Introduction

ASP.NET developers commonly store all configuration and sensitive information in plain-text files called web.config and machine.config. This information includes database connection strings, database user names and passwords, and SMTP server details and credentials. This article describes ways to encrypt the sensitive sections of web.config.

Scenario

By default, ASP.NET rejects all requests for resources with the .config extension; this mapping is set up when ASP.NET is configured. However, the sensitive information in Web.config can still be disclosed if an attacker gains access to your web server's file system and the file is not encrypted.

Solutions

There are two ways to encrypt the web.config file.

1. Using aspnet_regiis.exe, a command-line tool

2. Using the Protected Configuration model programmatically

Note: Encrypting and decrypting configuration sections carries a performance cost. Therefore, encrypt only the configuration sections that contain sensitive information.

Using aspnet_regiis.exe command line tool

First we look at how to encrypt and decrypt sections of the Web.config file using the aspnet_regiis.exe command-line tool. You can find this tool in the <WINDOWDIR>\Microsoft.Net\Framework\version directory. Use the following command to encrypt a section of the Web.config file using the DPAPI machine key:

aspnet_regiis.exe -pe "connectionStrings" -app "Application_Virtual_Directory" -prov "DataProtectionConfigurationProvider"

To decrypt the connectionStrings section with the same tool, use the following command:

aspnet_regiis.exe -pd "connectionStrings" -app "Application_Virtual_Directory"

Using Protected Configuration model programmatically

The Protected Configuration model in ASP.NET 2.0 lets you encrypt configuration sections using two built-in protected configuration providers:

1. RSAProtectedConfigurationProvider: the default provider; it uses the RSA public-key encryption algorithm to encrypt and decrypt data.

2. DataProtectionConfigurationProvider: this provider uses the built-in cryptography of Windows, the Windows Data Protection Application Programming Interface (DPAPI), to encrypt and decrypt data.

In this article we explore both of these providers for encrypting and decrypting web.config sections in ASP.NET 2.0.

RSAProtectedConfigurationProvider:

Create a new Web site. Open the Web.config file and add a sample connection string. Below is an example of a connectionStrings section:

<connectionStrings>
  <add name="MyLocalSQLServer"
       connectionString="Initial Catalog=aspnetdb; data source=localhost;Integrated Security=SSPI;"
       providerName="System.Data.SqlClient"/>
</connectionStrings>

Notice the connectionStrings section in the sample above, which holds the connection string information in plain text.

Add a new form to the website and add the following code to its code-behind file:

using System.Web.Configuration;
using System.Web.Security;
using System.Configuration;

// Encrypts the <connectionStrings> section of this application's Web.config
// with the RSA provider. Runs from a page code-behind, so Request is available.
public void EncryptConnectionString()
{
    Configuration objConfig = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection objSection = objConfig.GetSection("connectionStrings");
    // Only encrypt if the section is still in plain text.
    if (!objSection.SectionInformation.IsProtected)
    {
        objSection.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
        objConfig.Save();
    }
}

This code uses the RSAProtectedConfigurationProvider to encrypt the connection strings. The System.Configuration namespace contains the classes that deal with configuration information, and System.Web.Configuration contains the WebConfigurationManager class, which provides programmatic access to the configuration files of ASP.NET web applications. The OpenWebConfiguration method of WebConfigurationManager returns a Configuration object, which has the methods and properties needed to work with the underlying configuration files. The GetSection method of that object returns the connectionStrings section of web.config, and ProtectSection encrypts it with the named provider. Now run this page and observe your web.config file.

DataProtectionConfigurationProvider:

Create another website and add a sample connection string to its web.config file. Add a new form to the website and add the following code to its code-behind file:

using System.Web.Configuration;
using System.Web.Security;
using System.Configuration;

// Same as the RSA version, but encrypts the section with the Windows DPAPI provider.
public void EncryptConnectionString()
{
    Configuration objConfig = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection objSection = objConfig.GetSection("connectionStrings");
    // Only encrypt if the section is still in plain text.
    if (!objSection.SectionInformation.IsProtected)
    {
        objSection.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        objConfig.Save();
    }
}

Decrypt Protected Configuration

You can decrypt the protected section again with the method below.

using System.Web.Configuration;
using System.Web.Security;
using System.Configuration;

// Restores the <connectionStrings> section to plain text. Note that the
// condition is the opposite of the encrypt methods: only unprotect a
// section that is currently protected.
public void DecryptConnectionString()
{
    Configuration objConfig = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection objSection = objConfig.GetSection("connectionStrings");
    if (objSection.SectionInformation.IsProtected)
    {
        objSection.SectionInformation.UnprotectSection();
        objConfig.Save();
    }
}
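The three code-behind methods above (RSA encrypt, DPAPI encrypt, decrypt) all operate on the running application's own Web.config. The following is an added example, not code from the article, that brings the same steps together in a stand-alone console utility: it opens a Web.config by physical directory (the way aspnet_regiis -pef works on a path rather than a virtual directory), protects or unprotects the connectionStrings section with either provider, and then reports what is actually on disk next to what the configuration API returns. It assumes .NET Framework with references to System.Configuration and System.Web; the directory argument and the connection string name MyLocalSQLServer (taken from the sample section above) are placeholders.

```csharp
// Added example, not code from the article. Protects or unprotects the
// <connectionStrings> section of a Web.config found at a physical directory,
// using either provider described in the article, then reports the result.
// Assumptions: .NET Framework, references to System.Configuration and System.Web;
// the directory and connection string name are placeholders.
using System;
using System.Configuration;
using System.IO;
using System.Web.Configuration;

public static class ConfigProtector
{
    public const string RsaProvider = "RsaProtectedConfigurationProvider";
    public const string DpapiProvider = "DataProtectionConfigurationProvider";

    // Open the Web.config in physicalDir without needing an IIS site, much as
    // "aspnet_regiis -pef" works on a physical path instead of a virtual directory.
    private static Configuration Open(string physicalDir)
    {
        var map = new WebConfigurationFileMap();
        map.VirtualDirectories.Add("/", new VirtualDirectoryMapping(physicalDir, true));
        return WebConfigurationManager.OpenMappedWebConfiguration(map, "/");
    }

    // Encrypt sectionName with providerName. Returns true when the file was changed,
    // false when the section was already protected (idempotent, safe to re-run).
    public static bool Protect(string physicalDir, string sectionName, string providerName)
    {
        Configuration config = Open(physicalDir);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found: " + sectionName);
        if (section.SectionInformation.IsProtected)
            return false;
        section.SectionInformation.ProtectSection(providerName);
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Decrypt sectionName. The condition is the inverse of Protect: the section
    // is only unprotected when it is currently protected.
    public static bool Unprotect(string physicalDir, string sectionName)
    {
        Configuration config = Open(physicalDir);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found: " + sectionName);
        if (!section.SectionInformation.IsProtected)
            return false;
        section.SectionInformation.UnprotectSection();
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Show the two views of the section: the raw file (ciphertext when protected)
    // and the configuration API (always plaintext; decryption is transparent).
    public static void Report(string physicalDir, string sectionName, string connectionName)
    {
        string raw = File.ReadAllText(Path.Combine(physicalDir, "web.config"));
        bool encryptedOnDisk = raw.Contains("<EncryptedData");

        Configuration config = Open(physicalDir);
        SectionInformation info = config.GetSection(sectionName).SectionInformation;
        string provider = info.IsProtected ? info.ProtectionProvider.Name : "(none)";
        Console.WriteLine("{0}: IsProtected={1}, provider={2}, ciphertext on disk={3}",
                          sectionName, info.IsProtected, provider, encryptedOnDisk);

        ConnectionStringSettings cs = config.ConnectionStrings.ConnectionStrings[connectionName];
        Console.WriteLine("API view of '{0}': {1}",
                          connectionName, cs == null ? "(not found)" : cs.ConnectionString);
    }

    // Usage: ConfigProtector.exe <physicalDir> rsa|dpapi|decrypt
    public static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: ConfigProtector <physicalDir> rsa|dpapi|decrypt");
            return 1;
        }
        string dir = args[0];
        const string section = "connectionStrings";
        bool changed;
        switch (args[1])
        {
            case "rsa":     changed = Protect(dir, section, RsaProvider);   break;
            case "dpapi":   changed = Protect(dir, section, DpapiProvider); break;
            case "decrypt": changed = Unprotect(dir, section);              break;
            default:
                Console.Error.WriteLine("unknown action: " + args[1]);
                return 1;
        }
        Console.WriteLine(changed ? "web.config updated" : "no change needed");
        Report(dir, section, "MyLocalSQLServer");  // placeholder name from the sample section
        return 0;
    }
}
```

Two points the report makes visible are worth keeping in mind when choosing a provider. With the RSA provider, the ciphertext can be decrypted only by an account that can read the RSA key container (by default the machine-level container named NetFrameworkConfigurationKey), so the application pool identity must be granted access, for example with aspnet_regiis -pa "NetFrameworkConfigurationKey" "<app pool account>"; the container can also be exported and imported with aspnet_regiis so that several servers share one key. With the DPAPI provider the key is bound to the machine, so the encrypted web.config cannot simply be copied to another server. In both cases the API view stays plaintext for any code running as the application, which is the point of the feature: protected configuration defends against disclosure of the file, not against code already running inside the application.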

Points of Attention

Remember that you cannot encrypt the following sections using protected configuration or the aspnet_regiis.exe tool:

o  <processModel>
o  <runtime>
o  <mscorlib>
o  <startup>
o  <system.runtime.remoting>
o  <configProtectedData>
o  <satelliteassemblies>
o  <cryptographySettings>
o  <cryptoNameMapping>
o  <cryptoClasses>

To protect these configuration sections, the aspnet_setreg.exe command-line tool can help.

Copyrights 2018, www.expertsupdates.com