Security :: How To Makle Encryption In Web.config
Oct 25, 2010m trying to encrypt the <connectionStrings> in my web.config site using this code:
[Code]....
m trying to encrypt the <connectionStrings> in my web.config site using this code:
[Code]....
This is meant to be easy ...so ive been told, but still cant get it to work!I have a sql database hosted on a shared server which requires the use of sql authentication.As a result I require to encrypt my sensitive data in the config (connection strings etc).I understand that you can do this using aspnet_regiis etc, but ive been told that as I have no direct acccess to the server, I may need to program the encryption.
I have seen a few examples, but as a novice I have been banging away at this, looking at an errors screen most of the time!
Not sure if I'm posting the question in the right category.
1) I'm working in a project where encryption of data is high priority. Could some one suggest what would be the best encryption method to protect data from being cracked.
I'm using TCP/IP protocol.
2) Is HTTPS totally secured. If I'm using HTTPS, does that mean that there is no encryption of data required in the coding?
Here is what I do:
//First delete
aspnet_regiis -pz MyKeyName
//Create the container
aspnet_regiis -pc MyKeyName -exp
//Install the key into a machine-level RSA key provider
aspnet_regiis -pi MyKeyName pathToKeyFile
//Encrypt
aspnet_regiis -pef "connectionStrings" -prov pathToWebConfigFile
//So that's all good so far. If I want I can now decrypt which runs just fine on the same machine:
aspnet_regiis -pdf "connectionStrings"
I now take the Encrypted file and bring it to another machine and instal the same key (got from exporting my key using aspnet_regiis -px "MyKeyName" "C:MyKeyName.xml" -pri).
Now when I run the same decryption command I get an error " Decryption failed... Bad Data..."
I have a couple of configuration files flxConnection.config and flxSecurity.config files which are being referenced from the Machine.config file like below.
<securitySettings configSource="flxSecurity.config" />
<connectionStrings configSource="flxConnection.config" />
I would like to encrypt the files (a) flxSecurity.config and (b) flxConnection.config using the RSAProtectedConfigurationProvider using a custom RSA key, which can be deployed to other servers. How is that possible? If possible, looked at a variety of stuff in the internet and they all seem to be referring to either Web.config or Machine.config encryption which is pretty straight-forward. This is how the flxConnection.config looks like,
<?xml version="1.0"?>
<connectionStrings>
<add name="LocalSqlServer" connectionString="data source=.SQLEXPRESS;Integrated
Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true"
providerName="System.Data.SqlClient" />
</connectionStrings>
This is how the flxSecurity.config looks like,
<?xml version="1.0" encoding="UTF-8"?>
<securitySettings>
<add key="APC_APP_ID" value="apcrpt"/>
</securitySettings>
I want to encrypt the connection string in web.config, the problem is each time a developer changes the connection string in web.config and publishes, it needs to be encrypted every time in the web server. Is there any way that the connection string can encrypted automatically every time someone publishes it?
Note :- All of us work on our local machines other than the server. So encryption using local machine key is not an option.
I am using a Query Encryption Technique shown in Thread[URL]I am facing a problem with the above module status bar always displays real URL,& when ever i right click on page then properties than Address URL shows Real URL
View 4 RepliesI would like to use the System.Security.Cryptography to encrypt / decrypt my passwords strings for my custom membership provider login.I've read some basic article's but they don't explain much about the process in detail. I've decided to use AES because it is said to replace DES encryption. How can I encrypt and decrypt my password strings in the strongest way possible with AES? I would really like a very detailed explanation about the method to use for this task.
View 1 RepliesIf a website is already using SSL, this guarantees a secure channel between the client and the website right. If I do another encrypt on the information being transmitted via HTTP POST would this be an overkill?
View 2 RepliesI inherited a ASP.Net website. Some changes need to be implemented. The login for the application is encrypted using the md5cryptoserviceprovider class. After upgrading to 2.0, the password is no longer encrypted the same as when it was 1.1.
I left the 1.1 virtual directory and it's still working. On the same box, I loaded the 2.0 code and setup a new virtual directory (which isn't encrypting the same as 1.1).
I copied the section below from the 1.1 machine.config section into the web.config and the 2.0 machine.config.
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1"/>
Here is the code that is generating the hash.
MD5CryptoServiceProvider encryptionServiceProvider = new MD5CryptoServiceProvider();
var bytes = ASCIIEncoding.ASCII.GetBytes(inputString);
what is two way encryption and how does that work ?
View 2 RepliesI have a hex string (encrypted)I need to use Rijndael classes with these settings:
Encryption: AES
I have a problem trying to encrypt a string in PHP and also in C# using DES (cbc) encryption. The problem I'm facing is that I'm getting different results using the different languages.In C#:
[Code]....
You can see that they are close...
PHP: HLp51qoFW0rimOTafCVTVQ==
C# : HLp51qoFW0ojU8eGEGkk4w==
But something is going wrong somewhere, I suspect it's a difference between (PHP) pack("H*", '0F26EF560F26EF56') and (C#) StringToBytes.ConvertHex("0F26EF560F26EF56") but I'm really struggling to spot it.
my code:
[Code]....
I have a stored encryption: "dkljas84u238jidasjidoia"When I get in this instance decryption "11111111111111111"show how the combobox "****************** 1111 "Something like: SELECT RIGHT ('11111111111111111 ', 4)
I'm just starting to really get into JSON as a tool for my sites. I was showing my friend how I am calling a WS and returning the data, and he asked me about security of passing JSON data to and from a web service as he saw the data from the "POST" (via Firebug). Many of our public facing sites deal with member information and contain PHI. Can I encrypt the JSON data and then unencrypt it? Is that a good way to go about it to ensure a layer of protection? Or is there another "better/right" way of doing it? Or are his concerns unfounded? Is there an article about how to encrypt or secure the JSON data when needed? Just trying to gather as much knowledge as possible before I go down a path that won't work for the company.
View 4 RepliesMy website has to connect to a hosted SQL Server database. The connectiostring, incluing username and password, is stored in the web config file.I have two questions.The first is that everything I read says this must be encrypted so that it cannot be read and used by others. Well, how would that happen. My understanding of ASP.net is that all the work is carried out on the hosted server and the rendered page is then delivered to the user. How would a user be able to view my connectionstring.Secondly, I have used some msdn vb.net code to encrypt the connection string in the web config file. Following on from the first question, how can I confirm that the encryption is intact on the published web.config file.
View 7 RepliesI am creating an application that will save financial data.I am in the process of creating an architecture for this application.I am stuck deciding wether to do encryption on the application side or SQL Server side. I am planning to use AESManaged algorithm for this.My requirement is such that the ecnryption key is unique for each user (based on user's password).I am of the opinion that it should be on the application server side as it becomes easily scalable. Another attractive thing that I find is that if my frontend is Silverlight then I can pass on the actual encryption load onto the client system.
View 7 RepliesI am trying to use both .NET Cryptography as well as SQL Symmetric Encryption with Triple DES, if it's possible. I was able to set up a test database with encryption on a single field like so:
[Code]....
I am using this because of SQL Reportas that are being ran and I don't have access to C# development within them. Now to insert the encrypted key what do I use? I found the following code on another post http://forums.asp.net/p/902066/1000988.aspx#1000988:
[Code]....
How do I modify OR what code do I use to Encrypt/Decrypt the SQL Encryption, does the SQL Encryption method need to change..Is it even possible?
I'm trying to encrypt username and password using a key file generated using enterprise library and every thing works fine, but the problem is that key can only be used on the mashine on which i have generated the key,eithor by machine mode or user mode, i want to ask if their any way to use encryption without using a key file ...
for example by machine key in web config..
I am trying to encrypt my passwords and store in database..i want to know which is the latest one..
View 2 Replieshow to encrypt a PIN in to 4 byte binary. The MD5 and other hashes I have known give the result as 8 or 16 byte. I need only 4 bytes because it is alloted only varchar(4) in the database.
View 3 RepliesI am trying to encrypt/decrypt a file with CAPICOM in javascript. I have to encrypt file with private key and decrypt with public key. But I dont know how to do this with CAPICOM.
View 1 RepliesI need to get message integrity by encrypting the data while dataflow between Service <-> client (by directional). Below are the details.
Development Environment: .net framework 4.0; Windows 7, IIS7, VS2010.
Production Environment: .net framework 4.0; Windows 2008, IIS7.
Business Requirement:
I have an WCF Service hosted in IIS7. There are multiple Windows Forms Application as clients to my service. Services will be consumed via internet.User, Role information are stored in SQL Server 2008 database. Need to Authenticate and Authorize requests agains the SQL Server database. Dataflow is bi-directional. Clients will write data to service. And also Service will serve data to clients Data transfered in wires must be encrypted, in both directions. My approch to solution:
Below is the configuration setting in Service web.config file.
<system.serviceModel> <bindings> <wsHttpBinding> <binding name="POCWsHttpBinding"> <security mode="Message"> <message clientCredentialType="UserName" negotiateServiceCredential="true" /> </security> </binding> </wsHttpBinding> </bindings> <services> <service behaviorConfiguration="POCServiceBehaviour" name="SecurityPOC.SecuredService"> <endpoint address="" binding="wsHttpBinding" bindingConfiguration="POCWsHttpBinding" name="POCwsHttpBindingEndPoint" contract="SecurityPOC.ISecuredService" /> </service> </services> <behaviors> <serviceBehaviors> <behavior name="POCServiceBehaviour"> <serviceMetadata httpGetEnabled="true" /> <serviceDebug includeExceptionDetailInFaults="false" /> <serviceCredentials> <serviceCertificate findValue="CN=WCFServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" /><userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Common.MyCustomUsernamePasswordValidator, Common" /> </serviceCredentials> </behavior> </serviceBehaviors> </behaviors> <serviceHostingEnvironment multipleSiteBindingsEnabled="true" /> </system.serviceModel>
Questions & Assumptions:
My assumption is that, client certificate is used for authentication. I am not using Certificates at Client side, becuase my client authentication will be done using UserNameValitions against the Database.
Am I write? Using only Server side Certificate, with negotiateServiceCredential="true".
Is it required is install Server certificate on client machines in this case?
I am assuming Server Certificate details will be downloaded to client site during the first call..
<security mode="Message">,
Assuming this setting takes care about the message security/encryption using the Server certificate, in both directions. As per my requirement, message must encryped on wire while tranfer between Server to client and while Client to Server.
Am I write?
My Last question...How to ensure that messages are being encripted on both directions, from Testing point-of-view. I need to take test evidences out of it.
I want to know how can I protect my password in login & register pages because I am not using .net's Login or CreateUserWizard controls.I want an encryption method for this process e.g. when storing password in the database form the register page and when comparing the password with stored password in database to varify a user in login page.
View 3 RepliesJust a quick question i've been asked to look at enhancing security but encrypting passwords we store in a db table, essentially the data thats linked to the user account isnt sensitive however its more to stop someone reading passwords out of the table directly etc
I've read multiple ways of implimenting hashing etc i've started using FormsAuthentication.HashPasswordForStoringInConfigFile
//create new salt and update the password
Hashtable newInfo = new Hashtable();
newInfo["salt"] = GenerateFriendlyPassword(5);
string tmppass = FormsAuthentication.HashPasswordForStoringInConfigFile(txtNewPass1.Text.ToString() + newInfo["salt"].ToString(), "SHA1");
newInfo["passwordHash"] = tmppass;
Generate friendly password returns a 5 char string based on a random position in a valid char array containing a - z and 0 - 9At present the functionality is at page level in the code behind, re this is the forms authentication HashPasswordForStoringInConfigFile function thread safe? Or do i need to look at implimenting this in a different wayCheers appreciate your response as im always jubious about multi threading etc,