Advanced ASP.NET Security


This section of the chapter is about one of the more advanced topics concerning ASP.NET security: securing sensitive configuration settings. If you are looking for information on general security or general encryption, other chapters in this book are more appropriate, such as Chapter 15, "Cryptography and Data Protection." This section deals only with advanced ASP.NET security topics.

Using Protected Configuration Settings

When you create your ASP.NET application, more often than not, the connection strings used by your data tier end up in the Web.config file. This is even more common in ASP.NET 2.0, where there is a special connectionStrings element that is part of every application configuration file, whether it is for ASP.NET or Windows Forms.

The problem with this pattern is that it leaves your valuable connection string information completely exposed. If you are using password-based authentication against the database server, the username and password of a database user are sitting in plain text in the file, along with the name and/or IP address of the database server itself. In some situations you cannot afford to have this information available for viewing, but you still want the ease of use of the .NET configuration API.

With .NET 2.0, there is now a way to encrypt sections of a configuration file using the same technique that is used to encrypt pieces of SOAP envelopes when using secure Web Services. This encryption (and associated decryption) is done with the aspnet_regiis.exe tool, which is found in the following directory:

[drive]:\[windows directory]\Microsoft.NET\Framework\v[version] 


Using the -pe option, you can encrypt a section of a Web.config file hosted as a virtual directory in IIS. Using the -pef option, you can encrypt a section of a Web.config file in a physical directory if you are not using IIS and you're just using Visual Studio 2005's built-in web server to test your applications.

To start this sample, create a new Web Site called ProtectedSettings. Add a Web.config file to it and add the following <connectionStrings> element:

[View full width]

<connectionStrings> <add name="SqlServices" connectionString="Data Source=".\SQLExpress; Integrated Security=SSPI; Initial Catalog=Northwind;" /> </connectionStrings>


This is a simple connection string. The problem is that if this connection string contained sensitive machine names and passwords, we would need to be able to encrypt that to prevent prying eyes from seeing it while still allowing the application to access the information.

To encrypt this section, in a file-based web application, you can enter a command similar to the one in the following code:

aspnet_regiis -pef "connectionStrings" "d:\sams\c# unleashed 2005\chapters\28\code\protectedsettings" -prov "RSAProtectedConfigurationProvider" 


Obviously you won't want to have the carriage returns in your command-line statement. After running this command, your new Web.config file looks like the text shown in Listing 28.1.

Listing 28.1. A Web.config File Containing an Encrypted Connectionstrings Element

<?xml version="1.0"?> <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">     <protectedData>         <protectedDataSections>             <add name="connectionStrings" provider="RsaProtectedConfigurationProvider" inheritedByChildren="false"/>         </protectedDataSections>     </protectedData>     <appSettings/>     <connectionStrings>         <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">             <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>             <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">                 <EncryptedKey Recipient="" xmlns="http://www.w3.org/2001/04/xmlenc#">                     <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>                     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">                        <KeyName>Rsa Key</KeyName>                     </KeyInfo>                     <CipherData>                         <CipherValue>...</CipherValue>                     </CipherData>                 </EncryptedKey>             </KeyInfo>             <CipherData>                 <CipherValue>...</CipherValue>             </CipherData>         </EncryptedData>     </connectionStrings>     <system.web>         <compilation debug="true"/>         <authentication mode="Windows"/>     </system.web> </configuration> 

I cut out the actual hexadecimal characters of the encrypted data and replaced them with ellipses (...) in Listing 28.1 to make it easier to read. To prove that even after the encryption process you can still read the configuration file just as before from within the ASP.NET application, create a Web Form with the following lines of code in the code-behind:

foreach (ConnectionStringSettings css in ConfigurationManager.ConnectionStrings) {   Response.Write(css.Name + ": " + css.ConnectionString + "<BR/>"); } 


When you debug this page in Visual Studio 2005, you should see that the connection string has been completely decrypted for you and is ready to pass to your ADO.NET data provider of choice.

Keep in mind that the private key used to encrypt the data contained in the Web.config file isn't actually written inside that file. This means that if you copy the encrypted Web.config from one server to another, the second server will be unable to decrypt the information. For more information on using private key encryption and how to deal with the issues that arise from sharing information among multiple servers, check out Chapter 15.



Microsoft Visual C# 2005 Unleashed
Microsoft Visual C# 2005 Unleashed
ISBN: 0672327767
EAN: 2147483647
Year: 2004
Pages: 298

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net