Easy encryption of ASP. NET 2.0 web program configuration information

I. Introduction

When you create an ASP. NET 2.0 APPLICATIONProgramDevelopers usually store sensitive configuration information in the web. config file. The most typical example is the database connection string, but other sensitive information contained in the web. config file also includes the SMTP server connection information and user credential data. Although ASP can be configured by default.. Net to deny all pairs with the extension. the HTTP request for config file resources. However, if a hacker can access the file system of your Web server. sensitive information in config can still be stolen. For example, you may accidentally allow anonymous ftp access to your website, so that a hacker can simply download your web. config file through FTP.

Fortunately, by allowing encryption of web. the part selected in the config file, such as the <connectionstrings> section, or some custom config sections used by your application, Asp. NET 2.0 helps ease this problem. The configuration handler can easily use the keystore or aspnet_regiis.exe (a command line program) to pre-encrypt. Once encrypted, Web. config can be set to avoid "eye-catching. Additionally, when you retrieve encrypted configuration settings from your ASP. NET page programmatically, ASP. NET automatically decrypts the encrypted part it reads. In short, once the configuration information is encrypted, you do not need to write any otherCodeOr take any further action to use the encrypted data.

In this article, we will discuss how to set the configuration to program-style encryption and decryption, and analyze the use of the authorization language aspnet_regiis.exe. Then, we will evaluate the encryption options provided by ASP. NET 2.0. In addition, we will briefly discuss how to encrypt the configuration information in ASP. NET version 1.x.

Ii. Prerequisites

Before we begin to explore how to encrypt ASP. NET 2.0 configuration information, remember the following:

1. All forms of encryption will contain a secret, which is used to encrypt and decrypt data. Symmetric encryptionAlgorithmThe same key is used to encrypt and decrypt a message, while asymmetric encryption algorithms use different keys for encryption and decryption. Regardless of the technology used, the most important thing is to check the security degree of the decryption key.

2. The Configuration Encryption technology provided by ASP. NET 2.0 is designed to prevent hacker intrusion that can retrieve your configuration files in some way. The idea is that if a hacker has a web. config file on his computer, he cannot crack the encrypted part. However, when an ASP. NET page on the web server requests information from an encrypted configuration file, the data must be decrypted before it can be used (and you do not need to write any code ). Therefore, if a hacker can query a configuration file and display its results.. NET web pages are uploaded to your system. Then, you can view the encrypted settings in plain text mode. (For details, refer to the example ASP.. NET page, which shows how to encrypt and decrypt the web. methods of each part of the config file. As you can see, an ASP. NET page can access (and display) The normal text form of the encrypted data)

3. encryption and decryption of configuration information requires a certain performance cost. Therefore, only the configuration that contains sensitive information is encrypted. For example, you may not need to encrypt the <compilation> or <authorization> Configuration section.

Iii. What information is encrypted

Before analyzing how to encrypt ASP. NET 2.0 configuration information, Let's first look at what configuration information can be encrypted. Using the libraries provided by. NET Framework 2.0, developers can encrypt the vast majority of configuration parts in the web. config or machine. config file. These configurations are some XML elements used as the child nodes of the <configuration> or <system. Web> element. For example, the following sample Web. config file contains three configuration settings, which are explicitly defined:

<Connectionstrings>, <compilation>, and <authentication>.
<? XML version = "1.0"?>
<Configuration xmlns = "http://schemas.microsoft.com/.NetConfiguration/v2.0">
<Connectionstrings>
<Add name = "membershipconnectionstring" connectionstring = "connectionstring"/>
</Connectionstrings>
<System. Web>
<Compilation DEBUG = "true"/>
<Authentication mode = "forms"/>
</System. Web>
In this section, each user can be selectively encrypted, and implemented through programming or aspnet_regiis.exe (a command line tool. When encrypted, the encrypted text is directly stored in the configuration file. For example, if we want to encrypt the <connectionstrings> section above, the result web. config file may look as follows: (Note: Due to space limitations, we omit a large part of <ciphervalue>)

<? XML version = "1.0"?>
<Configuration xmlns = "http://schemas.microsoft.com/.NetConfiguration/v2.0">
<Connectionstrings configprotectionprovider = "dataprotectionconfigurationprovider">
<Encrypteddata>
<Cipherdata>
<Ciphervalue> aqaaancmnd8bfderjhoawe/Cl + sbaaaed... gicalq ==</ciphervalue>
</Cipherdata>
</Encrypteddata>
</Connectionstrings>
<System. Web>
<Compilation DEBUG = "true"/>
<Authentication mode = "forms"/>
</System. Web>
In addition, there are some configurations that you cannot use this technology to encrypt:

· <Processmodel>
· <Runtime>
· <Mscorlib>
· <Startup>
· <System. runtime. remoting>
· <Configprotecteddata>
· <Satelliteassemblies>
· <Cryptographysettings>
· <Cryptonamemapping>
· <Cryptoclasses>

To Encrypt these configurations, you must encrypt these values and store them in the registry. The aspnet_setreg.exe command line tool can help you implement this process. We will discuss this tool later in this article.

[Tip] the difference between web. config and machine. config:

Web. the config file specifies the configuration settings for a specific web application and is located in the root directory of the application. the config file specifies the configuration settings for all sites located on the Web server, and is located at $ windowsdir $ \ Microsoft. net \ framework \ version \ config directory.

Iv. Encryption options

Developers can use ASP. NET 2.0 to provide program models to protect configuration section information, which allows any implementation to be seamlessly inserted into this API .. Net Framework 2.0 provides two built-in providers to protect configuration section information:

· Windows Data Protection API (dpapi) Provider (dataprotectionconfigurationprovider): This provider uses Windows built-in Cryptography technology to encrypt and decrypt the configuration section. By default, this provider uses the local key. You can also use user keys, but this requires some customization.

· RSA-protected configuration provider (rsaprotectedconfigurationprovider): uses RSA public key encryption to encrypt and decrypt the configuration section. To use this provider, you need to create a key container that stores the public key and private key used for encryption and decryption configuration information. You can use RSA in a multi-server scenario, as long as you create an output key container.
Of course, if necessary, you can also create your own protection settings provider.

In this article, we only discuss how to use a machine-level key by using the dpapi provider. So far, this is the simplest method because it does not request to create any secret or key container. Of course, the negative side is that an encrypted configuration file can only be used on the web server that implements encryption first. Moreover, use the Machine Key to decrypt the encrypted text from any website on the Web server.

5. Encrypted configuration in programming mode

The system. configuration. sectioninformation class abstracts the description of a configuration section. To encrypt a configuration section, you only need to simply use the protectsection (provider) method of the sectioninformation class to pass the name of the provider you want to use for encryption. To access the web of your application. you can use the webconfigurationmanager class (in the system. web. configuration namespace) to reference your web. config file, and then use its getsection (sectionname) method to return a configurationsection instance. Finally, you can obtain a sectioninformation object through the sectioninformation attribute of the configurationsection instance.

Below, we use a simple code example to illustrate the problem:

Privatevoid protectsection (string sectionname, string provider)
{
Configuration Config = webconfigurationmanager.
Openwebconfiguration (request. applicationpath );
Configurationsection section = config. getsection (sectionname );
If (section! = NULL &&! Section. sectioninformation. isprotected)
{
Section. sectioninformation. protectsection (provider );
Config. Save ();
}
}
Private void unprotectsection (string sectionname ){
Configuration Config = webconfigurationmanager. openwebconfiguration (request. applicationpath );
Configurationsection section = config. getsectio N (sectionname );
If (section! = NULL & section. sectioninformation. isprotected)
{
Section. sectioninformation. unprotectsection ();
Config. Save ();
}
You can. NET page calls this protectsection (sectionname, provider) method, the corresponding parameter is a node name (such as connectionstrings) and a provider (such as dataprotectionconfigurationprovider), and it opens the web. config File, reference this section, call the protectsection (provider) method of the sectioninformation object, and save the configuration changes.

On the other hand, the unprotectsection (provider) method decrypts a specific configuration section. Here, you only need to pass in the section to be decrypted-we do not need to bother with the provider, because the information has been stored in the tag of the Section with encrypted (that is, in the <connectionstrings> section in the preceding example, after being encrypted, it contains the provider: <connectionstringsconfigprotectionprovider = "dataprotectionconfigurationprovider"> ).

Remember, once the data is encrypted. NET page to read it (that is, from a sqldatasource control or programmatically through configurationmanager. connectionstrings [connstringname]. connectionstring reads the connection string information), Asp. net will automatically decrypt the connection string and return normal text values. In other words, after encryption is implemented, you do not need to change your code at all. Pretty cool, right?

Sample ASP. NET 2.0 website, you will find a sample page that shows the web of the site. in the config file, there is a multi-line Textbox, and corresponding web control buttons are provided to encrypt each part of the configuration file. The protectsection () and unprotectsection () methods discussed above are also used in this example.

6. Use the command line tool aspnet_regiis.exe

You can also use the aspnet_regiis.exe command line tool to encrypt and decrypt the Web. config file configuration section. You can find this tool in the "% windowsdir % \ Microsoft. NET \ framework \ version" directory. To encrypt a section in the web. config file, you can use the dpapi machine key in this command line tool, as shown below:

Common form of encrypting the Web. config file of a specific website:

Aspnet_regiis.exe-Arg section physical_directory-prov provider
Or:

Aspnet_regiis.exe-PE section-app virtual_directory-prov provider
Encrypt the specific instance of the web. config file of a specific website:

Aspnet_regiis.exe-Arg "connectionstrings" "C: \ Inetpub \ wwwroot \ mysite"-prov "dataprotectionconfigurationprovider"
Or:

Aspnet_regiis.exe-pe "connectionstrings"-app "/mysite"-prov "dataprotectionconfigurationprovider"
Common form of decrypting the Web. config file of a specific website:

Aspnet_regiis.exe-PDF section physical_directory
Or:

Aspnet_regiis.exe-Pd section-app virtual_directory
Decrypts a specific instance of the web. config file of a specific website:

Aspnet_regiis.exe-PDF "connectionstrings" "C: \ Inetpub \ wwwroot \ mysite"
Or:

You can also specify that aspnet_regiis.exe is used to encrypt/decrypt the machine. config file.

[Prompt] encrypt configuration settings in ASP. NET version 1.x

To protect configuration settings in ASP. NET version 1.x, developers need to encrypt and store sensitive settings in the web server registry, and store them in a "strong" key mode. The configuration file does not store encrypted content (such as ASP. NET 2.0), but only contains a reference to the registry key that stores the encrypted value. For example:

<Identity impersonate = "true"
Username = "Registry: HKLM \ SOFTWARE \ my_secure_app \ identity \ aspnet_setreg, username"
Password = "Registry: HKLM \ SOFTWARE \ my_secure_app \ identity \ aspnet_setreg, password"/>
Microsoft released the aspnet_setreg.exe command line tool for developers to encrypt sensitive configuration information and move it to a "strong" Registry portal. Unfortunately, this tool only works for specific configuration settings; in contrast, ASP. NET 2.0 allows encryption of any configuration section.

For more information about using aspnet_setreg.exe in an ASP. NET 1.xapplication, see kb #32990 in msdn. Unfortunately, this command line program can only encrypt predefined sections in configuration settings, and does not allow you to encrypt your own database connection strings and other sensitive information.

VII. Conclusion

In this article, we learned how to use different encryption methods of ASP. NET to protect configuration section information. We also discussed how to use programming technology and aspnet_regiis.exe to encrypt the configuration section in Web. config respectively. Protection of your sensitive configuration settings helps ensure that your site is more difficult to be attacked by hackers-by making it more difficult to find sensitive configuration settings. Currently, ASP. NET 2.0 provides relatively easy encryption and decryption technologies. Developers have no reason not to use this method to protect your sensitive configuration settings.