C# Fundamentals: Web.config encryption under the .NET environment

Source: Internet
Author: User

When you deploy an ASP.NET project to a server on an intranet, Web.config is usually just copied over as-is. For an extranet environment, you need to encrypt the Web.config file.

.NET provides two built-in providers for encrypting configuration sections: DpapiProtectedConfigurationProvider and RsaProtectedConfigurationProvider.

With the former, a Web.config encrypted on one machine can only be decrypted on that same machine; if the config file has to be copied to an external host, it cannot be decrypted there. With the latter, the config file is encrypted locally and the RSA key container can be exported; when the config file is copied to the external host, the previously exported key file is imported there, after which the file is decrypted automatically.

Since the config file frequently has to be copied to an external host, the RSA provider is the better fit for real business scenarios, and this article walks through the steps for using RsaProtectedConfigurationProvider.

1. To use the RSA provider, you first need to enter the .NET Framework runtime directory, either by adding it to the PATH environment variable or with a cd command.

CD C:\Windows\Microsoft.NET\Framework\v2.0.50727

2. You can then use aspnet_regiis.exe to create an RSA key container. Key containers come in user-level and machine-level forms; a machine-level container is generally used.

aspnet_regiis -pc "MyKeys" -exp

3. After creating the key container, you also need to grant access to it; the following command grants the NETWORK SERVICE account access to the machine-level "MyKeys" RSA key container. MSDN provides an ASPX page that shows the identity your ASP.NET application runs under, but when I actually executed the -pa command I got an error.

aspnet_regiis -pa "MyKeys" "NT AUTHORITY\NETWORK SERVICE"

4. Add the following configuration node to the Web.config file. MyProvider is the name of your protection provider and can be chosen freely; keyContainerName is the name of the key container created above, and useMachineContainer is true to use a machine-level key container or false to use a user-level one.

This section does not have to be placed directly under the root configuration node as on MSDN (doing so caused an error); it is recommended to place it after the node that will be encrypted.

   <configProtectedData>
     <providers>
       <add name="MyProvider"
            type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0,
                  Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
            keyContainerName="MyKeys"
            useMachineContainer="true" />
     </providers>
   </configProtectedData>

5. The following commands encrypt the named sections of the config file under the specified path; the sessionState node can be encrypted as well if the SQL connection string for session state is also kept in the configuration file.

aspnet_regiis -pef "connectionStrings" "D:\WebApp" -prov "MyProvider"

aspnet_regiis -pef "system.web/sessionState" "D:\WebApp" -prov "MyProvider"

The encrypted connectionStrings node looks like the following, and the ASP.NET site can still be accessed.


  <connectionStrings configProtectionProvider="MyProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>x3xobfbo/h9quevuv8a1egmm0nqubnhfuc/iv1e7ccmgairt9ogmicentk8vamgfhufpzwfu5uuhsio/6bivypeo5wowlj3h5/suqmrj6nsajonrnyhejta4oqb4xajxazwcf3huewr0mg4wdciuftzarirmxkggfbxewpskj5k=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>suqfggjgfaon62yni2vm5sqymcf4yyaku9fwquvgclj1bfqixk9kis9ie0i0m2u4glbf+y0xpharfcofjpxhdwhoacrnqsxsutqixqux67bycjeyamz5ja9ebqatqvkiiz/khgvfipxscg5hiw/Ggqwaf3fesvesoasajz3jjk9mlkkwdd6lepgtccvjlnek0loeefznrngizffzwasyjh5ucf5lnxnxf/ibwtznsfifi2tv1f4sx9hkjeeryf5metu1raa/wqarmvn7dlxhpgconpnpxa1igltmaz/s1br/fso39skghrs+ohsdmbjri5zo4txxbk/dd86gpzu9jxrvknvimzzw0v8amc2hcvnclpsmwwggah6pnhe0xkjv6yh77xcldvskibvnwmlo/4kjgkonxaskfboaegprzi8=</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>


If decryption is required, you can run the following command.

aspnet_regiis -pdf "connectionStrings" "D:\WebApp"

The decrypted node then reads as follows.

<connectionStrings>
  <add name="DefaultConnection"
       connectionString="Data Source=(LocalDb)\MSSQLLocalDB;AttachDbFilename=|DataDirectory|\aspnet-webapp-20170622060005.mdf;Initial Catalog=aspnet-webapp-20170622060005;Integrated Security=True"
       providerName="System.Data.SqlClient" />
</connectionStrings>
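As an added check that is not part of the original article, the following Python script audits a Web.config for the state described above: it verifies that each sensitive section carries configProtectionProvider and an EncryptedData child, that the named provider is declared under configProtectedData, and that it is the RSA provider rather than DPAPI (which cannot follow the file to another host). The Web.config text, the provider name MyProvider and the key container MyKeys are constructed sample values.

```python
import xml.etree.ElementTree as ET
XMLENC = "{http://www.w3.org/2001/04/xmlenc#}"
# Constructed sample, not the article's file: connectionStrings is protected by MyProvider, sessionState is not.
SAMPLE_WEB_CONFIG = """<configuration>
  <configProtectedData>
    <providers>
      <add name="MyProvider"
           type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration"
           keyContainerName="MyKeys" useMachineContainer="true" />
    </providers>
  </configProtectedData>
  <connectionStrings configProtectionProvider="MyProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <system.web>
    <sessionState mode="SQLServer" sqlConnectionString="Data Source=db;User ID=app;Password=PLACEHOLDER" />
  </system.web>
</configuration>"""

def audit_protected_sections(config_xml, required=("connectionStrings", "system.web/sessionState")):
    """Return (findings, providers): one (section, problem) per required section that is not RSA-protected."""
    root = ET.fromstring(config_xml)
    providers = {}
    for add in root.findall("./configProtectedData/providers/add"):
        providers[add.get("name")] = {
            "rsa": "RsaProtectedConfigurationProvider" in (add.get("type") or ""),
            "container": add.get("keyContainerName"),
            "machine": (add.get("useMachineContainer") or "").lower() == "true",
        }
    findings = []
    for path in required:
        section = root
        for part in path.split("/"):  # walk e.g. system.web -> sessionState by tag name
            section = next((e for e in section if e.tag == part), None)
            if section is None:
                break
        if section is None:
            findings.append((path, "missing"))
            continue
        prov = section.get("configProtectionProvider")
        encrypted = section.find(XMLENC + "EncryptedData") is not None
        if prov is None or not encrypted:
            findings.append((path, "plaintext"))
        elif prov not in providers:
            findings.append((path, "unknown provider " + prov))
        elif not providers[prov]["rsa"]:
            findings.append((path, "not RSA: a DPAPI-protected section cannot be moved to another host"))
    return findings, providers
```

Run it against the real file with `audit_protected_sections(open(r"D:\WebApp\Web.config").read())` after step 5 and again on the target host after the import in step 9; an empty findings list means every listed section is encrypted with a declared RSA provider.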

6. Export the key container; the key material is written to the exported XML file, and -pri means the private key is exported together with the public key.

aspnet_regiis -px "MyKeys" "D:/mykeys.xml" -pri

7. Holding this XML file is equivalent to holding the key container, so once it has been exported the key container can be deleted with the following command.

aspnet_regiis -pz "MyKeys"

8. Once the key container has been deleted, running the ASP.NET application fails immediately unless the config file was decrypted beforehand.

In my actual testing, if the Web.config file of a running ASP.NET application is encrypted and the key is deleted immediately after encryption, the site started with click-to-run (not debugging) is still accessible. This indicates that the RSA decryption result is held in memory, and access does not fail until the solution is rebuilt or debugged (that is, until a build is performed).

9. You can now copy the encrypted config file together with the exported mykeys.xml to the server. At this point the running site fails outright, and you need to run the following import command.

aspnet_regiis -pi "MyKeys" "D:/mykeys.xml"

After importing, accessing the ASP.NET site on that host still produces an error about opening the provider. I eventually found a workaround for this pitfall on the web: the application pool identity must be granted access to the key container, as shown in the following command.

aspnet_regiis -pa "MyKeys" "IIS AppPool\myweb" -full

With the whole process covered, you can wrap the commands above into two batch files, one for creating the keys and one for importing them, as shown below.


@echo on
cd C:\Windows\Microsoft.NET\Framework\v2.0.50727
:: Set the config address; the config file is under E:\test
set configaddress="E:\test"
:: Create the RSA key container
aspnet_regiis -pc "MyKeys" -exp
:: Set key container access rights
aspnet_regiis -pa "MyKeys" "NT AUTHORITY\NETWORK SERVICE"
:: Encrypt
aspnet_regiis -pef "connectionStrings" "D:\WebApp" -prov "MyProvider"
aspnet_regiis -pef "system.web/sessionState" "D:\WebApp" -prov "MyProvider"
:: Export
aspnet_regiis -px "MyKeys" "D:/mykeys.xml" -pri
:: Delete the key container
aspnet_regiis -pz "MyKeys"
pause


@echo on
cd C:\Windows\Microsoft.NET\Framework\v2.0.50727
:: Delete the old key container
aspnet_regiis -pz "MyKeys"
:: Import the new key container
aspnet_regiis -pi "MyKeys" "D:/mykeys.xml"
:: Set access permissions for the application pool
aspnet_regiis -pa "MyKeys" "IIS AppPool\myweb" -full
pause


After writing these two bat files, I thought back to the earlier decryption command aspnet_regiis -pdf "connectionStrings" "D:\WebApp": it only needs the node name and the path. That is, if an attacker is able to execute cmd commands on the compromised server, he can decrypt the config. If there is a better way to solve this problem, you are welcome to leave a message.

If Microsoft had designed this command to take a key parameter as well, then even an attacker able to execute cmd commands could not decrypt the config, because the name of the key would not be known.

