ASP.NET 2.0 web.config files and passwords [a problem that is easily overlooked]

Source: Internet
Author: User

You can use protected configuration to encrypt sensitive information (user names and passwords, database connection strings, encryption keys) in a Web application configuration file such as web.config. Once the section is encrypted, an attacker who obtains a copy of the configuration file, but not the key that protects it, cannot read the sensitive values, which improves the security of the application.

Encrypting the database connection string of an ASP.NET 2.0 application. An unencrypted configuration file typically contains a section holding the connection string used to reach the database, as in the following example:

<configuration>
  <connectionStrings>
    <add name="SampleSqlServer"
         connectionString="Data Source=localhost;Integrated Security=SSPI;Initial Catalog=Northwind;" />
  </connectionStrings>
</configuration>

ASP.NET 2.0 adds a security feature: any configuration section of web.config can be encrypted, either with the aspnet_regiis tool or programmatically. If you have direct access to the web server, run the following at a command prompt:

cd %WINDIR%\Microsoft.NET\Framework\versionNumber

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"

The relevant aspnet_regiis options are:

-pd section [decrypt]

Decrypts the specified configuration section. Optional parameters:

· -app virtualPath: decrypt at the level of the given virtual path (the path is resolved through IIS).

· -location subPath: decrypt the given subdirectory.

· -pkm: decrypt machine.config instead of web.config.

-pdf section webApplicationDirectory

Decrypts the specified configuration section of the web.config file in the specified physical (not virtual) directory.

-pe section [encrypt]

Encrypts the specified configuration section. Optional parameters:

· -prov provider: the protected-configuration provider to use.

· -app virtualPath: encrypt at the level of the given virtual path.

· -location subPath: encrypt the given subdirectory.

· -pkm: encrypt machine.config instead of web.config.

-pef section webApplicationDirectory [-prov provider]

Encrypts the specified configuration section of the web.config file in the specified physical (not virtual) directory.

If the site is on shared hosting or you otherwise cannot reach the server's command line, you can still encrypt the connection string programmatically. The code runs under the application identity, which must therefore have write access to web.config and access to the key container of the chosen provider:

Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection section = config.Sections["connectionStrings"];
section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
config.Save();

I. Use DataProtectionConfigurationProvider

Create a test.aspx page whose code-behind contains the following. Configuration and ConfigurationSection live in System.Configuration, WebConfigurationManager in System.Web.Configuration:

// Add references
using System.Configuration;
using System.Web.Configuration;

// Encrypt
protected void Button1_Click(object sender, EventArgs e)
{
    Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection("connectionStrings");

    // Only protect a section that is not protected yet
    if (section != null && !section.SectionInformation.IsProtected)
    {
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        config.Save();
    }
}

// Decrypt
protected void Button2_Click(object sender, EventArgs e)
{
    Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection("connectionStrings");

    // Only unprotect a section that is currently protected
    if (section != null && section.SectionInformation.IsProtected)
    {
        section.SectionInformation.UnprotectSection();
        config.Save();
    }
}

Conclusion: this method is convenient and simple, but its protection is weak. DataProtectionConfigurationProvider uses DPAPI with the machine key store by default, so any process running on that server can decrypt the section, and the encrypted web.config cannot be moved to another server because the DPAPI key never leaves the machine.

II. Use RsaProtectedConfigurationProvider

The test.aspx page is the same as above except that

section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");

is changed to

section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");

However, when you then browse to the site you will very likely see:

Configuration Error: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened.

Once a section is protected, the configuration file no longer contains the connection string in plaintext but stores it in encrypted form (base64 cipher values abbreviated below). The section itself is encrypted with a random Triple-DES session key in CBC mode; that session key is wrapped with the RSA public key of the container named in KeyName (PKCS#1 v1.5), so decryption requires the private half of that key container:

<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>...</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>...</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
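The encrypted form above can be checked mechanically. The following PowerShell script is an added example and is not code from the original article: it parses a web.config, lists which top-level sections are protected, by which provider and, for an RSA provider declared in the file, which key container, and flags any unprotected section that still carries a plaintext password. The web.config embedded in it is constructed for the example; its provider name KeyProvider, container name Key and cipher value are placeholders.

```powershell
# Added example, not from the original article.
# Audit a web.config: which sections are protected, by which provider and key
# container, and does any unprotected section still carry a plaintext password?

# Constructed sample web.config. The CipherValue is a placeholder, not real
# aspnet_regiis output; KeyProvider/Key are assumed names.
$SampleWebConfig = @'
<?xml version="1.0"?>
<configuration>
  <configProtectedData>
    <providers>
      <add name="KeyProvider"
           type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           keyContainerName="Key"
           useMachineContainer="true" />
    </providers>
  </configProtectedData>
  <connectionStrings configProtectionProvider="KeyProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <CipherData><CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings>
    <add key="ReportingDb" value="Server=db1;User Id=report;Password=changeme" />
  </appSettings>
</configuration>
'@

function Get-ProtectedSectionReport {
    param([Parameter(Mandatory)][xml]$Config)

    # Providers declared in this file. The two built-in providers
    # (RsaProtectedConfigurationProvider, DataProtectionConfigurationProvider)
    # are declared in machine.config and so will not appear here.
    $declared = @{}
    foreach ($p in $Config.SelectNodes('/configuration/configProtectedData/providers/add')) {
        $declared[$p.GetAttribute('name')] = $p
    }

    foreach ($section in $Config.DocumentElement.ChildNodes) {
        if ($section.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
        if ($section.LocalName -eq 'configProtectedData') { continue }

        # A protected section carries configProtectionProvider="<name>"
        $providerName = $section.GetAttribute('configProtectionProvider')
        $isProtected  = $providerName -ne ''
        if (-not $isProtected) { $providerName = $null }

        $container = $null
        $algorithm = $null
        if ($isProtected) {
            if ($declared.ContainsKey($providerName)) {
                $container = $declared[$providerName].GetAttribute('keyContainerName')
            } elseif ($providerName -eq 'RsaProtectedConfigurationProvider') {
                $container = 'NetFrameworkConfigurationKey'   # default container from machine.config
            }
            # First EncryptionMethod in document order is the section cipher (tripledes-cbc)
            $method = $section.GetElementsByTagName('EncryptionMethod') | Select-Object -First 1
            if ($method) { $algorithm = $method.GetAttribute('Algorithm') }
        }

        # A protected section exposes only ciphertext, so only scan the others.
        $plaintextSecret = (-not $isProtected) -and
                           ($section.OuterXml -match '(?i)\b(password|pwd)\s*=\s*[^;"\s]')

        [pscustomobject]@{
            Section         = $section.LocalName
            Protected       = $isProtected
            Provider        = $providerName
            KeyContainer    = $container
            Algorithm       = $algorithm
            PlaintextSecret = $plaintextSecret
        }
    }
}

# Usage: the constructed sample first, then a real file (path is an assumption).
Get-ProtectedSectionReport -Config ([xml]$SampleWebConfig) | Format-Table -AutoSize
# Get-ProtectedSectionReport -Config ([xml](Get-Content 'E:\project\test\web.config' -Raw)) | Format-Table -AutoSize
```

On the sample, connectionStrings reports Protected=True, Provider=KeyProvider, KeyContainer=Key and the tripledes-cbc algorithm, while appSettings reports PlaintextSecret=True: encrypting connectionStrings alone does nothing for a password that was pasted into appSettings, which is the kind of gap this check is meant to surface before deployment.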


The following error may occur after encryption:

Configuration Error: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened.

The cause is that the account the web application runs under has no access to the default key container, NetFrameworkConfigurationKey. The fix is to grant it:

Windows Server 2003 (IIS 6, application pool running as Network Service), at a command prompt:
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"

Windows XP (IIS 5.1, ASPNET worker-process account):
aspnet_regiis -pa "NetFrameworkConfigurationKey" "ASPNET"

If the command is not found, add C:\Windows\Microsoft.NET\Framework\v2.0.50727 to the PATH environment variable.
The site can then be accessed successfully.
The same RsaProtectedConfigurationProvider encryption can also be done from the command line instead of from code, as shown below.
You can also use the command line to implement "rsaprotectedconfigurationprovider" encryption.

Note: Instead of granting access to the default container with aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE", you can register your own RSA key container for the provider.
The method is as follows:
1) Create an exportable RSA key container named Key (-exp is what later allows the private key to be exported and moved to other servers):

aspnet_regiis -pc "Key" -exp

2) Declare a provider bound to that container ahead of the section you want to encrypt, for example:

<configProtectedData>
  <providers>
    <clear />
    <add name="KeyProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         keyContainerName="Key"
         useMachineContainer="true" />
  </providers>
</configProtectedData>

<connectionStrings>
  <add name="SqlConnString"
       connectionString="Data Source=yourIP;Initial Catalog=test;User ID=yourID;Password=yourPassword;"
       providerName="System.Data.SqlClient" />
</connectionStrings>

Note that <clear /> removes the providers inherited from machine.config, so within this application only KeyProvider can be used; omit it if you still need the built-in providers.

Make sure the configuration element carries the following xmlns attribute:

<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">

3) Encrypt the configuration file:

aspnet_regiis -pef "connectionStrings" "E:\project\test" -prov "KeyProvider"

The parameters are: the configuration section to encrypt, the physical path of the project directory, and the name of the provider to use (the provider, in turn, names the key container).

Open web.config and you will see that the connectionStrings section is now encrypted; run the application and it still reaches the database correctly, because ASP.NET decrypts the section transparently when it reads the configuration.

To get the plaintext back, run:

aspnet_regiis -pdf "connectionStrings" "E:\project\test"

which decrypts the section in web.config.

(Note: if an error still occurs, the application identity probably lacks permission on the generated key file under C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. Rather than editing the file ACL by hand, grant the Network Service account read access to the container with aspnet_regiis -pa "Key" "NT AUTHORITY\NETWORK SERVICE"; you may need to restart IIS afterwards.)

4) Export the key container to an XML file:

aspnet_regiis -px "Key" "E:\key.xml"

This command exports only the public key, so the result can be used to encrypt but never to decrypt.

aspnet_regiis -px "Key" "E:\keys.xml" -pri

This exports the private key as well, which is what is needed to let another server decrypt the same web.config. The exported XML holds the private key unencrypted: restrict who can read it, transfer it over a protected channel, and delete it once it has been imported.

5) Delete the key container:

aspnet_regiis -pz "Key"

After the container is deleted, the application fails with:

Parser Error Message: Failed to decrypt using provider 'KeyProvider'. Error message from the provider: The RSA key container could not be opened.

This also shows that on any machine where the key container named Key is not installed, the application cannot decrypt the connectionStrings section and therefore cannot run.

6) Import the keys.xml file:

aspnet_regiis -pi "Key" "E:\keys.xml"

Run the application again and it decrypts the section once more (on a fresh server, the application identity must also be granted access to the imported container with -pa, as in step 3). This confirms that the encryption and decryption mechanism works as expected.
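The six steps above, as one PowerShell script. This is an added example, not code from the original article; it assumes the container name Key, a provider named KeyProvider already declared in the application's configProtectedData section, the physical path E:\project\test, an application pool running as Network Service, the 32-bit v2.0.50727 framework directory, and the export path E:\keys.xml. Publish-ProtectedConnectionStrings runs on the server where the key is created; Install-KeyContainer runs on each additional server that must decrypt the same web.config.

```powershell
# Added example, not from the original article. All values below are assumptions.
$RegIis    = Join-Path $env:WINDIR 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'  # assumed 32-bit 2.0 runtime; use Framework64 for 64-bit app pools
$Container = 'Key'                          # assumed key container name (step 1)
$Provider  = 'KeyProvider'                  # assumed provider name declared in web.config (step 2)
$AppDir    = 'E:\project\test'              # assumed physical path of the application
$Identity  = 'NT AUTHORITY\NETWORK SERVICE' # assumed application-pool identity
$ExportXml = 'E:\keys.xml'                  # assumed export path for the container

function Invoke-RegIis {
    # Runs aspnet_regiis and fails loudly on a non-zero exit code, so a failed -pa
    # does not silently leave the site throwing "The RSA key container could not be opened".
    param([Parameter(Mandatory)][string[]]$Arguments)
    & $RegIis @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Test-ConnectionStringsProtected {
    # Confirms that connectionStrings now names the expected provider and that
    # no plaintext password survives anywhere in the file.
    param([string]$WebConfigPath, [string]$ExpectedProvider)
    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    $cs = $cfg.SelectSingleNode('/configuration/connectionStrings')
    if ($null -eq $cs) { throw "no connectionStrings section in $WebConfigPath" }
    if ($cs.GetAttribute('configProtectionProvider') -ne $ExpectedProvider) {
        throw "connectionStrings is not protected by $ExpectedProvider"
    }
    if ($cfg.OuterXml -match '(?i)\b(password|pwd)\s*=') {
        throw "a plaintext password is still present in $WebConfigPath"
    }
}

function Publish-ProtectedConnectionStrings {
    # Steps 1, 3 and 4, plus the access grant from the note after step 3.
    Invoke-RegIis @('-pc', $Container, '-exp')       # 1) exportable machine-level container
    Invoke-RegIis @('-pa', $Container, $Identity)    #    read access for the app-pool identity only (no -full)
    Invoke-RegIis @('-pef', 'connectionStrings', $AppDir, '-prov', $Provider)   # 3) encrypt in place
    Test-ConnectionStringsProtected -WebConfigPath (Join-Path $AppDir 'web.config') -ExpectedProvider $Provider
    Invoke-RegIis @('-px', $Container, $ExportXml, '-pri')   # 4) export WITH the private key for the other servers
    # The export holds the private key in the clear: restrict it to the current user before it goes anywhere.
    & icacls $ExportXml /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(R)" | Out-Null
}

function Install-KeyContainer {
    # Step 6 on another server whose web.config carries the same provider element.
    param([string]$ImportXml = $ExportXml)
    Invoke-RegIis @('-pi', $Container, $ImportXml)   # no -exp: the imported copy need not be exportable again
    Invoke-RegIis @('-pa', $Container, $Identity)
    Remove-Item -Path $ImportXml -Force              # the key now lives in the container; do not leave the XML on disk
}

function Remove-KeyContainer {
    # Step 5: afterwards the site fails with "Failed to decrypt using provider 'KeyProvider'" until the key is re-imported.
    Invoke-RegIis @('-pz', $Container)
}

# Usage on the first server:   Publish-ProtectedConnectionStrings
# Usage on every other server: Install-KeyContainer -ImportXml 'E:\keys.xml'
```

The grant uses -pa without -full, so the application-pool identity can decrypt but cannot export or delete the container; -pr "Key" "<account>" revokes an entry again. The verification step reads the file after aspnet_regiis returns, which catches the common case where the tool succeeds on a copy of web.config in the wrong directory.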

Finally, what this mechanism does and does not protect:

Encrypting the app.config of a WinForms program gains little: the key (a DPAPI key or an RSA container) lives on the client machine, so whoever controls that machine can decrypt the file, for example by running aspnet_regiis -pdf against it.

For web.config the value is real but limited. If the file leaks on its own (a backup, a copy committed to source control, an accidental download), the leaked copy does not expose the secret. An attacker who can already run code on the server under an account with access to the key container recovers the plaintext just as easily as with app.config, by running aspnet_regiis -pdf or by calling UnprotectSection from code.

aspnet_regiis -pa "Key" "NT AUTHORITY\NETWORK SERVICE" (and -pr to revoke) controls which accounts may use the key container, so grant access only to the application-pool identity; a user who can log on to the server but has no entry on the container cannot decrypt the file with aspnet_regiis -pdf. Anyone who can run code as the application-pool identity, however, inherits its access, so this is a complement to hardening the server, not a substitute for it.
