Encrypting Configuration Information in ASP.NET 2.0 Applications
2007-10-16 12:23
357 views
http://aspnet.4guysfromrolla.com/articles/021506-1.aspx By Scott Mitchell
Introduction
When creating ASP.NET 2.0 applications, developers commonly store sensitive configuration information in the Web.config file. The canonical example is database connection strings, but other sensitive information included in the Web.config file can include SMTP server connection information and user credentials, among others. While ASP.NET is configured, by default, to reject all HTTP requests to resources with the .config extension, the sensitive information in Web.config can be compromised if a hacker obtains access to your web server's file system. For example, perhaps you forgot to disallow anonymous FTP access to your website, thereby allowing a hacker to simply FTP in and download your Web.config file. Eep.
Fortunately ASP.NET 2.0 helps mitigate this problem by allowing selective portions of the Web.config file to be encrypted, such as the <connectionStrings> section, or some custom config section used by your application. Configuration sections can be easily encrypted using code or aspnet_regiis.exe, a command-line program. Once encrypted, the Web.config settings are safe from prying eyes. Furthermore, when retrieving encrypted configuration settings programmatically in your ASP.NET pages, ASP.NET will automatically decrypt the encrypted sections it's reading. In short, once the configuration information is encrypted, you don't need to write any further code or take any further action to use that encrypted data in your application.
In this article we'll see how to programmatically encrypt and decrypt portions of the configuration settings and look at using the aspnet_regiis.exe command-line program. We'll then evaluate the encryption options ASP.NET 2.0 offers. There's also a short discussion on how to encrypt configuration information in ASP.NET version 1.x. Read on to learn more!
Things to Keep in Mind...
Before we get started exploring how to encrypt configuration information in ASP.NET 2.0, keep the following things in the back of your mind:
All forms of encryption involve some sort of secret that is used when encrypting and decrypting the data. Symmetric encryption algorithms use the same secret key in both encrypting and decrypting a message, whereas asymmetric encryption algorithms use different keys for encrypting and decrypting. Regardless of the technique being used, the encryption scheme is only as safe as the secret key for decrypting.
The configuration encryption capabilities in ASP.NET 2.0 are designed to foil a hacker who somehow is able to retrieve your configuration files. The idea is that if the hacker has your Web.config file on her computer, she can't de-scramble the encrypted sections. However, when an ASP.NET page on the web server requests information from an encrypted configuration file, the data must be decrypted to be used (and this happens without you needing to write any code). Therefore, if a hacker is able to upload an ASP.NET web page to your system that queries the configuration file and displays its results, she can view the encrypted settings in plain-text. (There's an example ASP.NET page that can be downloaded at the end of this article that illustrates encrypting and decrypting various sections of the Web.config file; as you'll see, an ASP.NET page can access (and display) the plain-text version of the encrypted data.)
Encrypting and decrypting configuration sections carries a performance cost. Therefore, only encrypt the configuration sections that contain sensitive information. There's likely no need to encrypt, say, the <compilation> or <authorization> configuration sections.
That being said, let's get started!
What Information Can Be Encrypted
Before we examine how to encrypt configuration information in ASP.NET 2.0, let's first look at what configuration information, exactly, can be encrypted. The .NET Framework 2.0 libraries include the capabilities to encrypt most any configuration section within the Web.config or machine.config files. Configuration sections are those XML elements that are children of the <configuration> or <system.web> elements. For example, the sample Web.config below has three configuration sections explicitly defined: <connectionStrings>, <compilation>, and <authentication>.
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <connectionStrings>
    <add name="MembershipConnectionString" connectionString="connectionString"/>
  </connectionStrings>
  <system.web>
    <compilation debug="true"/>
    <authentication mode="Forms" />
  </system.web>
</configuration>
Each of these sections can optionally be encrypted, either programmatically or through aspnet_regiis.exe, a command-line tool. When encrypted, the scrambled text is stored directly in the configuration file. For example, if we were to encrypt the <connectionStrings> section above, the resulting Web.config file might look like the following (note: a large chunk of the <CipherValue> has been removed for brevity):
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAed...GicAlQ==</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
  <system.web>
    <compilation debug="true"/>
    <authentication mode="Forms" />
  </system.web>
</configuration>
There are some configuration sections that you cannot encrypt using this technique:
<processModel>
<runtime>
<mscorlib>
<startup>
<system.runtime.remoting>
<configProtectedData>
<satelliteassemblies>
<cryptographySettings>
<cryptoNameMapping>
<cryptoClasses>
In order to encrypt these configuration sections you must encrypt the value and store it in the registry. There's an aspnet_setreg.exe command-line tool to help along with this process; this tool is discussed later in this article in the "Encrypting Configuration Settings in ASP.NET Version 1.x" note.
The Differences Between Web.config and machine.config
Web.config files specify configuration settings for a particular web application, and are located in the application's root directory; the machine.config file specifies configuration settings for all of the websites on the web server, and is located in $WINDOWSDIR$\Microsoft.Net\Framework\Version\CONFIG.
Encryption Options
Protecting configuration sections in ASP.NET 2.0 uses the provider model, which allows for any implementation to be seamlessly plugged into the API. The .NET Framework 2.0 ships with two built-in providers for protecting configuration sections:
The Windows Data Protection API (DPAPI) Provider (DataProtectionConfigurationProvider) - this provider uses the built-in cryptography capabilities of Windows to encrypt and decrypt the configuration sections. By default this provider uses the machine's key. You can also use user keys, but that requires a bit more customization. Refer to How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI for more information on this process. Since the keys are machine- or user-specific, the DPAPI provider does not work in settings where you want to deploy the same encrypted configuration file to multiple servers.
RSA Protected Configuration Provider (RSAProtectedConfigurationProvider) - uses RSA public key encryption to encrypt/decrypt the configuration sections. With this provider you need to create key containers that hold the public and private keys used for encrypting and decrypting the configuration information. Refer to How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA for more information. You can use RSA in a multi-server scenario by creating exportable key containers.
You can also create your own protected settings providers, if needed.
In this article we'll only explore using the DPAPI provider with machine-level keys. This is, by far, the simplest approach since it doesn't require creating any keys or key containers, or ensuring access and permission rights to user-level keys. Of course, it has the downside that an encrypted configuration file can only be used on the web server that performed the encryption in the first place; furthermore, using the machine key allows the encrypted text to be decryptable by any website on the web server.
Programmatically Encrypting Configuration Sections
The System.Configuration.SectionInformation class abstractly represents a configuration section. To encrypt a configuration section, simply use the SectionInformation class's ProtectSection(provider) method, passing in the name of the provider you want to use to perform the encryption. To access a particular configuration section in your application's Web.config file, use the WebConfigurationManager class (in the System.Web.Configuration namespace) to reference your Web.config file, and then use its GetSection(sectionName) method to return a ConfigurationSection instance. Finally, you can get to a SectionInformation object via the ConfigurationSection instance's SectionInformation property.
This jumble of words should be made clearer by a simple code example (which I'm taking directly from David Hayden's blog entry Encrypt Connection Strings AppSettings and Web.Config in ASP.NET 2.0 - Security Best Practices):
[code]
// Encrypts the named configuration section with the given protected
// configuration provider and saves the change to Web.config.
private void ProtectSection(string sectionName, string provider)
{
    Configuration config =
        WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection(sectionName);
    if (section != null && !section.SectionInformation.IsProtected)
    {
        section.SectionInformation.ProtectSection(provider);
        config.Save();
    }
}

// Decrypts the named section; no provider is needed because it is
// recorded in the section's configProtectionProvider attribute.
private void UnProtectSection(string sectionName)
{
    Configuration config =
        WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection(sectionName);
    if (section != null && section.SectionInformation.IsProtected)
    {
        section.SectionInformation.UnprotectSection();
        config.Save();
    }
}
[/code]
The first method David has created, ProtectSection(sectionName, provider), can be called from an ASP.NET page, passing in a section name (like connectionStrings) and a provider (like DataProtectionConfigurationProvider); it opens the Web.config file, references the section, invokes the ProtectSection(provider) method of the SectionInformation object, and saves the configuration changes.
The UnProtectSection(sectionName) method decrypts a particular configuration section. Here only the section to decrypt needs to be passed in; we don't need to bother with the provider because that information is stored in the markup accompanying the encrypted section (i.e., in the above example, the <connectionStrings> section, after being encrypted, included the provider: <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">).
And.................... You're Done!
Keep in mind that once the data is encrypted, when it's read from an ASP.NET page (i.e., reading the connection string information from a SqlDataSource control or programmatically, via ConfigurationManager.ConnectionStrings[connStringName].ConnectionString), ASP.NET automatically decrypts the connection string and returns the plain-text value. In other words, you don't need to change your code one iota after implementing encryption. Pretty cool!
At the end of this article you'll find an ASP.NET 2.0 website download that has a page that shows the site's Web.config file in a multi-line TextBox, with Button Web controls for encrypting various portions of the configuration file. That example illustrates using both the ProtectSection() and UnProtectSection() methods shown above.
Using the aspnet_regiis.exe Command-Line Tool
You can also encrypt and decrypt sections in the Web.config file using the aspnet_regiis.exe command-line tool, which can be found in the %WINDOWSDIR%\Microsoft.Net\Framework\version directory. To encrypt a section of the Web.config using the DPAPI machine key with this command-line tool, use:
-- Generic form for encrypting the Web.config file for a particular website...
aspnet_regiis.exe -pef section physical_directory -prov provider
-- or --
aspnet_regiis.exe -pe section -app virtual_directory -prov provider

-- Concrete example of encrypting the Web.config file for a particular website...
aspnet_regiis.exe -pef "connectionStrings" "C:\Inetpub\wwwroot\MySite" -prov "DataProtectionConfigurationProvider"
-- or --
aspnet_regiis.exe -pe "connectionStrings" -app "/MySite" -prov "DataProtectionConfigurationProvider"

-- Generic form for decrypting the Web.config file for a particular website...
aspnet_regiis.exe -pdf section physical_directory
-- or --
aspnet_regiis.exe -pd section -app virtual_directory

-- Concrete example of decrypting the Web.config file for a particular website...
aspnet_regiis.exe -pdf "connectionStrings" "C:\Inetpub\wwwroot\MySite"
-- or --
aspnet_regiis.exe -pd "connectionStrings" -app "/MySite"
You can also specify that aspnet_regiis.exe should perform encryption/decryption on the machine.config file instead. See the technical documentation for the ASP.NET IIS Registration Tool (Aspnet_regiis.exe) for more information on the available command-line switches.
Encrypting Configuration Settings in ASP.NET Version 1.x
In order to protect configuration settings in ASP.NET version 1.x, developers needed to encrypt and store the sensitive settings in the web server's registry, storing it in a "strong" key. Rather than storing the encrypted content in the configuration file, as in ASP.NET 2.0, the configuration file would contain a reference to the registry key holding the encrypted value, a la:

<identity impersonate="true"
          userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,userName"
          password="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,password" />

Microsoft made available the aspnet_setreg.exe command-line tool for encrypting the contents of sensitive configuration information and moving it to a "strong" registry entry. Unfortunately this tool only works on specific configuration settings, whereas ASP.NET 2.0 allows encrypting any configuration section. For more information on using aspnet_setreg.exe in an ASP.NET 1.x application, see KB #32990 (How to use the ASP.NET utility to encrypt credentials and session state connection strings). Unfortunately, this command-line program only encrypts predefined sections of the configuration settings, and does not allow you to encrypt your own added database connection strings and other sensitive information. In order to encrypt your own content you can use a couple of techniques. The different options are described in Keith Brown's The .NET Developer's Guide to Windows Security Wiki page on How To Store Secrets On A Machine. For a look at implementing the registry approach, which is what the aspnet_setreg.exe command-line tool does for the predefined configuration sections, refer to: How To: Store an Encrypted Connection String in the Registry.
Conclusion
In this article we saw the different encryption options ASP.NET 2.0 provides for protecting configuration sections, as well as how to encrypt sections of the Web.config using both programmatic techniques and aspnet_regiis.exe, a command-line tool. Protecting your sensitive configuration settings can help ensure that your site is more hardened against nefarious hackers by making it more difficult to discover the sensitive configuration settings. And with the ease of encrypting and decrypting this information in ASP.NET 2.0, there's really no excuse not to protect your sensitive configuration settings in this manner.
Happy Programming!
Other resources:
Encrypting Connection Strings in web.config file
http://www.beansoftware.com/ASP.NET-Tutorials/Encrypting-Connection-String.aspx
Video
http://download.microsoft.com/download/8/3/6/836dd5f8-fa92-499f-8219-0d326f13bf18/hilo_tips_final.wmv
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
http://channel9.msdn.com/wiki/default.aspx/Channel9.HowToEncryptConfigurationSectionsUsingRsaInAspNet20
Custom Configuration Sections in .NET 2.0
http://www.codeproject.com/vb/net/customconfigsectionsNet2.asp