Use Dpapi with Shared Asp.Net Web Host?

[Phil C.]

Hi.

I'd like to use an encrypted database connection string. I'd also like use
an encrypted set of customer tables with a symmetric algorithm (and a secure
symmetric key) generated by .Net in my sql server database from asp.net
code stored on a shared host asp.net server.

I've downloaded a set of vb.net code that is a rewrite of the c# dpapi
code posted on msdn. The dpapi should enable me to encrypt the connection
string, but the portion of the code that calls the encryption class and
encrypts a given string is a console application.

The article accompanying the code states: "Note that you'll need to run the
console application on the IIS server to generate the encrypted
base-64-encoded string. this is because the EncryptString function
instructs the DPAPI to use the machine-wide key, so the encryption and
ecryption will be valid only on the same machine.

Since this is on a shared host thousands of miles away, and I don't belive
I can run any local console code on it,
does this mean I'm sunk????

Basically I need some secure way of storing my encrypted connection string
and storing
my symmetric encryption key. I know how to write the code to use the keys
and algorithms to encrypt and decrypt things.

I suppose I could hide bits and pieces of the each key
in different places in the code or database and append them together by
hardcoding, but
I believe that that could be discovered???? by dissassembling my code unless
I use a professional obfuscator???.

HELP!

--Insecure in Boston, MA
-->GO PATRIOTS!!!!!!!!!!!!!!!

[Svein Terje Gaup]

If you need to write your own DPAPI library, this might help:
[url]http://msdn.microsoft.com/security/securecode/dotnet/default.aspx?pull=/library/en-us/dnnetsec/html/SecNetHT08.asp[/url]

DPAPI is only suitable for encrypting and decrypting stuff on the same
machine. If you need to decrypt on a different machine, DPAPI is useless.

This article explains how to encrypt and store the connection string in the
registry:
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod25.asp[/url]

HTH,
Svein Terje Gaup

"Phil C." <charlestek@rcn.com> wrote in message
news:OXd0npeAFHA.2076@TK2MSFTNGP15.phx.gbl...

> Hi.
>
> I'd like to use an encrypted database connection string. I'd also like
> use an encrypted set of customer tables with a symmetric algorithm (and a
> secure symmetric key) generated by .Net in my sql server database from
> asp.net code stored on a shared host asp.net server.
>
> I've downloaded a set of vb.net code that is a rewrite of the c# dpapi
> code posted on msdn. The dpapi should enable me to encrypt the connection
> string, but the portion of the code that calls the encryption class and
> encrypts a given string is a console application.
>
> The article accompanying the code states: "Note that you'll need to run
> the console application on the IIS server to generate the encrypted
> base-64-encoded string. this is because the EncryptString function
> instructs the DPAPI to use the machine-wide key, so the encryption and
> ecryption will be valid only on the same machine.
>
> Since this is on a shared host thousands of miles away, and I don't
> belive I can run any local console code on it,
> does this mean I'm sunk????
>
> Basically I need some secure way of storing my encrypted connection string
> and storing
> my symmetric encryption key. I know how to write the code to use the
> keys and algorithms to encrypt and decrypt things.
>
> I suppose I could hide bits and pieces of the each key
> in different places in the code or database and append them together by
> hardcoding, but
> I believe that that could be discovered???? by dissassembling my code
> unless I use a professional obfuscator???.
>
> HELP!
>
> --Insecure in Boston, MA
> -->GO PATRIOTS!!!!!!!!!!!!!!!
>

[Phil C.]

Thanks, Svein

Since the only directory I have access to on the web host server is a given
asp.net directory for my files, I seriously doubt I would for security
reasons be allowed to access the registry. Therefore, my alternatives do
not look good at all.

Phil

"Svein Terje Gaup" <stgaup@broadpark.no.spam> wrote in message
news:%23QKBVBkAFHA.1452@TK2MSFTNGP11.phx.gbl...

> If you need to write your own DPAPI library, this might help:
> [url]http://msdn.microsoft.com/security/securecode/dotnet/default.aspx?pull=/library/en-us/dnnetsec/html/SecNetHT08.asp[/url]
>
> DPAPI is only suitable for encrypting and decrypting stuff on the same
> machine. If you need to decrypt on a different machine, DPAPI is useless.
>
> This article explains how to encrypt and store the connection string in
> the registry:
> [url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod25.asp[/url]
>
> HTH,
> Svein Terje Gaup
>
> "Phil C." <charlestek@rcn.com> wrote in message
> news:OXd0npeAFHA.2076@TK2MSFTNGP15.phx.gbl...

>> Hi.
>>
>> I'd like to use an encrypted database connection string. I'd also like
>> use an encrypted set of customer tables with a symmetric algorithm (and a
>> secure symmetric key) generated by .Net in my sql server database from
>> asp.net code stored on a shared host asp.net server.
>>
>> I've downloaded a set of vb.net code that is a rewrite of the c# dpapi
>> code posted on msdn. The dpapi should enable me to encrypt the
>> connection string, but the portion of the code that calls the encryption
>> class and encrypts a given string is a console application.
>>
>> The article accompanying the code states: "Note that you'll need to run
>> the console application on the IIS server to generate the encrypted
>> base-64-encoded string. this is because the EncryptString function
>> instructs the DPAPI to use the machine-wide key, so the encryption and
>> ecryption will be valid only on the same machine.
>>
>> Since this is on a shared host thousands of miles away, and I don't
>> belive I can run any local console code on it,
>> does this mean I'm sunk????
>>
>> Basically I need some secure way of storing my encrypted connection
>> string and storing
>> my symmetric encryption key. I know how to write the code to use the
>> keys and algorithms to encrypt and decrypt things.
>>
>> I suppose I could hide bits and pieces of the each key
>> in different places in the code or database and append them together by
>> hardcoding, but
>> I believe that that could be discovered???? by dissassembling my code
>> unless I use a professional obfuscator???.
>>
>> HELP!
>>
>> --Insecure in Boston, MA
>> -->GO PATRIOTS!!!!!!!!!!!!!!!
>>

>
>

[Dominick Baier [DevelopMentor]]

i wrote a couple of DPAPI tools (extended the ms impl, a command line tool .. and a ASP.NET frontend) - just upload the single aspx file to the server and you can encrypt whatever strings you like with DPAPI...don't forget to secure that page (or better delete it when you are finished)

download:
[url]http://www.leastprivilege.com/PermaLink.aspx?guid=ebd9956e-a36c-4b57-8d58-6ff79a60e43f[/url]



---
Dominick Baier - DevelopMentor
[url]http://www.leastprivilege.com[/url]

nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<OXd0npeAFHA.2076@TK2MSFTNGP15.phx.gbl>

Hi.

I'd like to use an encrypted database connection string. I'd also like use
an encrypted set of customer tables with a symmetric algorithm (and a secure
symmetric key) generated by .Net in my sql server database from asp.net
code stored on a shared host asp.net server.

I've downloaded a set of vb.net code that is a rewrite of the c# dpapi
code posted on msdn. The dpapi should enable me to encrypt the connection
string, but the portion of the code that calls the encryption class and
encrypts a given string is a console application.

The article accompanying the code states: "Note that you'll need to run the
console application on the IIS server to generate the encrypted
base-64-encoded string. this is because the EncryptString function
instructs the DPAPI to use the machine-wide key, so the encryption and
ecryption will be valid only on the same machine.

Since this is on a shared host thousands of miles away, and I don't belive
I can run any local console code on it,
does this mean I'm sunk????

Basically I need some secure way of storing my encrypted connection string
and storing
my symmetric encryption key. I know how to write the code to use the keys
and algorithms to encrypt and decrypt things.

I suppose I could hide bits and pieces of the each key
in different places in the code or database and append them together by
hardcoding, but
I believe that that could be discovered???? by dissassembling my code unless
I use a professional obfuscator???.

HELP!

--Insecure in Boston, MA
-->GO PATRIOTS!!!!!!!!!!!!!!!



[microsoft.public.dotnet.framework.aspnet.security]

[Svein Terje Gaup]

I'm not sure if this would work, but I guess you could try using asymetric
encryption. You could then store your public key and the encrypted
connection string in the web.config file on the web server. To decrypt the
connection string and connect to the database, the user connects using SSL,
passing the private key (as a kind of password). You might then store the
private key in the users context during the session.

Ah... you probably can't connect using SSL either since you don't have
access to the server? Or can you?

You could also use DPAPI as you suggested, but you should not use a console
application, but rather encapsulate your DPAPI code in a DLL file, as
suggested in this MSDN article:
[url]http://msdn.microsoft.com/security/securecode/dotnet/default.aspx?pull=/library/en-us/dnnetsec/html/SecNetHT07.asp[/url].

DPAPI consists of unmanaged code, so you will have to sign the component.
I'm not sure, however, if even signing will be enough to allow the component
to be used on the shared webserver. This depends on the ISP's CAS policy.

You can then make an application (one aspx file) that by using the DPAPI
library encrypts the connection string in web.config. After the encryption
has been done, for security reasons, you would have to remove the
application from the server, so no-one could use it to "double-encrypt" your
connection string.

Just a few thoughts...
Svein Terje Gaup

"Phil C." <charlestek@rcn.com> wrote in message
news:exsLpekAFHA.3528@tk2msftngp13.phx.gbl...

> Thanks, Svein
>
> Since the only directory I have access to on the web host server is a
> given asp.net directory for my files, I seriously doubt I would for
> security reasons be allowed to access the registry. Therefore, my
> alternatives do not look good at all.
>
> Phil
>
> "Svein Terje Gaup" <stgaup@broadpark.no.spam> wrote in message
> news:%23QKBVBkAFHA.1452@TK2MSFTNGP11.phx.gbl...

>> If you need to write your own DPAPI library, this might help:
>> [url]http://msdn.microsoft.com/security/securecode/dotnet/default.aspx?pull=/library/en-us/dnnetsec/html/SecNetHT08.asp[/url]
>>
>> DPAPI is only suitable for encrypting and decrypting stuff on the same
>> machine. If you need to decrypt on a different machine, DPAPI is useless.
>>
>> This article explains how to encrypt and store the connection string in
>> the registry:
>> [url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod25.asp[/url]
>>
>> HTH,
>> Svein Terje Gaup
>>
>> "Phil C." <charlestek@rcn.com> wrote in message
>> news:OXd0npeAFHA.2076@TK2MSFTNGP15.phx.gbl...

>>> Hi.
>>>
>>> I'd like to use an encrypted database connection string. I'd also like
>>> use an encrypted set of customer tables with a symmetric algorithm (and
>>> a secure symmetric key) generated by .Net in my sql server database
>>> from asp.net code stored on a shared host asp.net server.
>>>
>>> I've downloaded a set of vb.net code that is a rewrite of the c# dpapi
>>> code posted on msdn. The dpapi should enable me to encrypt the
>>> connection string, but the portion of the code that calls the encryption
>>> class and encrypts a given string is a console application.
>>>
>>> The article accompanying the code states: "Note that you'll need to run
>>> the console application on the IIS server to generate the encrypted
>>> base-64-encoded string. this is because the EncryptString function
>>> instructs the DPAPI to use the machine-wide key, so the encryption and
>>> ecryption will be valid only on the same machine.
>>>
>>> Since this is on a shared host thousands of miles away, and I don't
>>> belive I can run any local console code on it,
>>> does this mean I'm sunk????
>>>
>>> Basically I need some secure way of storing my encrypted connection
>>> string and storing
>>> my symmetric encryption key. I know how to write the code to use the
>>> keys and algorithms to encrypt and decrypt things.
>>>
>>> I suppose I could hide bits and pieces of the each key
>>> in different places in the code or database and append them together by
>>> hardcoding, but
>>> I believe that that could be discovered???? by dissassembling my code
>>> unless I use a professional obfuscator???.
>>>
>>> HELP!
>>>
>>> --Insecure in Boston, MA
>>> -->GO PATRIOTS!!!!!!!!!!!!!!!
>>>

>>
>>

>
>

[Phil C.]

Thanks again Svein,

I will look at both options as well as talk to the web host company (if I
can find someone knowlegeable there).
I gather this means that most small companies rent standalone servers from
web hosts.
Either that or they have their own server at their own location.

Phil

"Svein Terje Gaup" <stgaup@broadpark.no.spam> wrote in message
news:uZ7djHlAFHA.3404@TK2MSFTNGP10.phx.gbl...

> I'm not sure if this would work, but I guess you could try using asymetric
> encryption. You could then store your public key and the encrypted
> connection string in the web.config file on the web server. To decrypt the
> connection string and connect to the database, the user connects using
> SSL, passing the private key (as a kind of password). You might then store
> the private key in the users context during the session.
>
> Ah... you probably can't connect using SSL either since you don't have
> access to the server? Or can you?
>
> You could also use DPAPI as you suggested, but you should not use a
> console application, but rather encapsulate your DPAPI code in a DLL file,
> as suggested in this MSDN article:
> [url]http://msdn.microsoft.com/security/securecode/dotnet/default.aspx?pull=/library/en-us/dnnetsec/html/SecNetHT07.asp[/url].
>
> DPAPI consists of unmanaged code, so you will have to sign the component.
> I'm not sure, however, if even signing will be enough to allow the
> component to be used on the shared webserver. This depends on the ISP's
> CAS policy.
>
> You can then make an application (one aspx file) that by using the DPAPI
> library encrypts the connection string in web.config. After the encryption
> has been done, for security reasons, you would have to remove the
> application from the server, so no-one could use it to "double-encrypt"
> your connection string.
>
> Just a few thoughts...
> Svein Terje Gaup
>
> "Phil C." <charlestek@rcn.com> wrote in message
> news:exsLpekAFHA.3528@tk2msftngp13.phx.gbl...

>> Thanks, Svein
>>
>> Since the only directory I have access to on the web host server is a
>> given asp.net directory for my files, I seriously doubt I would for
>> security reasons be allowed to access the registry. Therefore, my
>> alternatives do not look good at all.
>>
>> Phil
>>
>> "Svein Terje Gaup" <stgaup@broadpark.no.spam> wrote in message
>> news:%23QKBVBkAFHA.1452@TK2MSFTNGP11.phx.gbl...

>>> If you need to write your own DPAPI library, this might help:
>>> [url]http://msdn.microsoft.com/security/securecode/dotnet/default.aspx?pull=/library/en-us/dnnetsec/html/SecNetHT08.asp[/url]
>>>
>>> DPAPI is only suitable for encrypting and decrypting stuff on the same
>>> machine. If you need to decrypt on a different machine, DPAPI is
>>> useless.
>>>
>>> This article explains how to encrypt and store the connection string in
>>> the registry:
>>> [url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod25.asp[/url]
>>>
>>> HTH,
>>> Svein Terje Gaup
>>>
>>> "Phil C." <charlestek@rcn.com> wrote in message
>>> news:OXd0npeAFHA.2076@TK2MSFTNGP15.phx.gbl...
>>>> Hi.
>>>>
>>>> I'd like to use an encrypted database connection string. I'd also like
>>>> use an encrypted set of customer tables with a symmetric algorithm (and
>>>> a secure symmetric key) generated by .Net in my sql server database
>>>> from asp.net code stored on a shared host asp.net server.
>>>>
>>>> I've downloaded a set of vb.net code that is a rewrite of the c# dpapi
>>>> code posted on msdn. The dpapi should enable me to encrypt the
>>>> connection string, but the portion of the code that calls the
>>>> encryption class and encrypts a given string is a console application.
>>>>
>>>> The article accompanying the code states: "Note that you'll need to run
>>>> the console application on the IIS server to generate the encrypted
>>>> base-64-encoded string. this is because the EncryptString function
>>>> instructs the DPAPI to use the machine-wide key, so the encryption and
>>>> ecryption will be valid only on the same machine.
>>>>
>>>> Since this is on a shared host thousands of miles away, and I don't
>>>> belive I can run any local console code on it,
>>>> does this mean I'm sunk????
>>>>
>>>> Basically I need some secure way of storing my encrypted connection
>>>> string and storing
>>>> my symmetric encryption key. I know how to write the code to use the
>>>> keys and algorithms to encrypt and decrypt things.
>>>>
>>>> I suppose I could hide bits and pieces of the each key
>>>> in different places in the code or database and append them together by
>>>> hardcoding, but
>>>> I believe that that could be discovered???? by dissassembling my code
>>>> unless I use a professional obfuscator???.
>>>>
>>>> HELP!
>>>>
>>>> --Insecure in Boston, MA
>>>> -->GO PATRIOTS!!!!!!!!!!!!!!!
>>>>
>>>
>>>

>>
>>

>
>

[Phil C.]

Thanks Dominick,

I think this ties in with Svein's last reply regarding creating a dll.
I will download it and try it.

Finding some answers to this question was difficult as I googled
considerably and looked
at a lot of .Net forums, but for some reason no one else seems to have
needed to document the answers.

Phil

"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:eYHB8DlAFHA.936@TK2MSFTNGP12.phx.gbl...

>i wrote a couple of DPAPI tools (extended the ms impl, a command line tool
>.. and a ASP.NET frontend) - just upload the single aspx file to the server
>and you can encrypt whatever strings you like with DPAPI...don't forget to
>secure that page (or better delete it when you are finished)
>
> download:
> [url]http://www.leastprivilege.com/PermaLink.aspx?guid=ebd9956e-a36c-4b57-8d58-6ff79a60e43f[/url]
>
>
>
> ---
> Dominick Baier - DevelopMentor
> [url]http://www.leastprivilege.com[/url]
>
>
> nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<OXd0npeAFHA.2076@TK2MSFTNGP15.phx.gbl>
>
> Hi.
>
> I'd like to use an encrypted database connection string. I'd also like use
> an encrypted set of customer tables with a symmetric algorithm (and a
> secure
> symmetric key) generated by .Net in my sql server database from asp.net
> code stored on a shared host asp.net server.
>
> I've downloaded a set of vb.net code that is a rewrite of the c# dpapi
> code posted on msdn. The dpapi should enable me to encrypt the connection
> string, but the portion of the code that calls the encryption class and
> encrypts a given string is a console application.
>
> The article accompanying the code states: "Note that you'll need to run
> the
> console application on the IIS server to generate the encrypted
> base-64-encoded string. this is because the EncryptString function
> instructs the DPAPI to use the machine-wide key, so the encryption and
> ecryption will be valid only on the same machine.
>
> Since this is on a shared host thousands of miles away, and I don't belive
> I can run any local console code on it,
> does this mean I'm sunk????
>
> Basically I need some secure way of storing my encrypted connection string
> and storing
> my symmetric encryption key. I know how to write the code to use the keys
> and algorithms to encrypt and decrypt things.
>
> I suppose I could hide bits and pieces of the each key
> in different places in the code or database and append them together by
> hardcoding, but
> I believe that that could be discovered???? by dissassembling my code
> unless
> I use a professional obfuscator???.
>
> HELP!
>
> --Insecure in Boston, MA
> -->GO PATRIOTS!!!!!!!!!!!!!!!
>
>
>
> [microsoft.public.dotnet.framework.aspnet.security]

[Phil C.]

Dominick,

The download link for your dpapi tools is not functional.
Could you please check the site and your zip file?

Thanks,

Phil



"Phil C." <charlestek@rcn.com> wrote in message
news:%23S4MGylAFHA.3472@TK2MSFTNGP14.phx.gbl...

> Thanks Dominick,
>
> I think this ties in with Svein's last reply regarding creating a dll.
> I will download it and try it.
>
> Finding some answers to this question was difficult as I googled
> considerably and looked
> at a lot of .Net forums, but for some reason no one else seems to have
> needed to document the answers.
>
> Phil
>
> "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
> wrote in message news:eYHB8DlAFHA.936@TK2MSFTNGP12.phx.gbl...

>>i wrote a couple of DPAPI tools (extended the ms impl, a command line tool
>>.. and a ASP.NET frontend) - just upload the single aspx file to the
>>server and you can encrypt whatever strings you like with DPAPI...don't
>>forget to secure that page (or better delete it when you are finished)
>>
>> download:
>> [url]http://www.leastprivilege.com/PermaLink.aspx?guid=ebd9956e-a36c-4b57-8d58-6ff79a60e43f[/url]
>>
>>
>>
>> ---
>> Dominick Baier - DevelopMentor
>> [url]http://www.leastprivilege.com[/url]
>>
>>
>> nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<OXd0npeAFHA.2076@TK2MSFTNGP15.phx.gbl>
>>
>> Hi.
>>
>> I'd like to use an encrypted database connection string. I'd also like
>> use
>> an encrypted set of customer tables with a symmetric algorithm (and a
>> secure
>> symmetric key) generated by .Net in my sql server database from asp.net
>> code stored on a shared host asp.net server.
>>
>> I've downloaded a set of vb.net code that is a rewrite of the c# dpapi
>> code posted on msdn. The dpapi should enable me to encrypt the connection
>> string, but the portion of the code that calls the encryption class and
>> encrypts a given string is a console application.
>>
>> The article accompanying the code states: "Note that you'll need to run
>> the
>> console application on the IIS server to generate the encrypted
>> base-64-encoded string. this is because the EncryptString function
>> instructs the DPAPI to use the machine-wide key, so the encryption and
>> ecryption will be valid only on the same machine.
>>
>> Since this is on a shared host thousands of miles away, and I don't
>> belive
>> I can run any local console code on it,
>> does this mean I'm sunk????
>>
>> Basically I need some secure way of storing my encrypted connection
>> string
>> and storing
>> my symmetric encryption key. I know how to write the code to use the keys
>> and algorithms to encrypt and decrypt things.
>>
>> I suppose I could hide bits and pieces of the each key
>> in different places in the code or database and append them together by
>> hardcoding, but
>> I believe that that could be discovered???? by dissassembling my code
>> unless
>> I use a professional obfuscator???.
>>
>> HELP!
>>
>> --Insecure in Boston, MA
>> -->GO PATRIOTS!!!!!!!!!!!!!!!
>>
>>
>>
>> [microsoft.public.dotnet.framework.aspnet.security]

>
>