Easily encrypt asp.net 2.0 Web program configuration information

Asp.net|web| Program | encryption

　　 First, Introduction

When creating ASP.net 2.0 applications, developers typically store sensitive configuration information in Web.config files. The most typical example is the database connection string, but other sensitive information included in the Web.config file includes SMTP server connection information and user credential data, and so on. Although ASP.net can be configured by default to deny all HTTP requests for file resources with the extension. config, the sensitive information in the Web.config can still be stolen if a hacker can access the file system of your WEB server. For example, you may accidentally allow anonymous FTP access to your site, allowing a hacker to simply download your Web.config file via the FTP protocol.

Thankfully, ASP.net 2.0 helps alleviate this problem by allowing you to encrypt the selected parts of the Web.config file, such as the <connectionStrings> section, or some custom config sections that your application uses. The configuration section can easily be encrypted using either encoding or Aspnet_regiis.exe (a command-line program). Once encrypted, the Web.config setting avoids "eyeing" the eyes. Also, when you programmatically retrieve the encrypted configuration settings from your asp.net page, ASP.net automatically decrypts the encrypted portions that it reads. In short, once the configuration information is encrypted, you do not need to write any other code in your application or take any further action to use the encrypted data.

In this article, we'll discuss how to programmatically encrypt and decrypt the configuration Settings section, and analyze the use of command-line program aspnet_regiis.exe. We will then evaluate the encryption options provided by ASP.net 2.0. In addition, we will briefly discuss how to encrypt the configuration information in the ASP.net version 1.x.

　　 Second, the premise

Before we begin to explore how to encrypt asp.net 2.0 configuration information, keep in mind the following points:

1. All forms of encryption contain some kind of secret, and the secret is used when encrypting and decrypting data. Symmetric encryption algorithms use the same key when encrypting and decrypting a message, whereas asymmetric cryptographic algorithms use different keys for encryption and decryption. Whichever technique you use, the most important thing is to see how securely the decryption key is saved.

2. The configuration encryption technology provided by ASP.net 2.0 is designed to prevent hackers who are able to retrieve your configuration files in some way. The idea is that if you have a Web.config file on the hacker's computer, then he can't crack the encrypted part. However, when a ASP.net page on a Web server requests information from an encrypted profile, the data must be decrypted to be used (and you do not need to write any code at this time). So if a hacker can upload a asp.net web page that can query the configuration file and display its results to your system, he can view the encrypted settings in plain text. (For more information, refer to the sample ASP.net page provided in this article, which shows the ways to encrypt and decrypt parts of the Web.config file; As you can see, a asp.net page is able to access (and display) the plain text form of the encrypted data)

3. Encryption and decryption of configuration information requires a certain performance cost. As a result, it is usually only the configuration part that contains sensitive information that is encrypted. For example, you might not need to encrypt the <compilation> or <authorization> configuration section.

　　 III. Encryption of what information

Before we analyze how to encrypt asp.net 2.0 configuration information, let's first look at what configuration information can be encrypted. Use. NET Framework 2.0, developers can encrypt most of the configuration parts in Web.config or machine.config files. These configuration sections are XML elements that are child nodes of a <configuration> or <system.web> element. For example, the following example Web.config file contains three configuration settings, explicitly defined as:

<connectionStrings>, <compilation>, and <authentication>.
<?xml version= "1.0"? > >
<configuration xmlns= "http://schemas.microsoft.com/.NetConfiguration/v2.0"
<connectionStrings>
<add name= "membershipconnectionstring" connectionstring= "connectionString"
</connectionStrings>
<system.web>
<compilation debug= "true"/>
<authentication mode= "Forms"/>
</system.web>
Each of these sections can be selectively encrypted or implemented programmatically or through Aspnet_regiis.exe (a command-line tool). When encrypted, the encrypted text is stored directly in the configuration file. For example, if we were to encrypt the <connectionStrings> section above, the resulting Web.config file might look like this: (Note: Space is limited, we omit a chunk <CipherValue>)

<?xml version= "1.0"? > >
<configuration xmlns= "http://schemas.microsoft.com/.NetConfiguration/v2.0"
<connectionstrings configprotectionprovider= "DataProtectionConfigurationProvider"
<EncryptedData>
<CipherData>
<CipherValue> aqaaancmnd8bfderjhoawe/cl+sbaaaaed ... gicalq== </CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
<system.web>
<compilation debug= "true"/>
<authentication mode= "Forms"/>
</system.web>
In addition, there are some configuration parts that you cannot use to encrypt the technology:

· <processModel>
· <runtime>
· <mscorlib>
· <startup>
· <system.runtime.remoting>
· <configProtectedData>
· <satelliteassemblies>
· <cryptographySettings>
· <cryptoNameMapping>
· <cryptoClasses>

To encrypt these configuration parts, you must encrypt the values and store them in the registry. There is a aspnet_setreg.exe command-line tool to help you implement this process, and we'll discuss this tool later in this article.

The difference between "hint" Web.config and Machine.config:

The Web.config file specifies the configuration settings for a particular Web application and is located under the root directory of the application, while the Machine.config file specifies the configuration settings for all sites on the Web server and is located in the $windowsdir$\ The Microsoft.net\framework\version\config directory.

　　 Four, encryption options

Developers can use the ASP.net 2.0 provider model to protect configuration section information, which allows any implementation to be seamlessly inserted into the API. NET Framework 2.0 provides two built-in providers to protect configuration section information:

· Windows Data Protection API (DPAPI) provider (DataProtectionConfigurationProvider): This provider uses Windows built-in cryptography technology to encrypt configuration sections. By default, this provider uses the local key. You can also use user keys, but this requires a little customization.

· RSA protected Configuration Provider (RsaProtectedConfigurationProvider): Use RSA public key encryption to encrypt the configuration section. Using this provider, you need to create a key container that stores the public and private keys that encrypt the configuration information. You can use RSA at a multiple-server location, as long as you create an output key container.
Of course, you can also create your own protection settings provider if you need to.

In this article, we only discuss using the DPAPI provider to use machine-level keys. This is the simplest method so far, because it does not request the creation of any key or key container. The downside, of course, is that an encrypted configuration file can only be used on a Web server that first implements encryption, and that using the machine key allows encrypted text to be decrypted by any Web site on the Web server.

　　 Five, programmatically encrypt the configuration section

The System.Configuration.SectionInformation class abstracts the description of a configuration section. To encrypt a configuration section, simply use the ProtectSection (provider) method of the Sectioninformation class, passing the name of the provider you want to use to perform the encryption. In order to access a specific configuration section in your application's Web.config file, you can use the WebConfigurationManager class (in the System.Web.Configuration namespace) To refer to your Web.config file, and then use its getsection (sectionname) method to return a ConfigurationSection instance. Finally, you can get a Sectioninformation object via the Sectioninformation property of the ConfigurationSection instance.

Below, we use a simple code example to illustrate the problem:

Privatevoid protectsection (String sectionname, string provider)
{
Configuration config = WebConfigurationManager.
Openwebconfiguration (Request.applicationpath);
ConfigurationSection section = Config. GetSection (sectionname);
if (section!= null &&!section. sectioninformation.isprotected)
{
Section. Sectioninformation.protectsection (provider);
Config. Save ();
}
}
private void Unprotectsection (string sectionname) {
Configuration config =webconfigurationmanager.openwebconfiguration (request.applicationpath);
ConfigurationSection section = Config. Getsectio N (sectionname);
if (section!= null && section. sectioninformation.isprotected)
{
Section. Sectioninformation.unprotectsection ();
Config. Save ();
}
You can call this protectsection (Sectionname,provider) method from a ASP.net page, and the corresponding argument is a section name (such as connectionstrings) and a provider ( such as DataProtectionConfigurationProvider), and it opens the Web.config file, references the section, and invokes the ProtectSection (provider) method of the Sectioninformation object , and finally save the configuration changes.

On the other hand, the unprotectsection (provider) method implements the decryption of a particular configuration section. Here, just pass in the section you want to decrypt-we don't need a trouble provider because that information is already stored in the tag that accompanies the encrypted section (or, in the example above, in the <connectionStrings> section, after being encrypted, It contains the provider: <connectionstringsconfigprotectionprovider= "DataProtectionConfigurationProvider".

Remember, once the data is encrypted, when it is read from a asp.net page (that is, from a SqlDataSource control or programmatically via configurationmanager.connectionstrings[ Connstringname]. ConnectionString read the connection string information), ASP. NET automatically decrypts the connection string and returns the normal text value. In other words, after implementing encryption, you don't need to change your code at all. Pretty cool, right?

From the sample ASP.net 2.0 Web site that is downloaded from this article, you will find a sample page that shows the Web.config file for that site, with a multiline TextBox and a corresponding Web control button to encrypt parts of the configuration file. The ProtectSection () and Unprotectsection () methods discussed above are also used in this example.

　　 vi. using command line tools Aspnet_regiis.exe

You can also use the Aspnet_regiis.exe command-line tool to encrypt and decrypt the Web.config file configuration section, and you may find this tool in the "%windowsdir%\microsoft.net\framework\version" directory. To encrypt a section in the Web.config file, you can use the DPAPI machine key in this command-line tool as follows:

Encrypt the common form of a Web.config file for a particular Web site:

ASPNET_REGIIS.EXE-PEF Section Physical_directory-prov Provider
Or:

Aspnet_regiis.exe-pe Section-app Virtual_directory-prov Provider
To encrypt a specific instance of a Web.config file for a particular Web site:

Aspnet_regiis.exe-pef "connectionstrings" "C:\Inetpub\wwwroot\MySite"-prov "DataProtectionConfigurationProvider"
Or:

Aspnet_regiis.exe-pe "connectionstrings"-app "/mysite"-prov "DataProtectionConfigurationProvider"
The common form of decrypting a Web.config file for a particular Web site:

Aspnet_regiis.exe-pdf Section Physical_directory
Or:

ASPNET_REGIIS.EXE-PD Section-app Virtual_directory
To decrypt a specific instance of a particular Web site's Web.config file:

Aspnet_regiis.exe-pdf "connectionstrings" "C:\Inetpub\wwwroot\MySite"
Or:

You can also specify that the encryption/decryption of machine.config files be performed by Aspnet_regiis.exe.

"Prompt" To encrypt configuration settings in asp.net version 1.x

To protect the configuration settings in the ASP.net version 1.x, developers need to encrypt and store sensitive settings in the registry of the Web server and store them in a "strong" key. Instead of storing encrypted content (as in ASP.net 2.0), the configuration file contains only a reference to the registry key that stores the encrypted value. For example:

<identity impersonate= "true"
Username= "Registry:hklm\software\my_secure_app\identity\aspnet_setreg,username"
password= "Registry:hklm\software\my_secure_app\identity\aspnet_setreg,password"/>
Microsoft provides developers with Aspnet_setreg.exe command-line tools for encrypting sensitive configuration information and moving it to a "strong" registry entry. Unfortunately, this tool works only for specific configuration settings, whereas ASP.net 2.0 allows any configuration section to be encrypted.

For more information about using Aspnet_setreg.exe in a ASP.net 1.x application, refer to kb#32990 in MSDN. Unfortunately, this command-line program only encrypts the predefined sections in configuration settings and does not allow you to encrypt the database connection strings and other sensitive information you add yourself.

　　 Vii. Conclusion

In this article, we learned how to use the different encryption options provided by ASP.net 2.0 to protect configuration section information, and how to use programming techniques and aspnet_regiis.exe to encrypt the configuration sections in Web.config separately. Protecting your sensitive configuration settings helps ensure that your site is more difficult to hack-by making it more difficult to find sensitive configuration settings. Today, ASP.net 2.0 has provided relatively easy encryption and decryption technology, and developers have no reason not to use this approach to protect your sensitive configuration settings.