Web.config encryption and decryption details

Source: Internet
Author: User
Tags: decrypt, connectionStrings

You can use protected configuration to encrypt sensitive information (including user names and passwords, database connection strings, and encryption keys) in a web application configuration file such as Web.config. Once the configuration information is encrypted, an attacker who obtains a copy of the file still cannot read the sensitive values without also gaining access to the key that protects them (the RSA key container, or the machine's DPAPI key), which raises the cost of an attack on the application. Take the database connection string of an ASP.NET 2.0 application as an example: an unencrypted configuration file contains a section that specifies the connection string to the database in clear text, as shown below.

<configuration>
  <connectionStrings>
    <add name="SampleSqlServer" connectionString="Data Source=localhost;Integrated Security=SSPI;Initial Catalog=Northwind;"/>
  </connectionStrings>
</configuration>
ASP.NET 2.0 adds a security feature for this: the aspnet_regiis.exe tool can encrypt any encryptable configuration section of Web.config, either by running the tool manually or from code. If you have direct access to the web server, run the tool from the framework directory (section names are case sensitive, so use "connectionStrings" and "appSettings" exactly as they appear in the file):

cd %windir%\Microsoft.NET\Framework\<versionNumber>
aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"

The encryption and decryption options of aspnet_regiis are:

-pd section
Decrypts the specified configuration section. Optional modifiers:
  -app virtualPath    the virtual path of the application whose Web.config should be decrypted
  -location subPath   the subdirectory to decrypt
  -pkm                decrypt Machine.config instead of Web.config

-pdf section webApplicationDirectory
Decrypts the specified configuration section of the Web.config file in the given physical (non-virtual) directory.

-pe section
Encrypts the specified configuration section. Optional modifiers:
  -prov provider      the protected-configuration provider to use
  -app virtualPath    the virtual path of the application whose Web.config should be encrypted
  -location subPath   the subdirectory to encrypt
  -pkm                encrypt Machine.config instead of Web.config

-pef section webApplicationDirectory
Encrypts the specified configuration section of the Web.config file in the given physical (non-virtual) directory.
If you are on a shared host and cannot reach the physical server, you can still encrypt the connection string programmatically:

Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection section = config.GetSection("connectionStrings");
section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
config.Save();

This requires the ASP.NET process identity to have write access to Web.config and, for the RSA provider, access to the key container; saving Web.config also restarts the application domain.


Encrypt the specified section in Web.config (the DPAPI provider used here ties the encrypted file to this machine's key; use RsaProtectedConfigurationProvider if the file must be readable on other machines):

using System.Configuration;
using System.Web.Configuration;

private void ProtectSection(string sectionName)
{
    Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection(sectionName);
    // Only protect a section that exists and is still in clear text
    if (section != null && !section.SectionInformation.IsProtected)
    {
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        config.Save();
    }
}

Decrypt the specified section in Web.config:

private void UnprotectSection(string sectionName)
{
    Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection(sectionName);
    // Only unprotect a section that exists and is currently encrypted
    if (section != null && section.SectionInformation.IsProtected)
    {
        section.SectionInformation.UnprotectSection();
        config.Save();
    }
}


A configuration file whose connection string values were encrypted with protected configuration no longer shows the connection strings in clear text; they are stored in encrypted form, as in the following example. The section body is encrypted with a 3DES session key, and that session key is in turn wrapped with the RSA key from the key container (the rsa-1_5 EncryptionMethod inside EncryptedKey), which is why the file can only be read on a machine that holds that container:

<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>rxo/zmmy3sr0iojof4ooxkfxwelvypt0riwp2mypr3fu+r6bpfvsqb384pohivkyny7dm4lpgr2be9f7k6tbllvjfvnqu7p7d/yjnhzghwwkmqb0m0t0y8dowogkddxfxs1uxihtknc+2a7ugtgh6d
I3n572qxdfmgfqc7zbwne=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>kmnkbuv9noid8puvdnly5i8r7baegncjkwygshw8clkjrxsm7zeirmay/ctaniu8rfk92kvkek83+ulqd+Gq6pyco3em8dtm5kcylceija5xuaqv4kitbnbn6fbxswrgueyudwzym6eijl8dqrdb
11i+stkbllhpyyhbncasxdz5caqvug0obey2xmngq6g3mzr74j4ifxnyvrq7leva2sbr4lhe5m80cd5ykejktcpwzym99tmyo3kyjtmrw/ws/xo3z9z1b1kohe5ok/yx1yv0+uk4/yuzo0bjk+rerg505ymfrvtxsj4ee418
zmfp4voaqzkrskhpie3zir7suvueypfzbcv65bkcult4etplgi8chu8bmbqkdwxonqeibey+teraee/sibcra8m/n9bpllrjkub+urigloaj+xhym//fmcclacveklba6vkrcbqhejsny2f522yathcc1+wxuwqif7rsiphc0+
Mt1hb1szjd8dmpgtzuyzcl51dochy+hz4vlze=</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>



If you own the host you can do it this way; on a host you do not control, every time you encrypt you would have to hand the key over to the other side, which is a lot of work and inconvenient.

In general a Web.config encrypted with aspnet_regiis uses the default RsaProtectedConfigurationProvider, whose key lives in the machine-level key container NetFrameworkConfigurationKey; after copying the file to another machine it cannot be read, because the key container is not copied with it. To make the encrypted file portable, create your own exportable key container and move it together with the site:

1. Create an exportable RSA key container
aspnet_regiis -pc "MyKeys" -exp

2. Grant the ASP.NET identity access to the RSA container
aspnet_regiis -pa "MyKeys" "NT AUTHORITY\NETWORK SERVICE"

3. Declare the protected-configuration provider in Web.config
<configuration>
  <configProtectedData>
    <providers>
      <add name="MyProvider"
           type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           keyContainerName="MyKeys"
           useMachineContainer="true"/>
    </providers>
  </configProtectedData>
</configuration>

4. Encrypt the <connectionStrings> section
aspnet_regiis -pe "connectionStrings" -app "/MyApp" -prov "MyProvider"

5. Export the RSA key container, including the private key
aspnet_regiis -px "MyKeys" "C:\keys.xml" -pri

6. Remove the RSA key container (optional; after this the local machine can no longer decrypt the file)
aspnet_regiis -pz "MyKeys"

7. On the target server, import the RSA key container from the XML file
aspnet_regiis -pi "MyKeys" "C:\keys.xml"

8. Grant the ASP.NET identity on that server access to the RSA container
aspnet_regiis -pa "MyKeys" "NT AUTHORITY\NETWORK SERVICE"

Because -pri includes the private key, keys.xml is as sensitive as the secrets it protects: copy it over a secure channel and delete it from both machines once the import has succeeded.




Encrypting and decrypting a section of Web.config under .NET 2.0:

aspnet_regiis -pef appSettings C:\inetpub\wwwroot\website

aspnet_regiis -pdf appSettings C:\inetpub\wwwroot\website

However, my view is that Web.config should be encrypted separately on each machine: compared with exporting and importing the key container, per-machine encryption is not much less efficient, and its security is higher because the private key never leaves the machine.


Using aspnet_regiis.exe to encrypt locally and decrypt on the target server

Steps:
1. First generate the RSA key container locally (for details on the RSA provider see http://msdn.microsoft.com/zh-cn/library/yxw286t2(vs.80).aspx)
aspnet_regiis.exe -pc "JimmyKeys" -exp
Note: JimmyKeys is the container name and can be anything you like.

2. Export the RSA key container to an XML file
aspnet_regiis.exe -px "JimmyKeys" "C:\JimmyKeys.xml" -pri
(-pri includes the private key; without it the file holds only the public key, and a server that imports it can encrypt but not decrypt.)

3. Add a section to Web.config, normally placed before <appSettings>, as follows
<configProtectedData>
  <providers>
    <add name="JimmyRsaProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         keyContainerName="JimmyKeys"
         useMachineContainer="true"/>
  </providers>
</configProtectedData>
<appSettings>
...

4. Encrypt Web.config
aspnet_regiis.exe -pef "appSettings" "C:\website" -prov "JimmyRsaProvider"
Decrypt:
aspnet_regiis.exe -pdf "appSettings" "C:\website"

5. Deploy to one or more remote servers
A. Upload the web site files to the server together with JimmyKeys.xml (the exported RSA container file) and import the RSA container
aspnet_regiis.exe -pi "JimmyKeys" "C:\JimmyKeys.xml"

B. Confirm the account that ASPX pages run as on the server
Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
Just create an ASPX page with the line above in it and look at the output: under IIS 5 it is ASPNET, under IIS 6 it is NETWORK SERVICE; I have not tried IIS 7 and do not know what it outputs.

C. Grant the account found in B read access to the RSA key container
aspnet_regiis.exe -pa "JimmyKeys" "NETWORK SERVICE"

For convenience, these commands are collected into two batch files:

1. Local batch (remove any existing container, create the RSA container, export it, encrypt Web.config). Note that the first line deletes an existing JimmyKeys container, so do not run it on a machine that still needs the old key.
%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pz "JimmyKeys"
%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pc "JimmyKeys" -exp
%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -px "JimmyKeys" "C:\JimmyKeys.xml" -pri
%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pef "appSettings" "C:\website" -prov "JimmyRsaProvider"

2. Remote server batch (import the RSA container, grant access)
%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pi "JimmyKeys" "C:\JimmyKeys.xml"
%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pa "JimmyKeys" "NETWORK SERVICE"


Before encryption:
<connectionStrings>
  <add name="ConnStr" connectionString="Data Source=server;Initial Catalog=lib;User ID=sa;Password=***"
       providerName="System.Data.SqlClient"/>
</connectionStrings>

After encryption:
<connectionStrings configProtectionProvider="JimmyRsaProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
    xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>bresi2wd4x4cakh0puzhytyltmr3cp9jfee8yw03newgzcooevduxaceklesmyx8r/Ti5nszxomy20pqzd1kvgelzz4rhkepe9lktawyknhqzmpfornjsdgtvs6jhrvvat9rdvgkbftvvlxuvpxgsenb0t6xjwq
/voiu7ktyfjk=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>c4hd+efjl//pv4eezt938awyhlypbut8lbnwf4y4c6tewwlnbtwgyxtxph6tnf8ne6s9h5c/awxy/3jecuned8ygoo+rdhxw8nysd8vuc53+iuihw5tls/aoivy8k1yoflwgkffwptox4f4gmts+mamhkihq46p
h2vyjyprnsl8le2pgnjdojndegyq+wkn2iw968+qjutcibgjn6h6igyghymkyurgrzfo3iizu+ecwe2iqcp+s58eqrju3mxj2bqeuu9haky4=</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>
Likewise, once the section is encrypted this way, ASPX pages read it without any decryption code of their own: the configuration system decrypts it transparently, and the application code needs no changes.
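The audit script below is an added example and is not code from the original article. It parses a Web.config laid out like the before/after listings above, reports which top-level sections are encrypted (provider, data algorithm, key-wrap algorithm and key name, read from the EncryptedData element), flags unprotected sections that still carry a password in a connection string or a secret-looking appSettings key, and checks that every provider referenced by an encrypted section is either one of the two built-in providers or declared under <configProtectedData><providers> with a genuine provider type (a misspelled type attribute is only discovered at run time otherwise). The sample Web.config, the section name secureAppSettings, the provider names TypoProvider and MissingProvider, and the placeholder cipher values are all constructed for the example.

```python
"""Audit a Web.config for protected-configuration coverage (added example)."""
import re
import xml.etree.ElementTree as ET

XMLENC = "{http://www.w3.org/2001/04/xmlenc#}"
XMLDSIG = "{http://www.w3.org/2000/09/xmldsig#}"

# Providers ASP.NET declares in machine.config; a Web.config need not redeclare them.
BUILTIN_PROVIDERS = {"RsaProtectedConfigurationProvider", "DataProtectionConfigurationProvider"}
# Class names the two shipped providers resolve to; anything else is a typo or a custom provider.
KNOWN_PROVIDER_TYPES = ("System.Configuration.RsaProtectedConfigurationProvider",
                        "System.Configuration.DpapiProtectedConfigurationProvider")

SECRET_KEY_RE = re.compile(r"password|pwd|secret|apikey|token", re.I)
CONN_SECRET_RE = re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=", re.I)


def declared_providers(root):
    """Map provider name -> type string for <configProtectedData><providers><add/>."""
    return {add.get("name"): add.get("type", "")
            for add in root.findall("./configProtectedData/providers/add")}


def plaintext_secrets(section):
    """Names of <add> entries in an unprotected section that still carry a credential."""
    hits = []
    for add in section.findall("add"):
        conn = add.get("connectionString")
        if conn is not None:
            if CONN_SECRET_RE.search(conn):             # Password=/Pwd= in a connection string
                hits.append(add.get("name", "?"))
        elif SECRET_KEY_RE.search(add.get("key", "")):  # secret-looking appSettings key
            hits.append(add.get("key"))
    return hits


def describe_encrypted(section):
    """Algorithms and key name from the <EncryptedData> aspnet_regiis writes, or None."""
    enc = section.find(XMLENC + "EncryptedData")
    if enc is None:
        return None

    def algorithm(node):
        method = node.find(XMLENC + "EncryptionMethod") if node is not None else None
        return method.get("Algorithm", "").rsplit("#", 1)[-1] if method is not None else ""

    # Section body: symmetric cipher; that key is wrapped with the RSA key named in KeyName.
    wrapped = enc.find(XMLDSIG + "KeyInfo/" + XMLENC + "EncryptedKey")
    key_name = wrapped.find(XMLDSIG + "KeyInfo/" + XMLDSIG + "KeyName") if wrapped is not None else None
    return {"data_alg": algorithm(enc), "key_alg": algorithm(wrapped),
            "key_name": key_name.text if key_name is not None else ""}


def audit(web_config_xml):
    """Return (name, status, detail) for each provider declaration and top-level section."""
    root = ET.fromstring(web_config_xml)
    providers = declared_providers(root)
    report = [(name, "BAD_PROVIDER_TYPE", ptype) for name, ptype in providers.items()
              if not ptype.startswith(KNOWN_PROVIDER_TYPES)]
    for section in root:
        if section.tag == "configProtectedData":       # cannot itself be encrypted
            continue
        provider = section.get("configProtectionProvider")
        if provider is None:
            hits = plaintext_secrets(section)
            report.append((section.tag, "PLAINTEXT_SECRETS" if hits else "CLEAR", ", ".join(hits)))
        elif provider not in providers and provider not in BUILTIN_PROVIDERS:
            report.append((section.tag, "UNDECLARED_PROVIDER", provider))
        else:
            info = describe_encrypted(section)
            if info is None:
                report.append((section.tag, "MALFORMED", provider))
            else:
                report.append((section.tag, "ENCRYPTED", "%s: %s, key wrapped with %s (%s)"
                               % (provider, info["data_alg"], info["key_alg"], info["key_name"])))
    return report


# Constructed sample: one good provider, one misspelled type, an encrypted section,
# a clear-text API key, and a section that names a provider nobody declared.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <configProtectedData><providers>
    <add name="JimmyRsaProvider" type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" keyContainerName="JimmyKeys" useMachineContainer="true"/>
    <add name="TypoProvider" type="System.Cofiguration.RsaProtectedConfigurationProvider, System.Configuration" keyContainerName="JimmyKeys" useMachineContainer="true"/>
  </providers></configProtectedData>
  <connectionStrings configProtectionProvider="JimmyRsaProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyName>Rsa Key</KeyName></KeyInfo>
        <CipherData><CipherValue>AAAA</CipherValue></CipherData>
      </EncryptedKey></KeyInfo>
      <CipherData><CipherValue>BBBB</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings><add key="SiteName" value="lib"/><add key="ApiKey" value="0123456789abcdef"/></appSettings>
  <secureAppSettings configProtectionProvider="MissingProvider"><EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"/></secureAppSettings>
  <system.web><compilation debug="false"/></system.web>
</configuration>"""

# Constructed sample mirroring the clear-text "before encryption" listing.
SAMPLE_BEFORE = """<configuration><connectionStrings>
  <add name="ConnStr" connectionString="Data Source=server;Initial Catalog=lib;User ID=sa;Password=***" providerName="System.Data.SqlClient"/>
</connectionStrings></configuration>"""

if __name__ == "__main__":
    for name, status, detail in audit(SAMPLE_WEB_CONFIG) + audit(SAMPLE_BEFORE):
        print("%-20s %-20s %s" % (name, status, detail))
```

Run it against a real Web.config with `audit(open("Web.config").read())`; anything reported as PLAINTEXT_SECRETS is a section aspnet_regiis -pe has not yet been run on, and UNDECLARED_PROVIDER or BAD_PROVIDER_TYPE means the application will fail to start on the target server even though the key container was imported.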

Note: not every node can be encrypted. ASP.NET 2.0 supports encryption only for some configuration sections of Web.config, and the data in the following sections cannot be encrypted:
• <processModel>
• <runtime>
• <mscorlib>
• <startup>
• <system.runtime.remoting>
• <configProtectedData>
• <satelliteassemblies>
• <cryptographySettings>
• <cryptoNameMapping>
• <cryptoClasses>

Besides appSettings and connectionStrings, other sections can be encrypted by giving their section path:

aspnet_regiis.exe -pef "system.serviceModel/behaviors" "D:\website\cntvs\"

That encrypts the <behaviors> section under <system.serviceModel>; the same path also works when encrypting from code. After several attempts, it appears that for sections other than appSettings and connectionStrings only two-level paths (section group/section) are supported. A path one level deeper, as in:

aspnet_regiis.exe -pef "system.serviceModel/behaviors/endpointBehaviors" "D:\website\cntvs"

fails with:

Configuration section "system.serviceModel/behaviors/endpointBehaviors" was not found.

The reason is that endpointBehaviors is an element inside the behaviors section rather than a configuration section of its own, and protected configuration operates on whole sections.
