Archive for February, 2006

It is a common requirement to store the connection string in one global place, and web.config is usually where you end up. There are many positive points to storing the connection string in web.config: you can change it to point at a different server without recompiling, you get built-in caching of the configuration, and it is a single place to maintain your data access settings application-wide. Now comes the next question: since web.config is nothing but an XML file, how can I stop users from seeing what my connection string or password is? That question leads to a few more, depending on the approach you choose.

 

Ideally I should be able to encrypt the data before I store it, and store it in a place from which my application can easily obtain the decrypted values. Further questions follow: will the protection be per user or machine-wide, what will the storage be, what will the encryption and decryption methods be, and finally what is the process for fetching the data in usable form from the encrypted store.

 

In ASP.NET 1.1 the approach to achieving the above goals is to:

- use a routine for encryption and decryption based on DPAPI

- use a routine to write the encrypted data to the registry (aspnet_setreg.exe does the DPAPI encryption and the registry write for you for the <identity> and <processModel> credentials)

- finally read the data back, decrypt it, and get the connection string

However, you need to be aware of which account ASP.NET is running under and whether that account should have access to the registry key or store. To avoid giving the web process that access you normally end up with another account doing the work for you, e.g. a COM+ (Enterprise Services) component running under its own account that performs the task, with the web application calling the COM+ component to get the secured data back. Whichever approach you follow, you need to spend quite a bit of effort to make this happen.
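As an added example (not code from the original post), here is the 1.1-era pattern written in C# against the managed DPAPI wrapper System.Security.Cryptography.ProtectedData, which shipped with .NET 2.0; on 1.1 you would P/Invoke CryptProtectData/CryptUnprotectData instead, or let aspnet_setreg do it. The registry key path, value name and entropy string are assumptions. It makes the per-user versus machine-wide point concrete: DataProtectionScope.CurrentUser ties the blob to the account that encrypted it, so the ASP.NET process identity has to be the one that ran Save (the awkwardness that pushes people to the COM+ trick above), while LocalMachine lets any account on the box decrypt it, so the registry key's ACL then becomes the control.

```csharp
// Added example, not from the original post. Encrypt a secret with DPAPI and keep it in
// the registry, then read it back. Uses the managed DPAPI wrapper from .NET 2.0
// (System.Security.dll); the 1.1 approach P/Invoked CryptProtectData instead.
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

public static class DpapiRegistryStore
{
    // Assumption: hypothetical key path and value name for this application.
    public const string SubKey = @"SOFTWARE\MyCompany\MyApp\Secrets";
    public const string ValueName = "ConnStr";

    // Optional entropy: a second secret mixed into the DPAPI key derivation. Without it,
    // any process running as the same user (CurrentUser) or any process on the machine
    // (LocalMachine) can call CryptUnprotectData on the blob. Assumption: constant below.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyApp-ConnStr-v1");

    public static byte[] Protect(string clearText, DataProtectionScope scope)
    {
        return ProtectedData.Protect(Encoding.UTF8.GetBytes(clearText), Entropy, scope);
    }

    public static string Unprotect(byte[] blob, DataProtectionScope scope)
    {
        // Throws CryptographicException if the wrong account (CurrentUser scope),
        // the wrong machine, or the wrong entropy is used.
        return Encoding.UTF8.GetString(ProtectedData.Unprotect(blob, Entropy, scope));
    }

    // Machine-wide secrets go under HKLM, per-user secrets under HKCU, matching the scope.
    // For LocalMachine, restrict the HKLM key's ACL to the web process identity: DPAPI
    // alone no longer limits who on the box can decrypt.
    static RegistryKey RootFor(DataProtectionScope scope)
    {
        return scope == DataProtectionScope.LocalMachine ? Registry.LocalMachine : Registry.CurrentUser;
    }

    public static void Save(string clearText, DataProtectionScope scope)
    {
        using (RegistryKey key = RootFor(scope).CreateSubKey(SubKey))
        {
            key.SetValue(ValueName, Protect(clearText, scope), RegistryValueKind.Binary);
        }
    }

    public static string Load(DataProtectionScope scope)
    {
        using (RegistryKey key = RootFor(scope).OpenSubKey(SubKey))
        {
            byte[] blob = key == null ? null : key.GetValue(ValueName) as byte[];
            if (blob == null)
                throw new InvalidOperationException("No protected value at " + SubKey + "\\" + ValueName);
            return Unprotect(blob, scope);
        }
    }

    // Run once by an administrator (LocalMachine) or by the ASP.NET account itself (CurrentUser):
    //   DpapiRegistryStore.Save("Data Source=shreeman;Initial Catalog=Northwind;User ID=app;Password=<secret>",
    //                           DataProtectionScope.LocalMachine);
    // Then in the application:
    //   string connStr = DpapiRegistryStore.Load(DataProtectionScope.LocalMachine);
}
```

Save and Load must agree on the scope; a blob written with CurrentUser by an administrator will fail to decrypt under NETWORK SERVICE with a CryptographicException, which is exactly the account mismatch the paragraph above warns about.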

To overcome all this, the ASP.NET 2.0 team shipped a lot more functionality to handle the scenario effectively. Before describing how to do it in ASP.NET 2.0, note two new things: web.config now supports protected configuration sections, in which the encrypted values are stored and decrypted transparently when read, and you can modify web.config dynamically through the new configuration API.

 

 

Stepwise Approach to Secure Connection String in Asp.net 2.0:-

 

1. Create a connectionstring section in web.config:-

<connectionStrings>

    <add name="Myconnstr" connectionString="Data Source=shreeman;Initial Catalog=Northwind;Integrated Security=True"/>

</connectionStrings>

 

2. Run aspnet_regiis -pe <the section you want to encrypt> -app <the application's virtual path, starting with a forward slash>. Optionally choose the provider with -prov; with the DPAPI provider you can additionally choose between the machine store and the user store.

 

3. Get the connection string:-

Response.Write(ConfigurationManager.ConnectionStrings["Myconnstr"].ConnectionString);

 

4. You can specify which protected-configuration provider to use (the RSA provider, which is the default, or the DPAPI provider), and for the DPAPI provider whether the key comes from the machine-level or the user-level store.

 

5. You can encrypt not only <connectionStrings> but also:

<appSettings>

<identity> (web application identity; can contain impersonation credentials)

<sessionState> (can contain the state server or SQL Server connection string)

Sections that are read by the unmanaged host before the managed configuration system is up, such as <processModel>, cannot be protected this way.

 

6. If you want to revert to clear text (to get web.config back to its previous state), run

aspnet_regiis -pd with the same parameters.

 

7. You can also write into web.config dynamically. OpenExeConfiguration is for .exe.config files; for a web application open web.config by virtual path through WebConfigurationManager:

using System.Configuration;
using System.Web.Configuration;

// "~" is the application root; the worker process identity needs write access to web.config.
Configuration config = WebConfigurationManager.OpenWebConfiguration("~");

        config.ConnectionStrings.ConnectionStrings.Add(new ConnectionStringSettings("myconnstr", "Data Source=shreeman;Initial Catalog=Northwind;Integrated Security=True"));

        config.Save(ConfigurationSaveMode.Modified); // writes only the sections that changed

 

8. Finally, explore the other options in the Configuration Encryption section of aspnet_regiis,

like aspnet_regiis -pef and aspnet_regiis -pdf (the same encrypt/decrypt operations, but given the physical directory of the configuration file instead of a virtual path), etc.
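Steps 2, 3, 6 and 7 can also be driven from code instead of aspnet_regiis, through the same configuration API used in step 7. The following is an added example in C# (not code from the original post). It assumes it runs inside the ASP.NET 2.0 application itself, that the worker process identity has write permission on web.config for the AddOrReplace/Protect/Unprotect calls, and that the identity has been granted access to the RSA key container (aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"). The provider names are the ones registered in machine.config under <configProtectedData>; the class and method names are my own.

```csharp
// Added example, not from the original post: the aspnet_regiis steps above done through
// the ASP.NET 2.0 configuration API (System.Configuration / System.Web.Configuration).
// Assumes it runs inside the web application with a web.config that has <connectionStrings>.
using System;
using System.Configuration;
using System.Security.Principal;
using System.Web.Configuration;

public static class ProtectedConnStrings
{
    // Providers registered in machine.config under <configProtectedData>.
    public const string RsaProvider = "RsaProtectedConfigurationProvider";      // the default
    public const string DpapiProvider = "DataProtectionConfigurationProvider";

    // Step 7: add or replace a connection string in web.config at runtime.
    public static void AddOrReplace(string virtualPath, string name, string value)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConnectionStringSettingsCollection all = config.ConnectionStrings.ConnectionStrings;
        all.Remove(name);                              // no-op if the name is not present
        all.Add(new ConnectionStringSettings(name, value));
        config.Save(ConfigurationSaveMode.Modified);   // writes only the sections that changed
    }

    // Step 2 (aspnet_regiis -pe <section> -app <vpath> [-prov <provider>]):
    // encrypt one section in place. Idempotent: an already protected section is left alone.
    public static void Protect(string virtualPath, string sectionName, string provider)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No section named '" + sectionName + "' in " + config.FilePath);
        if (section.SectionInformation.IsProtected)
            return;
        section.SectionInformation.ProtectSection(provider);
        section.SectionInformation.ForceSave = true;   // make sure the section is rewritten
        config.Save(ConfigurationSaveMode.Full);
    }

    // Step 6 (aspnet_regiis -pd <section> -app <vpath>): back to clear text, e.g. before
    // copying web.config to another machine whose key container cannot decrypt it.
    public static void Unprotect(string virtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return;
        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Full);
    }

    // Step 3: consumers read through the normal API; the runtime decrypts transparently,
    // so page code never needs to know whether the section is protected.
    public static string Read(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new ConfigurationErrorsException("No connection string named '" + name + "'");
        return settings.ConnectionString;
    }

    // Diagnostic for the permissions caveat: when the process identity cannot open the RSA
    // key container, reading the section throws ConfigurationErrorsException whose message
    // starts "Failed to decrypt using provider 'RsaProtectedConfigurationProvider'".
    // Re-throw with the identity and the fix so the failure is actionable from the event log.
    public static string ReadOrExplain(string name)
    {
        try
        {
            return Read(name);
        }
        catch (ConfigurationErrorsException ex)
        {
            string who = WindowsIdentity.GetCurrent().Name;
            throw new InvalidOperationException(
                "Could not read '" + name + "' as " + who + ". If the section is RSA-protected, grant " +
                "the account access to the key container: aspnet_regiis -pa \"NetFrameworkConfigurationKey\" \"" +
                who + "\"", ex);
        }
    }

    // One-off setup (e.g. an admin page or installer task with write rights on web.config):
    //   ProtectedConnStrings.AddOrReplace("~", "Myconnstr",
    //       "Data Source=shreeman;Initial Catalog=Northwind;Integrated Security=True");
    //   ProtectedConnStrings.Protect("~", "connectionStrings", ProtectedConnStrings.RsaProvider);
    // Everyday use from a page:
    //   string cs = ProtectedConnStrings.ReadOrExplain("Myconnstr");
}
```

Protect and Unprotect rewrite web.config, which restarts the application domain, so run them from a setup task rather than on every request; Read is what the page code should call, and it works unchanged whether the section is encrypted or not.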

 

NOTE: Remember that if you are using the machine store or the default store, the account under which ASP.NET is running must have access to the provider's key material.

For example, if you are running under the NETWORK SERVICE account and using RSA encryption, NETWORK SERVICE needs read access to the RSA key container that aspnet_regiis used (by default NetFrameworkConfigurationKey, stored as a file under "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys"). The supported way to grant that is aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE", which adjusts the ACL on that one key file; granting the account permissions on the whole Crypto\RSA folder is unnecessary and hands the web process every machine key on the box.

If you still want to explore more on this, have a look at the following:

 

patterns & practices Security How Tos Index(MUST READ FOR ALL)

Channel9 screencast video

Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication

How to use the ASP.NET utility to encrypt credentials and session state connection strings

http://support.microsoft.com/default.aspx?scid=kb;en-us;329290

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT11.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/windataprotection-dpapi.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch12.asp

 

Overview of Protected Configuration

Security Guidelines: ASP.NET 2.0

Encrypting the connection string in ASP.NET V2.0

Walkthrough: Encrypting Configuration Information Using Protected Configuration: Link I and Link II

How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA

How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI

Few More:-

http://weblogs.asp.net/scottgu/archive/2006/01/09/434893.aspx

 http://weblogs.asp.net/owscott/archive/2005/07/29/421063.aspx

Hope this provides an overview of the topic.

Update:-

I observed a little interesting behavior with the secure connection string, that is, encrypting the connection string using RSA.

I was getting an error that the decryption had failed and the web server timed out.

As a remedy I gave the "Network Service" account access to the folder "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" and everything worked like a charm. I thought that the decryption was failing because the account under which ASP.NET is running did not have write permission, hence the error. I solved my problem, but that was not the end of the story.

 

When I came back the next day and started using my old 1.1 application I started getting exceptions: a cryptographic failure while loading the assembly, as well as COM Interop errors. I solved the Interop errors by re-adding the reference, but the cryptographic errors went away only once I removed the NETWORK SERVICE permission from the above-mentioned folder.

REMEDIES

 

Renaming MachineKeys to MachineKey fixes the problem with 1.1 applications, but now the 2.0 Protected Configuration fails, as it creates a new folder named MachineKeys and places the updated file (MachineKey) there while doing

Aspnet_regiis -pe "sectionnameyouwanttosecure" /app "/virtualpathofapp"

 

Now rename it back to MachineKeys and grant access to Network Service, and 1.1 will fail at compile/build time. Interestingly, though, I didn't get the cryptographic error if I ran the EXE alone.

 

Note: I don't think I am hitting CS1548, as the assembly signing is correct and it uses the relative path ..\\..\\..\\ , although the error descriptions are the same.