


From what I'veread on these forums, there are a still lot of peopleusing unencrypted web.config files. Please help - can anyone come up with a simple, workable solution?