Wrox Programmer Forums: ASP.NET 2.0 Professional
#1
March 4th, 2007, 02:32 PM
Authorized User

Encrypt single column, where to store key

I'd like to encrypt a single column in a db table. I've got information on how to write the VB to encrypt and decrypt the table info before/after write/read. What I can't figure out is where to store the key for the encrypt/decrypt. Some alts:

1) in code - no real security...

2) in another DB...well, ok, behind an encrypted web.config config string, maybe, but a lot of overhead...

3) in web.config as a key/value pair (or in a "phony" config string)...this seems like it would be the best solution. I can see the different elements of this, but I'm not sure it will really work because I don't see how to decrypt the key/value pairs in the encrypted section of a web.config...

Any suggestions on how to do this would be appreciated, particularly alt 3, if it's possible.

Thanks!
#2
March 4th, 2007, 03:55 PM
Wrox Author (dparsons)

Why is in code no real security? I personally think, out of the 3 options listed, this would be the best.

Placing the key in code compiles the key into your site's DLL and, outside of decompiling the DLL, there is no real way to get at the key.

If, for example, the security of the web server was compromised, and someone stumbled upon your web directory, they could read the key directly from your config file ><

===========================================================
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
^^Took that from planoie's profile^^
^^Modified text taken from gbianchi profile^^
===========================================================
Technical Editor for: Professional Search Engine Optimization with ASP.NET
http://www.wiley.com/WileyCDA/WileyT...470131470.html
===========================================================
Why can't Programmers, program??
http://www.codinghorror.com/blog/archives/000781.html
===========================================================
#3
March 4th, 2007, 07:13 PM
Authorized User

Thanks for the input. I'm a very much newbie in this area so I'm doing a lot of this on incomplete models of how it all works and what the risks are.

Having said that, my thinking was that:

1) for the "code" solution, the weakness is that decompiling dlls is not "that" difficult (though it's all relative)

3) that -IF- the key/value pair in web.config could be encrypted, and -IF- the key/value pair could be decrypted in some automagic way, like configuration strings are, then that would be doubly safe... once behind the user login, and once behind the web.config encryption. Although I see a hole in the latter logic, which is that if the evil-doer can get access to the DLLs, they may be able to get access to the user/account/identity that encrypted the web.config, and simply decrypt it.

I think this is the main problem I'm running into in this space. I'm not understanding how to correlate the identity that installs ASPNET and the identity that encrypts the web.config file. I guess I need to ask a question about that in particular.
#4
March 4th, 2007, 08:00 PM
Wrox Author (dparsons)

1. If an evil-doer is able to get ahold of your DLL, they will be able to access your config file.
2. MD5 and SHA1 are one-way encryptions, ala, you can't decrypt them. (You could use Base64, but it is trivial to change a Base64 string back into the original string.)
3. In the case of the DLL, while it is trivial to decompile .NET DLLs, you could use obfuscation (Dotfuscator) to jumble your source code so that if decompilation is possible, your obfuscation may still be in place.
4. While it is possible to encrypt data that is relative to your application (connection strings, other keys, etc.), you can't encrypt the entire file as the runtime will not know what to do with it. (Although there may be a way around this that I am unaware of.)

#5
March 4th, 2007, 09:10 PM
Authorized User

I'm wondering if this below ("REFERENCE A") means that the encrypted <appSettings> key/value pairs are automagically decrypted and available, just like the config strings.

Guess I'll have to try it....

However, even if so, for this to be more effective than the key in the DLLs, it would mean that the evil-doer who got to the DLLs would not be able to decrypt the web.config...

But that gets into the question of the relationship between the user who operates the aspnet_regiis encrypt function and the "user" under which ASPNET is operating. And THAT is a central point of non-understanding for me, which I raise at this post...

http://p2p.wrox.com/topic.asp?TOPIC_ID=57158

--------------------------------------------
("REFERENCE A")

http://msdn2.microsoft.com/en-us/library/dtkwfdky.aspx

Accessing Decrypted Configuration Settings

ASP.NET automatically decrypts the contents of the Web.config file when it processes the file. Therefore, no additional steps are required to decrypt the encrypted configuration settings for use by other ASP.NET features or to access the values in your code. However, you can follow these steps, if you want to view the decrypted settings.
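The following is an added example, not code from the thread or from any Wrox book: it shows alternative 3 end to end in VB.NET for ASP.NET 2.0. It protects the `<appSettings>` section from code (the same thing `aspnet_regiis -pe` does), reads the key back through `ConfigurationManager.AppSettings` exactly as "REFERENCE A" describes (no extra decryption step), and uses that key to encrypt and decrypt a single column value before the write and after the read. The setting name `ColumnKey`, the 32-byte Base64 key it holds, and the `"~"` application root are assumptions constructed for this example. The column cipher is AES-256-CBC with a fresh IV per row and no integrity check, so a tampered row decrypts to garbage rather than being rejected; add an HMAC over the stored value if that matters for your table.

```vb
Imports System
Imports System.Configuration
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text
Imports System.Web.Configuration

' Added example, not from the thread. Assumptions (constructed for this example):
'   * Web.config has an <appSettings> entry "ColumnKey" holding a Base64 32-byte key,
'     generated once with NewKeyBase64() and pasted in before the section is protected.
'   * The site is an ASP.NET 2.0 application rooted at "~" (needed by OpenWebConfiguration).
Public Class ColumnCrypto

    Private Const KeySettingName As String = "ColumnKey"

    ' Generate a random 32-byte key, Base64 encoded, to paste into <appSettings> once.
    Public Shared Function NewKeyBase64() As String
        Dim key(31) As Byte
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(key)
        Return Convert.ToBase64String(key)
    End Function

    ' Protect <appSettings> with the machine-scope DPAPI provider. Same effect as:
    '   aspnet_regiis -pe "appSettings" -app "/YourApp" -prov "DataProtectionConfigurationProvider"
    ' Returns True when the section is protected after the call.
    Public Shared Function ProtectAppSettings() As Boolean
        Dim config As Configuration = WebConfigurationManager.OpenWebConfiguration("~")
        Dim section As ConfigurationSection = config.GetSection("appSettings")
        If Not section.SectionInformation.IsProtected Then
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")
            section.SectionInformation.ForceSave = True
            config.Save(ConfigurationSaveMode.Modified)
        End If
        Return section.SectionInformation.IsProtected
    End Function

    ' Read the key. This code is identical whether the section is plaintext or protected:
    ' ASP.NET decrypts protected sections before AppSettings is populated ("REFERENCE A").
    Public Shared Function LoadKey() As Byte()
        Dim b64 As String = ConfigurationManager.AppSettings(KeySettingName)
        If String.IsNullOrEmpty(b64) Then
            Throw New ConfigurationErrorsException("appSettings/" & KeySettingName & " is missing")
        End If
        Dim key As Byte() = Convert.FromBase64String(b64)
        If key.Length <> 32 Then
            Throw New ConfigurationErrorsException(KeySettingName & " must decode to 32 bytes")
        End If
        Return key
    End Function

    ' AES-256 in CBC mode with PKCS7 padding (RijndaelManaged is what .NET 2.0 ships).
    Private Shared Function NewCipher(ByVal key As Byte()) As RijndaelManaged
        Dim aes As New RijndaelManaged()
        aes.KeySize = 256
        aes.BlockSize = 128
        aes.Mode = CipherMode.CBC
        aes.Padding = PaddingMode.PKCS7
        aes.Key = key
        Return aes
    End Function

    ' Encrypt one column value before the write. Stored form is Base64(IV || ciphertext),
    ' which fits a varchar column. A fresh IV per row keeps equal plaintexts from producing
    ' equal ciphertexts, so nobody can spot duplicate values by looking at the table.
    Public Shared Function EncryptColumn(ByVal plaintext As String, ByVal key As Byte()) As String
        Using aes As RijndaelManaged = NewCipher(key)
            aes.GenerateIV()
            Using ms As New MemoryStream()
                ms.Write(aes.IV, 0, aes.IV.Length)
                Using cs As New CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write)
                    Dim data As Byte() = Encoding.UTF8.GetBytes(plaintext)
                    cs.Write(data, 0, data.Length)
                    cs.FlushFinalBlock()
                    Return Convert.ToBase64String(ms.ToArray())
                End Using
            End Using
        End Using
    End Function

    ' Decrypt one column value after the read; rejects blobs that cannot be IV || ciphertext.
    Public Shared Function DecryptColumn(ByVal stored As String, ByVal key As Byte()) As String
        Dim blob As Byte() = Convert.FromBase64String(stored)
        If blob.Length < 32 OrElse (blob.Length Mod 16) <> 0 Then
            Throw New CryptographicException("stored value is not IV || ciphertext")
        End If
        Using aes As RijndaelManaged = NewCipher(key)
            Dim iv(15) As Byte
            Array.Copy(blob, 0, iv, 0, 16)
            aes.IV = iv
            Using decryptor As ICryptoTransform = aes.CreateDecryptor()
                Dim plain As Byte() = decryptor.TransformFinalBlock(blob, 16, blob.Length - 16)
                Return Encoding.UTF8.GetString(plain)
            End Using
        End Using
    End Function

    ' Convenience overloads that take the key from the (protected) config section.
    Public Shared Function EncryptColumn(ByVal plaintext As String) As String
        Return EncryptColumn(plaintext, LoadKey())
    End Function

    Public Shared Function DecryptColumn(ByVal stored As String) As String
        Return DecryptColumn(stored, LoadKey())
    End Function
End Class
```

Typical use is `ColumnCrypto.EncryptColumn(value)` in the data-access code just before the INSERT/UPDATE and `ColumnCrypto.DecryptColumn(row("SecretColumn"))` after the SELECT. Protecting the section can be done once from the command line instead of from code (`aspnet_regiis -pe "appSettings" -app "/YourApp"`; `-pd` reverses it), and in either case the application code that reads the key does not change. One caveat that bears on the "hole" raised in post #3: `DataProtectionConfigurationProvider` defaults to machine scope (`useMachineProtection="true"`), so the encrypted section keeps the key from anyone who copies Web.config off the box, but any code running on that machine can ask ASP.NET to decrypt it.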
#6
March 4th, 2007, 10:00 PM
Wrox Author (dparsons)

it depends.

The aspnet_wp.exe process (which executes ASP.NET files) will run under the account defined in the Machine.config file (normally this is SYSTEM)

The account that requests ASP files from IIS depends on your IIS settings. It can be IWAM_MACHINENAME, ASPNET, NETWORK SERVICE, or, if you are using Windows authentication, it will be that user.

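Because the worker-process account varies with the IIS version and application-pool settings (on IIS 6 the process is w3wp.exe running as the pool identity, NETWORK SERVICE by default), the practical approach is to let the application report which account it actually runs under and whether that account can decrypt the protected section. The class below is an added example, not code from the thread; it assumes `<appSettings>` has already been protected and contains an entry named `ColumnKey` (a constructed name). It separates the two identities post #6 describes: the Windows account the process runs as, which is the one that must be able to open the DPAPI or RSA key, and the account IIS attributes to the request.

```vb
Imports System
Imports System.Configuration
Imports System.Security.Principal
Imports System.Web

' Added example, not from the thread. Assumes a protected <appSettings> section that
' contains an entry named "ColumnKey" (constructed name for this example).
Public Class ConfigIdentityProbe

    ' The Windows account the current thread runs as. Outside of impersonation this is the
    ' worker-process account, and it is the account that has to be able to use the key that
    ' protects the configuration section.
    Public Shared Function ProcessAccount() As String
        Return WindowsIdentity.GetCurrent().Name
    End Function

    ' The account IIS/ASP.NET attributes to the request: the Windows-authenticated user,
    ' or anonymous. This is NOT the account that decrypts Web.config.
    Public Shared Function RequestAccount() As String
        Dim ctx As HttpContext = HttpContext.Current
        If ctx Is Nothing OrElse ctx.User Is Nothing OrElse Not ctx.User.Identity.IsAuthenticated Then
            Return "(anonymous)"
        End If
        Return ctx.User.Identity.Name
    End Function

    ' Forces decryption of <appSettings> under the current process identity and reports the
    ' outcome. A ConfigurationErrorsException here is what you get when the section was
    ' encrypted with RsaProtectedConfigurationProvider and the worker-process account has not
    ' been granted access to the RSA key container.
    Public Shared Function CanDecryptAppSettings(ByRef detail As String) As Boolean
        Try
            Dim value As String = ConfigurationManager.AppSettings("ColumnKey")
            If value Is Nothing Then
                detail = "section decrypted as " & ProcessAccount() & ", but ColumnKey is absent"
                Return False
            End If
            detail = "section decrypted as " & ProcessAccount()
            Return True
        Catch ex As ConfigurationErrorsException
            detail = "decryption failed as " & ProcessAccount() & ": " & ex.Message
            Return False
        End Try
    End Function
End Class
```

Dropping these three calls into a diagnostics page (for example, `Response.Write` of `ProcessAccount()`, `RequestAccount()` and the `detail` string from `CanDecryptAppSettings`) answers the open question in post #5 for a given server. With the DPAPI provider in its default machine scope, the account that ran `aspnet_regiis -pe` and the account ASP.NET runs as do not need to match, because the key is bound to the machine rather than the user. With the RSA provider they are linked through the key container: the worker-process account must be granted read access to it, which is what `aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"` does for the default container and the default IIS 6 pool identity.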
#7
March 4th, 2007, 11:02 PM
Authorized User

Thanks for the input. I had a conversation with an associate who went through a similar decision process and he said put the key in the code, it will be very hard to find. So, that's two highly qualified votes for that option... it gets the nod. The other alt of hiding the key in web.config is not needed and so, while interesting, falls off the attention list... (Whap! That's it hitting the floor!)

Thanks much for your help on this. Much improved understanding of this area.
#8
March 4th, 2007, 11:09 PM
Wrox Author (dparsons)

Glad you got it all sorted out, glad to be of service! ^^


All times are GMT -4.