.net - Leveraging MachineKey For Encrypting Own Data?
Sep 10, 2010
I have some data I want to encrypt in an ASP.NET MVC application to prevent users from tampering with it. I can use the Cryptography classes to do the actual encryption/decryption, no problem there. The main problem is figuring out where to store the encryption key and managing changes to it.
Since ASP.NET already maintains a machineKey for various things (ViewData encryption, etc), I was wondering if there were any ASP.NET functions which let me encrypt/decrypt my own data using the machineKey? This way I would not have to devise my own key management system.
View 2 Replies
Similar Messages:
Dec 2, 2010
I had an "Invalid viewstate" error in my application; I found out it's caused by worker process recycling, so I generated a <machinekey> section with an explicit validationkey. Refer to this link: [URL] My questions are: 1. I have the application installed on dev, qa, stg and prd servers. Should I use the machinekey with the same (or different) validationkey for all the servers? I think it shouldn't matter because the servers are independent from each other.
2. Where should I put the <machinekey> section, machine.config or individual application level's web.config? There are multiple applications on the server.
If I put it at the application level, does that mean other applications still may have the same "Invalid viewstate" error?
If I put it at the application level, should I add the <machinekey> section for all the other applications using the same validationkey?
View 1 Replies
Jan 27, 2011
When I use a symmetric key for encrypting data in SQL Server using the encryptbykey() function on a column of a table
For example, I use the following code:
create symmetric key symkey
with algorithm=Triple_des
encryption by password='abc_1234!!!'
GO
After this I need to open the key and then use the function to encrypt data, but...
How exactly is the key generated, and how is the password used internally for encrypting data? What role does the algorithm play here? I would like to know the proper mechanism of it. A bit confused about the keys concept.
View 2 Replies
Aug 24, 2010
I have a web application in which I want to encrypt the data using a public key, and when it reaches the destination web application it will be decrypted there with the corresponding private key. Is there any way to create this pair of keys?
View 3 Replies
Sep 21, 2010
Where do I find the machineKey config section for ASP.NET?
I don't have one in my application Web.config, there isn't one in the root Web.config and there isn't one in my machine.config.
Does this mean there is some other default hardcoded into ASP.NET? If so, what are the defaults? (For .NET 2 and 4)
Having read this: [URL]
I was expecting to find something like this, somewhere:
<machineKey
validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
/>
Edit: the 1.1 docs seem fairly clear wrt default values: [URL] but the 4 docs are rather ambiguous [URL]
View 1 Replies
Jul 20, 2010
I'm trying to implement a SessionState server to allow multiple web servers to share the same state. At first this will be the different dev machines, and later it'll be the different web servers in the web farm.
So far, I'm making good progress I think, but one of the requirements has me confused. In order to implement this, I need to make sure that all web servers are using the same machine key.
This is a sample MachineKey taken from my local dev machine:
[Code]....
If we have a Session State Server deployed locally, do I need to ensure that all other machines using this service (specifically, the other devs working on the same project, and then when we deploy to the web farm) have the exact same entry in their Machine.Config files?
Or do I have to somehow generate a new machine key that can apply to all the machines?
View 2 Replies
Jun 29, 2010
I have a question about the encryption key/keys the standard ASP.NET Membership provider uses for creating the password hashes. Although we haven't deployed this new system we are working on yet, we might switch servers in the future. So I thought it might be a good idea to specify the encryption key/keys in the web.config file to avoid any problems with mismatched hashes if we do switch servers. We use the standard ASP.NET Membership provider ("AspNetSqlMembershipProvider"), passwordFormat is set to "Hashed" and we use Forms authentication. The current web.config file initially did not have any machineKey element. I used the web application and had registered and thus created an account and the hash of my password is stored in one of the aspnet_* tables. Then I created a machineKey element in the web.config file, and specified validationKey, decryptionKey, validation and decryption attributes. I had expected not to be able to log in with my password anymore, but I was surprised that I could still do so with the existence of the new machineKey specifying new encryption keys. So - why can I still log in? Does the AspNetSqlMembershipProvider not use the encryption keys specified in machineKey?
View 7 Replies
Mar 6, 2010
I encrypt my machinekey with aspnet_regiis. The problem is on these lines in web.config.
[Code]....
On the first line: The 'configProtectionProvider' attribute is not declared. On the second line: The element 'machinekey' cannot contain child element 'http://www.w3.org/2001/04/xmlenc#Element:Encrypteddata' because the parent element content model is empty. I've read that it has something to do with IntelliSense and the application will work OK.
View 2 Replies
Feb 18, 2010
I have a problem hopefully someone out there will steer me in the right direction.
I have a web application that I am going to put on a standalone CD - currently the data is "Safe" because the database is in the app folder and the code is located in the codebehind.
My problem is I'm putting this on a CD as a standalone site, anyone can access the database, or find the XML....
Is there a way to generate an encrypted Database / XML Page, that is compiled with the CD, that the program can decrypt and access with an embedded key?
View 1 Replies
Apr 9, 2010
I have this following setup, a textarea named with some data in it that may have carriage returns and another textarea that has style='display:none' in order to make it hidden as follows:
<textarea id="myTextarea" onBlur="encryptMyData()">
View 3 Replies
Mar 2, 2010
We have a scenario using ASP.NET Forms Authentication in a web farm and need to set up identical <machinekey /> sections in each server's .config file.
Is it better to store the <machinekey /> section in machine.config rather than web.config? What are the advantages and disadvantages of each approach concerning security?
<machineKey validationKey="[keyhere]"
decryptionKey="[keyhere]" validation="SHA1" />
If it's not secure enough, is there any way to encrypt the <machinekey /> section like we encrypt our connection strings (with DPAPI)? (http://msdn.microsoft.com/en-us/library/ms998280.aspx)
View 1 Replies
Oct 4, 2010
We (our IT partner really) recently changed some DNS for a web farmed site we have so that the two production servers have round-robin DNS switching between the two. Prior to this switch we didn't really have problems with WebResource.axd files. Since the switch, when we hit the live public URL, we get an error:
CryptographicException
Padding is invalid and cannot be removed.
When we hit the specific servers themselves, they load fine. I've researched the issue and it seems since they're sharing assets between two servers, we need to have a consistent machineKey in the web.config for each server so they can encrypt and decrypt consistently between the two. My questions are:
Can I generate a machineKey via a tool on the server, or do I need to write code to do this?
Do I just need to add the machineKey to the web.config on each server or do you think I'll need to do anything else to make the two servers work together? (Both web.configs currently do not have a machineKey)
View 2 Replies
Aug 5, 2010
found while searching for help on my ASP.NET application. I have a small application connected to a SQL database. As it was so small, and contained very little data of any importance, I had set it up with Clear passwords. Now I have been asked to expand the database considerably, and encrypted passwords are now required. I can easily modify the web.config so all future users are set up with encrypted passwords. But is there any way to change all existing users' passwords to be stored encrypted?
View 10 Replies
Feb 9, 2011
I'm using ASP.NET membership for a site that will serve primarily sophisticated users. I understand the difference between hashed and encrypted passwords, and I'm trying to decide between the two. After my last client complained bitterly about hashed passwords being a total PITA, I've started to favor encrypted passwords. But someone suggested this just isn't secure enough. So my question is: What, exactly, are the risks of encrypting passwords? Any person with the ability to steal passwords by decrypting them from the database would surely have the ability to reset them if they were hashed, no? I'm having trouble seeing where someone could cause trouble with encrypted passwords but couldn't with hashed ones. Making it convenient for users is also important.
View 4 Replies
Oct 12, 2010
I have been trying to encrypt passwords and found some code which works fine with Access, but since I changed to SQL it is not decoding the encrypted text. It amazes me. This SQL code is not letting me log on.
[Code]....
Whereas this OleDB/Access code is working fine
[Code]....
View 4 Replies
Aug 24, 2010
I'm working on an already built ASP.NET web application. In the web.config, in the connectionString section, I have seen this:
<add name="MyConnectionString" connectionString="3abcde12n3kd03kldwqaswe45tdw4fo23003ld3ddfot0lkdpe2d" providerName="System.Data.SqlClient"/>
Can anyone tell me how this encryption is done? I know the standard way of encrypting using aspnet_regiis.exe, which replaces the entire connectionString section of the web.config.
View 4 Replies
Apr 4, 2011
Would someone please guide me on how to encrypt and decrypt cookies in ASP.NET 2.0?
View 1 Replies
May 3, 2010
I am wondering how to encrypt the below information in the "web.config" file of the "Account" folder (where we have the secured pages):
[Code]....
My issue here is that even after I compiled my application (using "aspnet_compiler -v /reports c:\reports"), the information inside the web.config file of the Account folder is still not encrypted, and I want to publish my site to the customer server. So, since this server is a customer server, they can access this "web.config" file and change our web application's security behaviour (correct me if I am wrong). Basically, I don't want the customer to even have access to our secured pages when they access our web application using the web browser. How do I solve this issue?
View 2 Replies
Aug 17, 2010
I used the article Creating a Flexible Configuration Section Handler to create a Flexible Configuration Section Handler in my application.
I also saw this article entitled Encrypting Custom Configuration Sections on the OdeToCode blog, on how to encrypt portions of a web.config file.
From the first article, we have this web.config code.
[code]...
View 2 Replies
Aug 26, 2010
I am getting the error "An error occurred loading a configuration file: Access to the path is denied."
When I am in VS 2010, I can Encrypt as long as I run as administrator. Code as follows:
[Code]....
My problem is I need to run this in IIS. What is stopping me? It's a permission problem, but what permission? I am running IIS 7.5 on Windows 7. This is happening on my production server as well. Same error.
View 1 Replies
Mar 9, 2010
Are there any tools available to encrypt and decrypt ASP.NET Web configuration sections like connection strings, etc.?
Can I get any add-on for this? If I use Enterprise Library I can do so, but without that, is there any simple utility available?
View 1 Replies
Nov 7, 2010
I just came across some code that seems to encrypt database keys prior to sending them to the client (WebBrowser, Silverlight, etc).
To illustrate, suppose you have a list of students to extra-curricular activities, and a relationship defined between them. Every time the data is written out to the ASPX page, the studentID and activityID are encrypted. Every time a write or modify is made, this value is sent back to the server, decrypted, and saved to the database.
What could be the reasons to expose data this way? Is this a normal practice?
View 1 Replies
Feb 4, 2011
Any section in my web.config file that I want to encrypt I run this command line util:
aspnet_regiis -pe "anySection" -app "/SampleApplication"
It all works just fine until I try encrypt my connectionStrings sections
I define (and I cannot change this) my connectionStrings section like this:
[code]....
Is there a way of doing this using the aspnet_regiis util? Doing it with code is not an option for me.
Also, is there a way to run this utility without specifying the application (-app "/SampleApplication"), instead giving the path to the web.config file?
View 2 Replies
Mar 14, 2011
I have created an X.509 certificate that is in the file:
"C:\Users\martin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates"
I am trying to access the public key to encrypt some plain text.
The system is throwing a "System.ArgumentOutOfRangeException" at the line
Dim certificate As X509Certificate2 = certificateCollection(0)
Can anyone tell me where I am going wrong or tell me another way to access the public key?
.................................................
This is the complete code:
Imports System.Text
Imports System.Security
Imports System.Security.Cryptography.X509Certificates
Imports System.Security.Cryptography.X509Certificates.X509Certificate2
Imports System.Security.Cryptography.Pkcs
Partial Class encryptwithcertificare
    Inherits System.Web.UI.Page
    Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim encoding As UTF8Encoding = New UTF8Encoding
        Dim cleartext As String = Textbox1.Text
        ' Opens the default store (the current user's "My" store) read-only
        Dim myStore As X509Store = New X509Store()
        myStore.Open(OpenFlags.ReadOnly)
        ' Look up the certificate by subject name; True returns only valid certificates
        Dim certificateCollection As X509Certificate2Collection = myStore.Certificates.Find(X509FindType.FindBySubjectName, "bobby", True)
        ' Line on which the ArgumentOutOfRangeException is reported
        Dim certificate As X509Certificate2 = certificateCollection(0)
        Dim code() As Byte = EncryptwithCertificate(cleartext, certificate)
        Label1.Text = Convert.ToBase64String(code)
    End Sub
    ' Encrypts the text to the certificate's public key as a CMS/PKCS #7 enveloped message
    Shared Function EncryptwithCertificate(ByVal cleartext As String, ByVal certificate As X509Certificate2) As Byte()
        Dim encoding As UTF8Encoding = New UTF8Encoding
        Dim cleartextsbyte() As Byte = encoding.GetBytes(cleartext)
        Dim contentinfo As ContentInfo = New ContentInfo(cleartextsbyte)
        Dim envelopedCms As EnvelopedCms = New EnvelopedCms(contentinfo)
        Dim recipient As CmsRecipient = New CmsRecipient(certificate)
        envelopedCms.Encrypt(recipient)
        Return envelopedCms.Encode()
    End Function
End Class
View 3 Replies
Apr 22, 2010
I want to encrypt the password entered by the user. How do I go about it? Is there any built-in function for it, or will I be required to write code for it?
View 5 Replies