June 30, 2008 at 6:47 am
Hi guys,
We have an ASP.Net application (using C#) where we specify the functional id and password in the config file. We've been told this is a security risk, and that we can't have the password in the file (which up till now I thought was the whole purpose of the config file.
So that being said, I don't know what else to do. I dont know anything about encryption, and was wondering how some of you guys might handle a situation like this.
June 30, 2008 at 6:56 am
What do you use this "functional id" and password to authenticate with? Is this something that can use windows authentication?
Are you able to store an encrypted or encoded password in the config file and decrypt it within your application? Are you allowed to encrypt the entire config file?
June 30, 2008 at 8:34 am
I imagine that would be okay, but have zero experience in encrypting anything and really don't know where to start. I've seen where the value passed looked excrypted, but don't know what SQL Server does on its end to unencrypt it.
Sorry, but I am totally ignorant on this.
June 30, 2008 at 9:26 am
You don't want SQL Server decrypting it. You want the front-end or data-connection layer decrypting it.
Think of it this way:
Someone steals a copy of the config file. They find that the passwords, etc., in it are encrypted. They send them to SQL Server, and it decrypts them, and makes the connection. Not good.
Someone steals a copy of the config file. They find the passwords, etc., in it are encrypted. They send them to SQL Server, and it asks them what they heck they are doing becuase it has no clue how to decrypt it. Security is still clean = Good.
The whole idea is that whatever code establishes the connection to SQL Server should be the same code as does the encryption/decryption. Then you just have to keep that code secure, and you're good to go.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
July 1, 2008 at 9:31 am
I have a C# web application and ran into the same predicament. Should I encrypt? I know nothing about encrypting/decrypting. And through some Google search, found some command already available that would encrypt just the connection string area of my web.config. I figured, 'Perfect!'. Then a co-worker told me, 'yeah, but if someone gets access to the server, there is nothing to keep them from running the same command to decrypt it.' The most simple way to do this is using a trusted connection:
|connectionStrings|
|add name="SQL" connectionString="Data Source=YourServerName;Initial Catalog=YourDatabaseName;Trusted_Connection=True"/|
|/connectionStrings|
(This editor does not like the greater than or less than characters even in the code tag so replace the pipes above with the corresponding greater than or less than symbol.)
When I'm in devlopment mode, I use a different connection string with the ID and password fully visible as it's only on my local machine.
In IIS on the production server, go to the properties for the web site, go to the Directory Security tab and make sure "Integrated Windows Authentication" is checked.
We configured this application almost 3 years ago so I'm not sure what other tweaks may have been done at that time.
Hope this helps.
Lisa
July 1, 2008 at 10:08 am
I've handled this problem before. I encrypted the passwords in the config file and then the application decrypted them before sending the result to SQL Server.
I also had no encryption experience. It wasn't that hard to do. I just followed the example code for Rijndael. Oh, wait, I still have that code. 🙂
OK, I looked at it. There were some gotchas, I guess it wasn't as easy as I remember it. I'll just post it. It's C# .NET 2.0.
I've pulled code from various places and stuffed it into new files, to which I had to give "txt" extensions to be allowed to attach them. One of those files is actually a console app. Rearrange into your framework as desired, adding library references as required.
I also removed the key and IV that I had initally generated. Nothing will work until you generate new ones and hard-code them in the indicated spots. Sorry I didn't keep the ad hoc code I used to generate them. (See help on Rijndael for info on generating random key and IV)
July 1, 2008 at 9:06 pm
Don't re-invent the wheel - the ASP.NET supports encrypting sections of the web.config using one of two methods (DPAPI or RSA), using the aspnet_iis.exe tool. Have a look here for pointers: http://weblogs.asp.net/scottgu/archive/2006/01/09/434893.aspx
The process is fairly simple - I'd recommend RSA for portability as you can export the cert needed for decryption and import it into multiple servers to allow them all to decrypt the same web.config (eg a web farm). The decryption process is transparent to your app - you reference the encrypted config section as if it was unencrypted and the config handler does the decryption for you, supplying you with the plaintext values. An attacker would need a copy of the encrypted web.config plus a copy of the cert to decrypt it.
Regards,
Jacob
July 2, 2008 at 10:02 am
Yes, ASP.NET does that. I had to invent my own wheel, though, because I was writing a Windows service app, there was no ASP nor IIS involved. I forgot about those capabilities. Thanks for remembering the context of the original question!
As for the code I wrote, why did the password have to be encrypted when the configuration file is only read from the server by the server? Corporate policy, of course.
Viewing 8 posts - 1 through 7 (of 7 total)
You must be logged in to reply to this topic. Login to reply