Managing Configuration Data Programmatically in ASP.NET 2.0
page 3 of 6
by SANJIT SIL
Feedback
Average Rating: 
Views (Total / Last 10 Days): 34566/ 91

Using Encryption

Encrypting an entire section of a configuration file is a simple task with the .NET 2.0 configuration API. There are many configuration areas where sensitive and secret information may appear; for example, we can put database usernames and passwords in the <connectionStrings>, when we need the runtime to impersonate a fixed identity we often keep a username and password in the <identity> section. Whenever secrets like these appear, we should consider encrypting the section instead of leaving the secrets and sensitive information in plain text.

It should be noted that the following sections can not be encrypted using protected configuration:

<processModel>

<runtime>

<mscorlib>

<startup>

<system.runtime.remoting>

<configProtectedData>

<satelliteassemblies>

<cryptographySettings>

<cryptoNameMapping>

<cryptoClasses>

We have to use the Aspnet_setreg.exe tool if we want to encrypt the abovementioned section. This tool we can find under the ASP.NET installation path. It is really easy to protect (encrypt) and unprotect (decrypt) an entire configuration section. We do not need to decrypt a section in order to read configuration settings from the section. The runtime will read the encrypted data and perform the decryption necessary for our application to read the plain text values. In the following code listing we will see how we can encrypt a section data and decrypt the same using WebConfigurationManager - related classes.

Listing 4

<appSettings>
  <add key="Confidentialkey" value="sanjit9999900000000" />
</appSettings> 

To illustrate the encrypt and decrypt data in section two buttons namely btnEncrypt and btnDecrypt are added in a test page:

Listing 5

protected void  btnEncrypt_Click(object sender, EventArgs e)
{
        Encrypt("appSettings",
        "DataProtectionConfigurationProvider");
 
}
protected void  btnDecrypt_Click(object sender, EventArgs e)
{
        Decrypt("appSettings");
}
 
 
private void Encrypt(string sectionName,
                                   string provider)
{
    Configuration config =
        WebConfigurationManager.
            OpenWebConfiguration(Request.ApplicationPath);
 
    ConfigurationSection section =
                 config.GetSection(sectionName);
 
    if (section != null &&
              !section.SectionInformation.IsProtected)
    {
        section.SectionInformation.ProtectSection(provider);
        config.Save();
    }
}
 
private void Decrypt(string sectionName)
{
    Configuration config =
        WebConfigurationManager.
            OpenWebConfiguration(Request.ApplicationPath);
 
    ConfigurationSection section =
              config.GetSection(sectionName);
 
    if (section != null &&
          section.SectionInformation.IsProtected)
    {
        section.SectionInformation.UnprotectSection();
        config.Save();
    }
}

So there is two buttons which are showing how to encrypt and decrypt section data on fly.

In the following code listing we can see how the application setting data looks like after encryption.

Listing 6

<appSettings configProtectionProvider="DataProtectionConfigurationProvider"> 
<EncryptedData>
<CipherData> 
<CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA73ohmg84YUKbVjbcXs6jCQQAAAACAAAAAAADZ
gAAqAAAABAAAAD6QbBeUN2Ri0Rjc+jxzF/bAAAAAASAAACgAAAAEAAAAAKUxQ1g3ZGpRK0PVCmG717AAAA
Aj7x96pMed9vhi7reOt765j6u/0rxcA3GW8XWT8M5ejtW9zuNMI4K0Hx+2IU/1Q9ZY1tSn+nv1WWCUsAr2
w0be1CCY5aWBFe/QQssnpUTrRVAPa+W7VyTQ+HJDWiH1NKuu63OLpmEqBCXe4EUJC42UaGHUV5bCKYaSgM
XeP+QKjR46AkOLmMod8SxrA2moOvIbIRIduufv0d5eRKj0AgSFLtOPECj7NeRfXce/FqLelQno0ZSSQ0xd
yGnq07O6YbHFAAAACPjEY/EbhvBAwnuR/yG/2p7In1w</CipherValue>
</CipherData>
</EncryptedData>
</appSettings>

Listing 7

<connectionStrings>
    <add name="pubs" 
      connectionString="localhost;integrated security=true;database=pubs;" />
  </connectionStrings>

The above code listing is showing connectionStrings related data before encryption.

In the following code listing we can see how connectionStrings related data looks like after encryption. We can notice that the configuration API has added some additional information and the section contains a cipher Value instead of plain text connection strings

Listing 8

<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
<CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA73ohmg84YUKbVjbcXs6jCQQAAAACAAAAAAADZ
gAAqAAAABAAAAAwxh6BaZAyLKa8vBjTomZkAAAAAASAAACgAAAAEAAAAFRvsDBGI7d90o/cWOUoGPAQAQA
AeCkgDXGISNyrSJfVCWz+t7WU9lf1gkupFRFJYfebeEIzjfTHQ/MC6SD75t0qgrE89LbHpDgstfMxpxUSn
QZ1ep9V5ZmoLOwf+DyBeIlsIb5hw4k8MQwORuSXABtO5xfDTJEd/kaFtIFnzfAjx/nbGXx2HNu5YzXkQ7V
5BaK44Jd3R44jTl8dqMcWLZsUdKj4dy/PiXLr+qCfpkKUeGZKnSAPwjoFZ8a6BKs0rAhNWl6k6Pev+/tuL
cyOlYZhJ7CXLgKGq4dEM4e8bYs7EwJMvKR/GbHmhkoFSQKu1orQI/Sv6c0Anyggy/riaRRb6N2nksa2mO4
OMdZfI5z/uh5HA0JxZSQ+P7G8BeuGKoPfiL0UAAAAVZyDYYrci5shlEyvRHo0IIRxMtI=</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
 

It should be noted that we cannot tell anything about the encrypted data, including the number of settings, the key names of settings, or their data types.


View Entire Article

User Comments

No comments posted yet.

Product Spotlight
Product Spotlight 





Community Advice: ASP | SQL | XML | Regular Expressions | Windows


©Copyright 1998-2018 ASPAlliance.com  |  Page Processed at 2018-11-14 9:06:38 PM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search