Developers often store confidential information in the configuration files. Database connection strings, user names and passwords are some of the examples. One of the requested feature during ASP.NET 1.x days was to provide some way to easily encrypt and decrypt such information. Thankfully ASP.NET 2.0 fulfils this request in a flexible way. This article will explain how a specific configuration section can be protected using inbuilt tool and code.
How ASP.NET encrypts configuration files?
ASP.NET 2.0 allows you to encrypt sections of your configuration file so that they are secure and protected. This feature is often called as Protected Configuration. ASP.NET provides two ways to encrypt and decrypt the configuration files:
- Via a command line tool called ASPNET_REGIIS.EXE
- Via configuration management classes
The encryption and decryption is done with the help of two built-in Protected Configuration Provider :
- RsaProtectedConfigurationProvider
- DataProtectionConfigurationProvider
If you open machine.config on your machine you will find a section that specifies these providers. The RsaProtectedConfigurationProvider is the default one. Below is the relevant markup from machine.config file.
<configProtectedDatadefaultProvider="RsaProtectedConfigurationProvider"><providers><add name="RsaProtectedConfigurationProvider"type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral,yptoServiceProvider to encrypt aPublicKeyToken=b03f5f7f11d50a3a" description="Uses RsaC rnd decrypt" keyContainerName="NetFrameworkConfigurationKey"/> <add name="cspProviderName="" useMachineContainer="true" useOAEP="false"DataProtectionConfigurationProvider"type="System.Configuration.DpapiProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral,ProtectData and CryptUnProtectDaPublicKeyToken=b03f5f7f11d50a3a" description="Uses Cryp tta Windows APIs to encrypt and decrypt" useMachineProtection="true" keyEntropy="" /></providers >/configProtectedData><
Encrypting a configuration section using ASPNET_REGIIS.EXE
Let’s see how we can encrypt the <connectionStrings> section using ASPNET_REGIIS.EXE tool.
Create a new IIS based web site in VS.NET called EncryptTest and add a web.config file to it. Then add <connectionStrings> section as shown below:
<connectionStrings><add name="connstr" connectionString="data source=.\sqlexpress;initial catalog=northwind;integrated security=true" /></connectionStrings>
We simply add a connection string that points to Northwind database. Next, drag and drop a GridView control on the default web form and add the following code in the Page_Load event.
protected void Page_Load(object sender, EventArgs e){ string strConn = ConfigurationManager.ring; SqlDataAdapter da = new SqlDataAdapter (ConnectionStrings["connstr"].ConnectionS t"select * from customers", strConn); DataSet ds = new DataSet(); da.Fill(ds);GridView1.DataSource = ds; GridView1.DataBind();}
We read the connection string from the <connectionStrings> section using ConfigurationManager class. We use this manual method instead of using SQL Data Source control deliberately just to prove that the inbuilt classes such as ConfigurationManager automatically decrypt the encrypted version of the connection string. We then populate a DataSet from all the records from Customers table and bind it with the GridView.
Now, open Visual Studio 2005 Command Prompt and issue the following command:
aspnet_regiis -pe "connectionStrings" -app "/encrypttest"
The -pe switch specifies the section from the web.config file to encrypy (connectionStrings in our case). The -app switch specifies the virtual path of the IIS application we are working on.
After executing this command if you peek into the web.config file you should see some thing like this:
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">g/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xml<EncryptedData Type="http://www.w3.o renc#"> <EncryptionMethod Algorithm= "http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />rg/2001/04/xmlenc#"> <EncryptionMethod Algorithm= "h<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <EncryptedKey xmlns="http://www.w3. ottp://www.w3.org/2001/04/xmlenc#rsa-1_5" /> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <KeyName>Rsa Key</KeyName> </KeyInfo>7zk2MegZmiri<CipherData> <CipherValue>NW4gFUtlA3XkbKu42FQ3kYV8EKmwzy9r53vrI2rjV ZFqjsr00/MwS6TWqjnsguN09kWvNIrbfWu5+Gi+DLFhYnGm2NcuaCy Vic8f5e0Q8u3 E5bSELE1fZneWz4oFb+MHqA94ZO3Be XBlocou6ydtmJPXZCqLsDQ=</CipherValue> </CipherData> </EncryptedKey> </KeyInfo> <CipherData>4Kf5zcPyWoaWwcus4LnJYNtg3oGJUvavZ0tjGXH9+5gB w/xMrtfDcY<CipherValue>T2fswq6Rt7g7VSNUnoe4kNFGSluWCBReQf3DRbXao/ sWaWs4mrJAI6Xy0zNDHY5pKXUUF9Kep2wG84rMVx0QtLIUjBaUKCnrm Eb+53oYNPj NAIom9l/IMcO92BKrvimjn/k4Mr8VXxGpvdMkAC3+e6dtW JeUgQGpepO+RNpWymB5kWj38LjMQ=</CipherValue> </CipherData> </EncryptedData></connectionStrings>
The tool has encrypted the connectionStrings section using RsaProtectedConfigurationProvider (default) and stored the encrypted markup back to the configuration file. You can also specify the Protected Configuration Provider using -prov switch. Easy. Isn’t it?
Now, run your web form. The web form should correctly display the Customers table in the GridView indicating that ConfigurationManager class automatically decrypts this information while reading the connection string.
Decrypting a configuration section ASPNET_REGIIS.EXE
What if you need to make some changes to the connection string during the development? Don’t worry! The ASPNET_REGIIS.EXE tool allows you to decrypt the section also. Just issue the following command and get back your original un-encrypted version back.
aspnet_regiis -pd "connectionStrings" -app "/encrypttest"
The onlt difference between this command and the one we used previously is that we used -pd switch instead of -pa.
Encryption and decrypting via code
The task of encrypting and decrypting web.config can also be achieved via code. Let’s see how.
Add a new web form to the same web site and design it as shown below:
Add the following code in the Click event of “Encrypt Connection String” button:
protected void Button1_Click(object sender, EventArgs e){ Configuration config = WebConfigurationManager.figurationSection section = config.ConnectionSOpenWebConfiguration(Request.ApplicationPath); Co ntrings; if (!section.SectionInformation.IsProtected) {section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");section.SectionInformation.ForceSave = true;config.Save(ConfigurationSaveMode.Modified);}}
If you are not familiar with how to edit web.config programmatically then you may find this article useful : Modifying Web.config file programmatically .
The code above is opening the web.config file for modification. It then retrieves the ConnectionStrings section. The most important thing happens at the line marked in bold. The ProtectSection() method accepts the Protected Configuration Provider you want to use for encryption and then encrypts the underlying section using that provider. The code finally saves the file back to the disk.
Decrypting the configuration section works on similar lines as explained below:
protected void Button2_Click(object sender, EventArgs e){ Configuration config = WebConfigurationManager.figurationSection section = config.ConnectionSOpenWebConfiguration(Request.ApplicationPath); Co ntrings; if (section.SectionInformation.IsProtected) {section.SectionInformation.UnprotectSection();section.SectionInformation.ForceSave = true;config.Save(ConfigurationSaveMode.Modified);}}
Here, we used UnprotectSection() method to revert back to the un-encrypted version.
No comments:
Post a Comment