Web.config encryption and decryption

Source: Internet
Author: User

Scott Mitchell's ASP.NET 2.0 Data Tutorial 73: Protecting Connection Strings and Other Settings

Introduction:

The settings of an ASP.NET application are usually stored in an XML file named Web.config. We have modified the Web.config file several times in earlier tutorials. For example, in tutorial 1, when we created a DataSet named Northwind, the database connection string was automatically added to the <connectionStrings> node of the Web.config file. Later, in tutorial 3, we manually updated Web.config, adding a <pages> element so that all ASP.NET pages use the DataWebControls theme.

Because the Web.config file contains sensitive information such as connection strings, keeping its contents secure is very important, and this sensitive information must be hidden from unauthorized visitors. By default, any HTTP request for a file with the .config extension is handled by the ASP.NET engine, which returns a "This type of page is not served" message, as shown in Figure 1. This means you cannot simply enter http://www.yourserver.com/web.config in your browser's address bar to view the Web.config file.


Figure 1: Accessing Web.config through a browser returns the "This type of page is not served" message

But what if an attacker finds some other way to access the contents of your Web.config file? What could he do with it, and how can we protect the information in the Web.config file? Fortunately, the vast majority of nodes in the Web.config file do not contain sensitive information: does it really matter if an attacker learns the name of the default theme used by your ASP.NET pages?

Some nodes in the Web.config file do contain sensitive information, such as connection strings, user names, passwords, server names, and encryption keys. This information is found in the following nodes:

- <appSettings>
- <connectionStrings>
- <identity>
- <sessionState>

In this article we will examine techniques for protecting this sensitive information. As we will see, the .NET Framework 2.0 includes a protected configuration system that makes it easy to encrypt and decrypt selected configuration nodes.

Note:
At the end of this article we will look at how a Microsoft .NET application connects to the database. Besides encrypting the connection string, we can also connect to the database in a "secure mode" to make the system more robust.


Step 1: Evaluating the protected configuration options of ASP.NET 2.0

ASP.NET 2.0 includes a protected configuration system for encrypting and decrypting configuration information. The .NET Framework provides methods that can be used to programmatically encrypt and decrypt configuration information. The protected configuration system uses the provider model, which lets developers choose which encryption implementation is used.

The .NET Framework ships with two protected configuration providers:

- RSAProtectedConfigurationProvider: uses the asymmetric RSA algorithm for encryption and decryption

- DPAPIProtectedConfigurationProvider: uses the Windows Data Protection API (DPAPI) for encryption and decryption

Because the protected configuration system follows the provider design pattern, we can also create our own protected configuration provider and plug it into our application. For detailed steps, see the article Implementing a Protected Configuration Provider (http://msdn2.microsoft.com/en-us/library/wfc2t3az(VS.80).aspx).

Both the RSA and DPAPI providers use keys for encryption and decryption, and these keys can be stored at the machine level or at the user level. Machine-level keys are ideal in two situations: each web application runs on its own dedicated server, or multiple applications on one server need to share the same encrypted information. User-level keys are the more secure choice in a shared server environment, because other programs running on the same server cannot then decrypt your encrypted configuration information.

This tutorial uses the DPAPI provider with machine-level keys; specifically, we will encrypt the <connectionStrings> node of the Web.config file. For more information about the RSA provider and user-level keys, refer to the further reading at the end of this article.

Note:
The RSAProtectedConfigurationProvider and DPAPIProtectedConfigurationProvider providers are registered in the machine.config file under the names RsaProtectedConfigurationProvider and DataProtectionConfigurationProvider respectively. When we encrypt or decrypt configuration information, we must supply the registered provider name (RsaProtectedConfigurationProvider or DataProtectionConfigurationProvider) rather than the actual type name (RSAProtectedConfigurationProvider or DPAPIProtectedConfigurationProvider). The machine.config file can be found in the $WINDOWS$\Microsoft.NET\Framework\version\CONFIG folder.


Step 2: Programmatically encrypting and decrypting configuration nodes

With a provider chosen, only a few lines of code are needed to encrypt or decrypt a configuration node. The code simply obtains a reference to the appropriate configuration node, calls its ProtectSection or UnprotectSection method, and then calls the Save method to write the change to the file. In addition, the .NET Framework includes a handy command-line tool for encryption and decryption, which we will examine in a later step.

To demonstrate this, we will create an ASP.NET page with buttons that encrypt and decrypt the <connectionStrings> node of the Web.config file.

Open the EncryptingConfigSections.aspx page in the AdvancedDAL folder, drag a TextBox control onto the page, and set its ID to WebConfigContents, its TextMode property to MultiLine, and its Width and Rows properties to 95% and 15 respectively. This TextBox will display the contents of the Web.config file so that we can see whether they have been encrypted. Of course, in a real application we would never display the contents of the Web.config file.


Add two Button controls below the TextBox, with IDs EncryptConnStrings and DecryptConnStrings, and set their Text properties to "Encrypt Connection Strings" and "Decrypt Connection Strings".

At this point, your page should look similar to the following:

Figure 2: Add a TextBox control and two Button controls to the page

Next, when the page is visited for the first time, we need to display the contents of the Web.config file in the WebConfigContents TextBox. Add the following code to the page's code-behind class. It adds a method named DisplayWebConfig, which the Page_Load event handler calls when Page.IsPostBack is false:

protected void Page_Load(object sender, EventArgs e)
{
    // On the first page visit, call the DisplayWebConfig method
    if (!Page.IsPostBack)
        DisplayWebConfig();
}

private void DisplayWebConfig()
{
    // Reads in the contents of Web.config and displays them in the TextBox
    // (File, StreamReader and Path live in the System.IO namespace)
    StreamReader webConfigStream =
        File.OpenText(Path.Combine(Request.PhysicalApplicationPath, "Web.config"));
    string configContents = webConfigStream.ReadToEnd();
    webConfigStream.Close();

    WebConfigContents.Text = configContents;
}


The DisplayWebConfig method uses the File class to open the application's Web.config file, the StreamReader class to read its contents into a string, and the Path class to obtain the physical path of the Web.config file. These three classes live in the System.IO namespace, so we should add a using System.IO declaration at the top of the code-behind class, or prefix the class names with "System.IO.".

Next, we need to add event handlers for the Click events of the two buttons that encrypt and decrypt the <connectionStrings> node using the DPAPI provider with machine-level keys. In the designer, double-click each button to create its Click event handler and add the following code:

protected void EncryptConnStrings_Click(object sender, EventArgs e)
{
    // Get configuration information about Web.config
    Configuration config =
        WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);

    // Let's work with the <connectionStrings> section
    ConfigurationSection connectionStrings = config.GetSection("connectionStrings");
    if (connectionStrings != null)
    {
        // Only encrypt the section if it is not already protected
        if (!connectionStrings.SectionInformation.IsProtected)
        {
            // Encrypt the <connectionStrings> section using the
            // DataProtectionConfigurationProvider (the registered DPAPI provider name)
            connectionStrings.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");

            // Save the change to Web.config and refresh the TextBox
            config.Save();
            DisplayWebConfig();
        }
    }
}
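The following helper class is an added example and is not code from the tutorial. It gathers the three operations the text describes (ProtectSection, UnprotectSection, Save) into reusable methods, lists the provider names registered in machine.config alongside the CLR types behind them (the distinction the note in Step 1 makes), and shows that application code keeps reading the plaintext connection string through WebConfigurationManager after the section has been encrypted on disk. The class name ConfigProtection and the appPath, sectionName and providerName parameters are assumptions; the provider names are the ones registered by the framework.

```csharp
// Added example (not the tutorial's code): programmatic protected configuration helper.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtection
{
    // Registered provider names (what ProtectSection expects), not the type names.
    public const string DpapiProviderName = "DataProtectionConfigurationProvider";
    public const string RsaProviderName = "RsaProtectedConfigurationProvider";

    // Shows each registered provider name next to the type that implements it.
    public static void ListProviders()
    {
        foreach (ProtectedConfigurationProvider provider in ProtectedConfiguration.Providers)
            Console.WriteLine("{0} -> {1}", provider.Name, provider.GetType().FullName);
        Console.WriteLine("Default provider: {0}", ProtectedConfiguration.DefaultProvider);
    }

    // Encrypts one section of the application's Web.config with the named provider.
    // appPath is the application's virtual path (Request.ApplicationPath from a page).
    // Returns false when the section is missing or is already protected.
    public static bool Protect(string appPath, string sectionName, string providerName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(providerName);
        config.Save();   // writes <EncryptedData> plus configProtectionProvider="..." to disk
        return true;
    }

    // Reverses Protect: decrypts the section and writes the plaintext XML back.
    // Returns false when the section is missing or is not protected.
    public static bool Unprotect(string appPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.UnprotectSection();
        config.Save();
        return true;
    }

    // Whether or not <connectionStrings> is encrypted on disk, the runtime decrypts it
    // transparently, so this returns the plaintext connection string in both cases.
    public static string ReadConnectionString(string name)
    {
        ConnectionStringSettings settings = WebConfigurationManager.ConnectionStrings[name];
        return settings == null ? null : settings.ConnectionString;
    }
}
```

From the tutorial's page the Encrypt button handler reduces to `ConfigProtection.Protect(Request.ApplicationPath, "connectionStrings", ConfigProtection.DpapiProviderName); DisplayWebConfig();` and the Decrypt handler to `ConfigProtection.Unprotect(Request.ApplicationPath, "connectionStrings"); DisplayWebConfig();`. Two practical points: the worker process identity must have write permission on Web.config for Save to succeed, and because ASP.NET watches Web.config, every Save restarts the application, so encrypt once at deployment rather than from a page that runs in production.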
