Recipe 12.8. Encrypting web.config Sections


Problem

You have sensitive data in your web.config file, such as the connection string used to access your database, that you do not want available in plain text.

Solution

Use the Protected Configuration feature to encrypt the sensitive information stored in web.config:

  1. Add the sensitive information to your web.config, such as a <connectionStrings> element:

     <configuration>
       <connectionStrings>
         <add name="sqlConnectionString"
              connectionString="Data Source=localhost; Initial Catalog=ASPNetCookbook; UID=ASPNetCookbook_User;PWD=w0rk; persist security info=False;Connection Timeout=30;" />
       </connectionStrings>
       …
     </configuration>

  2. Add a <machineKey> element to your web.config:

     <configuration>
       …
       <system.web>
         <machineKey validationKey="AutoGenerate,IsolateApps"
                     decryptionKey="AutoGenerate,IsolateApps" />
       </system.web>
     </configuration>

  3. Run the aspnet_regiis.exe tool to encrypt the sensitive data element, such as the <connectionStrings> element with the following command:

     aspnet_regiis -pe "connectionStrings" -app "[Your Application Name]" 

  4. Run the aspnet_regiis.exe tool to encrypt the <machineKey> element:

     aspnet_regiis -pe "system.web/machineKey" -app "[Your Application Name]" 

  5. Run the aspnet_regiis.exe tool to grant access to the key container by the ASP.NET identity:

     aspnet_regiis -pa "NetFrameworkConfigurationKey" "[ASP.NET User]" 

Discussion

Applications frequently contain sensitive data in their web.config files, such as a database connection string that contains the credentials required to access the database. If this information is stored in your web.config in plain text, anyone who gains access to the web.config file will have the credentials to access the database for your application.

ASP.NET 1.x had no provisions for storing sensitive data in web.config other than in plain text. ASP.NET 2.0 provides the ability to encrypt sensitive data in web.config and to decrypt the data automatically when needed by your application without requiring any changes to your code.

The first step in encrypting elements in web.config is to add the element, such as <connectionStrings>, and test your application to ensure the data has been entered correctly. This is important since once the data is encrypted it cannot be changed without it first being decrypted (decrypting is discussed later).

Next, you need to add a <machineKey> element to web.config. The <machineKey> element configures the keys used for forms authentication cookie data, view state data, and managing the encrypted element(s). The attributes of the <machineKey> element are described as follows:


decryptionKey

The decryptionKey attribute defines the key that will be used for encryption and decryption, or the process that will be used to generate the key. The value can be set to "AutoGenerate", "AutoGenerate,IsolateApps", or a string of hexadecimal characters. "AutoGenerate,IsolateApps" is the default. When set to "AutoGenerate", ASP.NET generates a random key. When the value is set to "AutoGenerate,IsolateApps", ASP.NET generates a unique key for each application using each application's ID. Setting the value to a hexadecimal string allows you to control the key and is required if your application runs on multiple servers, where the keys must be identical on each server.


decryption

The decryption attribute defines the encryption algorithm used for encrypting/decrypting the data. The value can be Auto, AES, or 3DES. The default is Auto.


validationKey

The validationKey attribute defines the key that will be used for validation of encrypted data. The validationKey is not used for encryption/decryption of web.config elements. It is used to generate the message authentication code (MAC) when the enableViewStateMAC attribute is set to true. The value can be set to "AutoGenerate", "AutoGenerate,IsolateApps", or a string of hexadecimal characters. "AutoGenerate,IsolateApps" is the default. When set to "AutoGenerate", ASP.NET generates a random key. When the value is set to "AutoGenerate,IsolateApps", ASP.NET generates a unique key for each application using each application's ID. Setting the value to a hexadecimal string allows you to control the key and is required if your application runs on multiple servers, where the keys must be identical on each server.


validation

The validation attribute defines the algorithm used for validating data. The value can be AES, MD5, SHA1, or TripleDES. The default is SHA1.

Once web.config is set up, the aspnet_regiis.exe tool is used to perform the data encryption. Open a command prompt and change to the %SystemRoot%\Microsoft.NET\Framework\%VersionNumber%\ folder, where the aspnet_regiis.exe tool is located. To encrypt the <connectionStrings> element in web.config, execute the following command in the command window, substituting the virtual path of your application for [Your Application Name].

 aspnet_regiis -pe "connectionStrings" -app "[Your Application Name]" 

The <connectionStrings> element of web.config will be changed with the sensitive data encrypted, as follows. (The CipherValue elements have been shortened for clarity.)

 <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
   <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
     <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                    xmlns="http://www.w3.org/2001/04/xmlenc#">
       <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
         <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
           <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
           <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
             <KeyName>Rsa Key</KeyName>
           </KeyInfo>
           <CipherData>
             <CipherValue>VJyz/bFoxgJU2PWl…..</CipherValue>
           </CipherData>
         </EncryptedKey>
       </KeyInfo>
       <CipherData>
         <CipherValue>Bb/JK94rxfCphYQebP3s…..</CipherValue>
       </CipherData>
     </EncryptedData>
   </connectionStrings>
   …
 </configuration>

The next step is to encrypt the <machineKey> element to protect the key information. To encrypt the <machineKey> element, execute the following command in the command window, substituting the virtual path of your application for [Your Application Name].

 aspnet_regiis -pe "system.web/machineKey" -app "[Your Application Name]" 

The <machineKey> element of web.config file will be changed with the key data encrypted as follows. (The CipherValue elements have been shortened for clarity.)

 <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
   …
   <system.web>
     <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
       <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                      xmlns="http://www.w3.org/2001/04/xmlenc#">
         <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
           <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
             <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
             <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
               <KeyName>Rsa Key</KeyName>
             </KeyInfo>
             <CipherData>
               <CipherValue>aVVNMATLnm48…..</CipherValue>
             </CipherData>
           </EncryptedKey>
         </KeyInfo>
         <CipherData>
           <CipherValue>f9/2H0sgeSeZIC/t…..</CipherValue>
         </CipherData>
       </EncryptedData>
     </machineKey>
     …
   </system.web>
 </configuration>
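The two listings above show what a section looks like once aspnet_regiis has run: the section gains a configProtectionProvider attribute and its body becomes an XML-Encryption envelope (a TripleDES-encrypted payload whose session key is RSA-wrapped under the "Rsa Key" container). A practitioner reviewing a deployment usually wants the inverse check: which sections of a given web.config are still readable, and what would still have to be encrypted. The following script is an added example, not code from the book; it uses only the Python standard library, and SAMPLE_WEB_CONFIG is a constructed input (the password and hex key in it are made up) whose encrypted section follows the envelope layout shown above. Section paths are reported in the same form the -pe switch expects, so the output maps directly onto the commands in this recipe.

```python
# Added audit for Protected Configuration coverage of a web.config (not the book's code).
import re
import xml.etree.ElementTree as ET

XMLENC = "{http://www.w3.org/2001/04/xmlenc#}"
XMLDSIG = "{http://www.w3.org/2000/09/xmldsig#}"
# Sections this recipe encrypts; any other section found holding a credential is added to the list.
SENSITIVE_SECTIONS = {"connectionStrings", "system.web/machineKey"}
CREDENTIAL_RE = re.compile(r"\b(pwd|password)\s*=\s*[^;\"']+", re.IGNORECASE)
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed sample: connectionStrings already encrypted (envelope layout as produced by
# aspnet_regiis -pe), a second connection string left in clear text under appSettings, and a
# plaintext machineKey whose validationKey is a literal hex value (made up for the example).
SAMPLE_WEB_CONFIG = """<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyName>Rsa Key</KeyName></KeyInfo>
          <CipherData><CipherValue>VJyz/bFoxgJU2PWl</CipherValue></CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData><CipherValue>Bb/JK94rxfCphYQebP3s</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings>
    <add key="ReportingDb" value="Data Source=localhost;Initial Catalog=Reports;UID=rpt;PWD=example-only" />
  </appSettings>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF01234567" decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>
"""


def _find(elem, path, attr=None):
    """Attribute (or text when attr is None) of the first descendant at path, or None."""
    node = elem.find(path)
    if node is None:
        return None
    return node.text if attr is None else node.get(attr)


def _envelope_details(section, provider):
    """Read the XML-Enc envelope: data cipher, RSA key-wrap cipher and key-container name."""
    enc = XMLENC + "EncryptedData/"
    key = enc + XMLDSIG + "KeyInfo/" + XMLENC + "EncryptedKey/"
    return {
        "provider": provider,
        "data_algorithm": _find(section, enc + XMLENC + "EncryptionMethod", "Algorithm"),
        "key_wrap_algorithm": _find(section, key + XMLENC + "EncryptionMethod", "Algorithm"),
        "key_name": _find(section, key + XMLDSIG + "KeyInfo/" + XMLDSIG + "KeyName"),
    }


def _classify_machine_key(elem):
    """Label validationKey/decryptionKey as autogenerate, literal_hex or invalid."""
    labels = []
    for attr in ("validationKey", "decryptionKey"):
        value = elem.get(attr, "AutoGenerate,IsolateApps")  # the documented default
        if value.startswith("AutoGenerate"):
            labels.append((attr, "autogenerate"))  # per-machine key, will not match across a farm
        elif HEX_RE.match(value):
            labels.append((attr, "literal_hex"))  # farm-safe, but readable until -pe has run
        else:
            labels.append((attr, "invalid"))
    return labels


def _walk(elem, path, report):
    here = path + [elem.tag.rsplit("}", 1)[-1]]  # strip the namespace from the tag
    section_path = "/".join(here[1:])  # drop <configuration>; same form as the -pe argument
    provider = elem.get("configProtectionProvider")
    if provider:
        report["protected"][section_path] = _envelope_details(elem, provider)
        return  # everything below this point is ciphertext
    if section_path in SENSITIVE_SECTIONS:
        report["unprotected_sensitive"].append(section_path)
    for attr, value in elem.attrib.items():
        if CREDENTIAL_RE.search(value):
            report["plaintext_credentials"].append((section_path, attr))
            top = here[1] if len(here) > 1 else section_path  # section that -pe would have to cover
            if top not in report["unprotected_sensitive"]:
                report["unprotected_sensitive"].append(top)
    if here[-1] == "machineKey":
        report["machine_key"].extend(_classify_machine_key(elem))
    for child in elem:
        _walk(child, here, report)


def audit_web_config(xml_text):
    """Protection status, envelope details and plaintext findings for one web.config."""
    report = {"protected": {}, "unprotected_sensitive": [], "plaintext_credentials": [], "machine_key": []}
    _walk(ET.fromstring(xml_text), [], report)
    return report


def regiis_commands(report, app_path):
    """The aspnet_regiis -pe invocations still needed, one per unprotected section."""
    return ['aspnet_regiis -pe "%s" -app "%s"' % (s, app_path) for s in report["unprotected_sensitive"]]
```

Running audit_web_config(SAMPLE_WEB_CONFIG) reports connectionStrings as protected (TripleDES data cipher, RSA-1.5 key wrap, container "Rsa Key"), flags the appSettings value that still carries a PWD=, labels the machineKey attributes, and regiis_commands(report, "/MyApp") returns the two -pe commands still outstanding, for "appSettings" and "system.web/machineKey". Read a real file with open("web.config").read() in place of the sample; the credential pattern is deliberately narrow (PWD= and Password=), so extend it for other secret-bearing keys your configuration uses.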

The final step to encrypting data in web.config is to grant access to the key container for the ASP.NET user. The aspnet_regiis.exe tool is once again used with the following command, substituting the ASP.NET user account on your server for [ASP.NET User]:

 aspnet_regiis -pa "NetFrameworkConfigurationKey" "[ASP.NET User]" 

By default, the ASP.NET user is ASPNET when using Windows 2000 Server and NT AUTHORITY\NETWORK SERVICE when using Windows 2003 Server. If you have configured ASP.NET to use another user, you will need to use that user account. The name of the ASP.NET user can be determined by creating an ASP.NET page with the following content and displaying the page in a browser:

 <%@ Page Language="VB" %>
 <% Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name) %>

 <%@ Page Language="C#" %>
 <% Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name); %>

When determining the ASP.NET user, displaying this page while running in Visual Studio 2005 will report the user as the logged-in user, not the account under which ASP.NET runs.


Granting access to the key container must be done on all servers where your application will run. If you fail to grant access, ASP.NET will not be able to decrypt the data in web.config.


If you need to change the encrypted data in web.config, you will need to decrypt the data, make the required changes, and then encrypt the data again. The decryption is performed by using the aspnet_regiis.exe tool, this time with the -pd command-line parameter:

 To decrypt the <connectionStrings> element:

     aspnet_regiis -pd "connectionStrings" -app "[Your Application Name]"

 To decrypt the <machineKey> element:

     aspnet_regiis -pd "system.web/machineKey" -app "[Your Application Name]"

See Also

"Encrypting Configuration Information Using Protected Configuration" in the MSDN Library



ASP.NET Cookbook
ASP.NET 2.0 Cookbook (Cookbooks (O'Reilly))
ISBN: 0596100647
Year: 2003
Pages: 202
