.net - Leveraging MachineKey For Encrypting Own Data?

Sep 10, 2010

I have some data I want to encrypt in an ASP.NET MVC application to prevent users from tampering with it. I can use the Cryptography classes to do the actual encryption/decryption, no problem there. The main problem is figuring out where to store the encryption key and managing changes to it.

Since ASP.NET already maintains a machineKey for various things (ViewData encryption, etc), I was wondering if there were any ASP.NET functions which let me encrypt/decrypt my own data using the machineKey? This way I would not have to devise my own key management system.


Similar Messages:

Web Forms :: Machinekey With Explicit Validationkey?

Dec 2, 2010

I had an "Invalid viewstate" error in my application; I found out it's caused by worker process recycling, so I generated a <machinekey> section with an explicit validationkey. Refer to this link: [URL]

My questions are:

1. I have the application installed on dev, qa, stg and prd servers. Should I use the machinekey with the same (or different) validationkey for all the servers? I think it shouldn't matter because the servers are independent from each other.

2. Where should I put the <machinekey> section, machine.config or individual application level's web.config? There are multiple applications on the server.

If I put it at the application level, does that mean other applications still may have the same "Invalid viewstate" error?

If I put it at the application level, should I add the <machinekey> section for all the other applications using the same validationkey?


SQL Server :: Encrypting Data In Sql 2008

Jan 27, 2011

When I use a symmetric key for encrypting data in SQL Server using the encryptbykey() function on a column of a table.

For example, I use the following code:

create symmetric key symkey
with algorithm=Triple_des
encryption by password='abc_1234!!!'

After this I am required to open the key and then use the function to encrypt data, but...

How exactly is the key generated, and how is the password used internally for encrypting data? What role does the algorithm play here? I would like to know the proper mechanism of it. Bit confused about the keys concept.


Security :: Encrypting And Decrypting Data

Aug 24, 2010

I have a web application in which I want to encrypt the data using a public key, and when it reaches the destination web application it will be decrypted there with the corresponding private key. Is there any way of creating this pair of keys?


MachineKey Config Section Default Location?

Sep 21, 2010

Where do I find the machineKey config section for ASP.NET?

I don't have one in my application Web.config, there isn't one in the root Web.config and there isn't one in my machine.config.

Does this mean there is some other default hardcoded into ASP.NET? If so, what are the defaults? (For .NET 2 and 4)

Having read this: [URL]

I was expecting to find something like this, somewhere:


Edit: the 1.1 docs seem fairly clear wrt default values: [URL] but the 4 docs are rather ambiguous [URL]


How To Modify MachineKey For Session State Server

Jul 20, 2010

I'm trying to implement a SessionState server to allow multiple web servers to share the same state. At first this will be the different dev machines, and later it'll be the different web servers in the web farm.

So far, I'm making good progress I think, but one of the requirements has me confused. In order to implement this, I need to make sure that all web servers are using the same machine key.

This is a sample MachineKey taken from my local dev machine:


If we have a Session State Server deployed locally, do I need to ensure that all other machines using this service (specifically, the other devs working on the same project, and then when we deploy to the web farm) have the exact same entry in their Machine.Config files?

Or do I have to somehow generate a new machine key that can apply to all the machines?


Security :: Membership, Password Hashes And MachineKey?

Jun 29, 2010

I have a question about the encryption key/keys the standard ASP.NET Membership provider uses for creating the password hashes. Although we haven't deployed this new system we are working on yet, we might switch servers in the future. So I thought it might be a good idea to specify the encryption key/keys in the web.config file to avoid any problems with mismatched hashes if we do switch servers.

We use the standard ASP.NET Membership provider ("AspNetSqlMembershipProvider"), passwordFormat is set to "Hashed" and we use Forms authentication. The current web.config file initially did not have any machineKey element. I used the web application and had registered and thus created an account and the hash of my password is stored in one of the aspnet_* tables.

Then I created a machineKey element in the web.config file, and specified validationKey, decryptionKey, validation and decryption attributes. I had expected not to be able to log in with my password anymore, but I was surprised that I could still do so with the existence of the new machineKey specifying new encryption keys.

So - why can I still log in? Does the AspNetSqlMembershipProvider not use the encryption keys specified in machineKey?


Configuration :: Theoretical Problem When Encrypting Machinekey

Mar 6, 2010

I encrypt my machinekey with aspnet_regiis. The problem is on these lines in web.config.


On the first line: The 'configProtectionProvider' attribute is not declared. On the second line: The element 'machinekey' cannot contain child element 'http://www.w3.org/2001/04/xmlenc#Element:Encrypteddata' because the parent element content model is empty. I've read that it has something to do with IntelliSense and the application will work OK.


Security :: Encrypting / Decrypting Data At Runtime

Feb 18, 2010

I have a problem hopefully someone out there will steer me in the right direction.

I have a web application that I am going to put on a standalone CD - currently the data is "Safe" because the database is in the app folder and the code is located in the codebehind.

My problem is I'm putting this on a CD as a standalone site, anyone can access the database, or find the XML....

Is there a way to generate an encrypted Database / XML Page, that is compiled with the CD, that the program can decrypt and access with an embedded key?


C# - How To Retain Carriage Returns After Encrypting Data

Apr 9, 2010

I have this following setup, a textarea named with some data in it that may have carriage returns and another textarea that has style='display:none' in order to make it hidden as follows:

<textarea id="myTextarea" onBlur="encryptMyData()">


Setup Identical <machinekey /> Sections On Each Server's .config File?

Mar 2, 2010

We have a scenario using ASP.NET Forms Authentication in a web farm and need to set up identical <machinekey /> sections in each server's .config file.

Is it better to store the <machinekey /> section in machine.config rather than web.config? What are the advantages and disadvantages of each approach concerning security?

<machineKey validationKey="[keyhere]"
decryptionKey="[keyhere]" validation="SHA1" />

If it's not secure enough, is there any way to encrypt the <machinekey /> section like we encrypt our connection strings (with DPAPI)? (http://msdn.microsoft.com/en-us/library/ms998280.aspx)


Adding MachineKey To Web.config On Web-farm Sites / Padding Is Invalid And Cannot Be Removed

Oct 4, 2010

We (our IT partner really) recently changed some DNS for a web farmed site we have so that the two production servers have round-robin DNS switching between the two. Prior to this switch we didn't really have problems with WebResource.axd files. Since the switch, when we hit the live public URL, we get an error:


Padding is invalid and cannot be removed.

When we hit the specific servers themselves, they load fine. I've researched the issue and it seems since they're sharing assets between two servers, we need to have a consistent machineKey in the web.config for each server so they can encrypt and decrypt consistently between the two. My questions are:

Can I generate a machineKey via a tool on the server, or do I need to write code to do this?

Do I just need to add the machineKey to the web.config on each server or do you think I'll need to do anything else to make the two servers work together? (Both web.configs currently do not have a machineKey)


Encrypting Existing Passwords?

Aug 5, 2010

found while searching for help on my ASP.NET application. I have a small application connected to a SQL database. As it was so small, and contained very little data of any importance, I had set it up with Clear passwords. Now I have been asked to expand the database considerably, and encrypted passwords are now required. I can easily modify the web.config so all future users are set up with encrypted passwords. But is there any way to change all existing users' passwords to be stored encrypted?


Hashing Vs. Encrypting Passwords?

Feb 9, 2011

I'm using ASP.NET membership for a site that will serve primarily sophisticated users. I understand the difference between hashed and encrypted passwords, and I'm trying to decide between the two. After my last client complained bitterly about hashed passwords being a total PITA, I've started to favor encrypted passwords. But someone suggested this just isn't secure enough.

So my question is: What, exactly are the risks of encrypting passwords? Any person with the ability to steal passwords by decrypting them from the database would surely have the ability to reset them if they were hashed, no? I'm having trouble seeing where someone could cause trouble with encrypted passwords but couldn't with hashed ones. Making it convenient for users is also important.


Security :: Password Encrypting?

Oct 12, 2010

I have been trying to encrypt a password and found some code which is working fine with Access, but as I have changed to SQL it is not decoding the encrypted text. It amazes me. This SQL code is not letting me log on:


Whereas this OleDb/Access is working fine:



Configuration :: Encrypting Only ConnectionString?

Aug 24, 2010

I'm working on an already built ASP.NET web application. In the web.config, for the connectionString section, I have seen this:

<add name="MyConnectionString" connectionString="3abcde12n3kd03kldwqaswe45tdw4fo23003ld3ddfot0lkdpe2d" providerName="System.Data.SqlClient"/>

Can anyone tell me how this encryption is done? I know the standard way of encrypting using aspnet_regiis.exe, which replaces the entire connectionString section of the web.config.


Encrypting/decrypting Cookies In .NET 2.0 (C#)

Apr 4, 2011

Would someone please guide me on how to encrypt and decrypt cookies in ASP.NET 2.0?


Security :: Encrypting Section In Web.config?

May 3, 2010

I am wondering how to encrypt the below information in the "web.config" file of the "Account" folder (where we have the secured pages):


My issue here is that even after I compiled my application (using "aspnet_compiler -v /reports c:\reports"), the information inside the web.config file of the Account folder is still not encrypted, and I want to publish my site to the customer server. So, since this server is a customer server, then they can access this "web.config" file and change our web-application security behaviour (correct me if I am wrong). Basically, I don't want the customer to even have access to our secured pages when they access our web-application using the web browser. How to solve this issue?


Encrypting Custom Sections Of A Web.config?

Aug 17, 2010

I used the article Creating a Flexible Configuration Section Handler to create a Flexible Configuration Section Handler in my application.

I also saw this article entitled Encrypting Custom Configuration Sections on the OdeToCode blog, on how to encrypt portions of a web.config file.

From the first article, we have this web.config code.



Configuration :: Encrypting Sections Of The Web.config?

Aug 26, 2010

I am getting the error "An error occurred loading a configuration file: Access to the path is denied."

When I am in VS 2010, I can Encrypt as long as I run as administrator. Code as follows:


My problem is I need to run this in IIS. What is stopping me? It's a permission problem, but what permission? I am running IIS 7.5 on Windows 7. This is happening on my production server as well. Same error.


Security - Encrypting Web Configuration Sections In 3.5?

Mar 9, 2010

Are there any tools available to encrypt and decrypt ASP.NET Web configuration sections like connection string, etc.?

Can I get any add-on for this? If I use Enterprise Library I can do so, but without that is there any simple utility available?


Encrypting Foreign Keys From Database?

Nov 7, 2010

I just came across some code that seems to encrypt database keys prior to sending them to the client (WebBrowser, Silverlight, etc).

To illustrate, suppose you have a list of students to extra-curricular activities, and a relationship defined between them. Every time the data is written out to the ASPX page, the studentID and activityID are encrypted. Every time a write or modify is made, this value is sent back to the server, decrypted, and saved to the database.

What could be the reasons to expose data this way? Is this a normal practice?


C# - Encrypting ConnectionStrings In A Web.config File?

Feb 4, 2011

Any section in my web.config file that I want to encrypt I run this command line util:

aspnet_regiis -pe "anySection" -app "/SampleApplication"

It all works just fine until I try to encrypt my connectionStrings section.

I define (and I cannot change this) my connectionStrings section like this:


Is there a way of doing this using the aspnet_regiis util? Doing it with code is not an option for me.

Also, is there a way to run this utility without specifying the application (-app "/SampleApplication"), instead giving the path to the web.config file?


Security :: Encrypting With An X509 Certificate.

Mar 14, 2011

I have created an x509 certificate that is in the file :

I am trying to access the public key to encrypt some plain text.

The system is throwing a "System.ArgumentOutOfRangeException" at the line

Dim certificate As X509Certificate2 = certificateCollection(0)

Can anyone tell me where I am going wrong or tell me another way to access the public key?

This is the complete code:
Imports System.Security
Imports System.Security.Cryptography.X509Certificates
Imports System.Security.Cryptography.X509Certificates.X509Certificate2
Imports System.Security.Cryptography.Pkcs
Imports System.Text

Partial Class encryptwithcertificare
    Inherits System.Web.UI.Page

    Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim encoding As UTF8Encoding = New UTF8Encoding
        Dim cleartext As String = Textbox1.Text
        ' The store is constructed here but is not opened before the lookup.
        Dim myStore As X509Store = New X509Store()
        Dim certificateCollection As X509Certificate2Collection = myStore.Certificates.Find(X509FindType.FindBySubjectName, "bobby", True)
        ' Line reported above as throwing System.ArgumentOutOfRangeException.
        Dim certificate As X509Certificate2 = certificateCollection(0)
        Dim code() As Byte = EncryptwithCertificate(cleartext, certificate)
        Label1.Text = Convert.ToBase64String(code)
    End Sub

    ' Wraps the UTF-8 bytes of cleartext in a CMS envelope for the certificate's public key.
    Shared Function EncryptwithCertificate(ByVal cleartext As String, ByVal certificate As X509Certificate2) As Byte()
        Dim encoding As UTF8Encoding = New UTF8Encoding
        Dim cleartextsbyte() As Byte = encoding.GetBytes(cleartext)
        Dim contentinfo As ContentInfo = New ContentInfo(cleartextsbyte)
        Dim envelopedCms As EnvelopedCms = New EnvelopedCms(contentinfo)
        Dim recipient As CmsRecipient = New CmsRecipient(certificate)
        ' Encrypt for the recipient before encoding; Encode() fails on an unencrypted message.
        envelopedCms.Encrypt(recipient)
        Return envelopedCms.Encode()
    End Function
End Class


Security :: Encrypting And Decrypting Password?

Apr 22, 2010

I want to encrypt the password entered by the user.... How do I go about it? Is there any built-in function for it or will I be required to write code for it?

