Encrypt Connection Strings AppSettings and Web.Config in ASP.NET 2.0 - Security Best Practices

One ASP.NET security task that was essentially impossible to perform in a shared ASP.NET 1.1 hosting environment was connection string encryption. Encrypting connection strings, encrypting application settings, or encrypting any other part of Web.config required additional access to the hosting environment above and beyond what most 3rd party host providers were willing to provide to their customers.

ASP.NET 2.0 has now made this monumental task of encrypting configuration sections within Web.config a snap.  There are no more excuses in .NET 2.0 as to why you haven't encrypted sensitive information, such as connection strings, in your Web.config.  Not only can you encrypt config sections using aspnet_regiis from the command line, but you can also encrypt and decrypt Web.config on the fly in code.

Encrypt AppSettings Programmatically

Shown below is a snippet of the application settings in Web.config in ASP.NET 2.0.  Unprotected, you can read the application settings really easily.  However, if this is private data that you don't want people to know, it is best to encrypt it.


<appSettings>
    <add key="SiteName" value="Dave's Website" />
    <add key="SecretKey" value="12345678" />
</appSettings>


The code for protecting and unprotecting sections in your Web.config is fairly trivial, because WebConfigurationManager-related classes handle all the work for you.  I added two buttons to a web page, called btnProtect and btnUnProtect, to protect and unprotect on the fly.  Here is the code of interest:


using System;
using System.Configuration;
using System.Web.Configuration;

// btnUnProtect and btnProtect toggle encryption of the appSettings section on the fly.
protected void UnProtect_Click(object sender, EventArgs e)
{
    UnProtectSection("appSettings");
}

protected void Protect_Click(object sender, EventArgs e)
{
    // DataProtectionConfigurationProvider encrypts the section with Windows DPAPI.
    ProtectSection("appSettings",
        "DataProtectionConfigurationProvider");
}

private void ProtectSection(string sectionName, string provider)
{
    // Open this application's Web.config for editing.
    Configuration config =
        WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection(sectionName);

    // Only encrypt a section that exists and is still in clear text.
    if (section != null && !section.SectionInformation.IsProtected)
    {
        section.SectionInformation.ProtectSection(provider);
        config.Save();
    }
}

private void UnProtectSection(string sectionName)
{
    Configuration config =
        WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection(sectionName);

    // Only decrypt a section that exists and is currently encrypted.
    if (section != null && section.SectionInformation.IsProtected)
    {
        section.SectionInformation.UnprotectSection();
        config.Save();
    }
}


The code is very self-explanatory.  The amazing part is how trivial it is.  Here is what the application settings look like when encrypted:


<appSettings configProtectionProvider=
        "DataProtectionConfigurationProvider">
  <EncryptedData>
   <CipherData>
    <CipherValue>
        AQAAANCMnd8BFdERjHoAwE/Cl+sBAAA
        AXmrl4EN1VUSGDS9ZSSydRwQAAAACAA
        AAAAADZgAAqAAAABAAAAA280OtZlZwu
        D3U+ihvi2zpAAAAAASAAACgAAAAEAAA
        AJ6AnDzWM1o3osh/Y6fcYtwAAQAA1PR
        +wzfwgBgZ4y0yHU4uxaaMET13u21Bv3
        zVE7aA7Z5pCWAYs54LNLNYQ673kmzAL
        osWb7OMuzW6BPwMp18gKNQXOFSGNgA1
        ...
    </CipherValue>
   </CipherData>
  </EncryptedData>
</appSettings>

 
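The ProtectSection/UnProtectSection code above handles one section per call and says nothing about which provider to pick or how to confirm the application still reads the values. The following helper is an added example, not code from the original post: it wraps the same WebConfigurationManager calls so that several sections are encrypted in a single Save(), skips sections that are already protected, and reads a setting back through the configuration API to show that decryption is transparent to the application. The section names, the "SecretKey" key and the ConfigProtection class name are assumptions for the example.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example (not from the original post): a reusable helper around
// WebConfigurationManager for protecting several Web.config sections at once.
public static class ConfigProtection
{
    // DPAPI provider (used in the post): the key is bound to this machine, so an
    // encrypted Web.config cannot simply be copied to another server or a web farm.
    public const string DpapiProvider = "DataProtectionConfigurationProvider";

    // RSA provider: its key container can be exported/imported on each server with
    // aspnet_regiis -px / -pi, which makes it the choice for multi-server deployments.
    public const string RsaProvider = "RsaProtectedConfigurationProvider";

    // Encrypts each named section that is still in clear text.
    // Returns how many sections were changed (0 means the call was a no-op).
    public static int Protect(string appPath, string provider, params string[] sectionNames)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        int changed = 0;
        foreach (string name in sectionNames)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null)
                throw new ArgumentException("Section not found in Web.config: " + name);
            if (section.SectionInformation.IsProtected)
                continue;                       // already encrypted, leave it alone
            section.SectionInformation.ProtectSection(provider);
            changed++;
        }
        // Save() rewrites Web.config: the worker process identity needs write
        // permission on the file, and the change recycles the application domain.
        if (changed > 0)
            config.Save(ConfigurationSaveMode.Modified);
        return changed;
    }

    // Reverses Protect for the named sections; same return convention.
    public static int Unprotect(string appPath, params string[] sectionNames)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        int changed = 0;
        foreach (string name in sectionNames)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null || !section.SectionInformation.IsProtected)
                continue;
            section.SectionInformation.UnprotectSection();
            changed++;
        }
        if (changed > 0)
            config.Save(ConfigurationSaveMode.Modified);
        return changed;
    }

    // Reads an appSettings value back through the configuration API. Protection is
    // transparent here: the value is decrypted on read, so page code never needs to
    // know whether the section is encrypted on disk.
    public static string ReadAppSetting(string appPath, string key)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        KeyValueConfigurationElement element = config.AppSettings.Settings[key];
        return element == null ? null : element.Value;
    }
}

// Example use from a page, e.g. inside the btnProtect click handler:
//   int changed = ConfigProtection.Protect(Request.ApplicationPath,
//       ConfigProtection.DpapiProvider, "appSettings", "connectionStrings");
//   string secret = ConfigProtection.ReadAppSetting(Request.ApplicationPath, "SecretKey");
```

Two practical checks follow from this. First, run Protect twice: the second call returns 0 and leaves the file untouched, which is the behaviour you want from a deployment step that may be re-run. Second, ReadAppSetting returns the clear-text value whether or not the section is encrypted, so existing code that uses ConfigurationManager.AppSettings or ConnectionStrings keeps working unchanged. The same result from the command prompt is aspnet_regiis -pe "connectionStrings" -app "/MyApp" (and -pd to decrypt), where "/MyApp" is the application's virtual path.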

Conclusion

ASP.NET 2.0 makes it extremely easy to encrypt connection strings, encrypt application settings, and encrypt config sections in Web.config either via the command prompt with aspnet_regiis or programmatically in your web applications.

Written by David Hayden ( ASP.NET Developer / Blog )

 

posted on Thursday, November 17, 2005 10:49 PM
