May 25 2008

I can see your password

Category: Tips and Tricks — JoeGeeky @ 10:25

One area that is often overlooked in application security is the protection of information in configuration files, such as connection strings and application settings. The configuration file for any application can contain very sensitive information and therefore needs to be protected. Luckily for us, Microsoft thought about this and provided a simple mechanism to protect this type of information. This capability is not widely known, and the best part is that your application is completely unaware of the change, so you do NOT need to refactor code that reads configuration files. The solution lies in two method calls: ConfigurationSection.SectionInformation.ProtectSection(string), which takes the name of the protection provider, and ConfigurationSection.SectionInformation.UnprotectSection(). Since this is a native part of the configuration section base classes, any custom configuration sections you create can also benefit from this capability. Here is a simple example of how to implement this; you can get the details from MSDN.

Generally speaking you would implement this either as part of your application installation or your application startup routines depending on when you want the data to be secured. 

//Requires: using System.Configuration; (reference System.Configuration.dll)
Configuration appConfig;
appConfig = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
//Get an instance of the connectionStrings 
//configuration section
ConnectionStringsSection returnConfig;
returnConfig = (ConnectionStringsSection)appConfig.GetSection("connectionStrings");
//Protect the section if it is not already protected
if (!returnConfig.SectionInformation.IsProtected)
    returnConfig.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
//Write the change back to the configuration file
appConfig.Save();

Decrypting the configuration section is just as easy:

Configuration appConfig;
appConfig = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
//Get an instance of the connectionStrings 
//configuration section
ConnectionStringsSection returnConfig;
returnConfig = (ConnectionStringsSection)appConfig.GetSection("connectionStrings");
//Decrypt the protected section
if (returnConfig.SectionInformation.IsProtected)
    returnConfig.SectionInformation.UnprotectSection();
//Write the change back to the configuration file
appConfig.Save();

 

Microsoft has supplied a couple of out-of-the-box encryption providers, but if you want to create your own, you can. Here is an example implementation of a custom provider.

using System;
using System.Configuration;
using System.Xml;
/// <summary>
/// This class facilitates the encryption and 
/// decryption of configuration sections
/// </summary>
/// <remarks>For this to be used the Configuration 
/// Provider must first be registered in the 
/// consuming application's configuration file 
/// using the element named 
/// <c>configProtectedData</c>.
/// </remarks>
public sealed class MyProtectedConfigurationProvider 
    : ProtectedConfigurationProvider
{
    /// <summary>
    /// Encrypts the configuration section XML
    /// </summary>
    /// <param name="unencryptedNode">The configuration 
    /// section XML to be protected</param>
    /// <returns>The encrypted form of the configuration 
    /// file section XML</returns>
    /// <remarks>This should not be called directly.  
    /// This is called automatically by the 
    /// <c>ConfigurationSection.SectionInformation
    /// .ProtectSection()</c> method</remarks>
    /// <exception cref="ArgumentNullException">Thrown 
    /// when the supplied node is null</exception>
    public override XmlNode Encrypt(XmlNode unencryptedNode)
    {
        if (unencryptedNode == null) 
            throw new ArgumentNullException("unencryptedNode");
        // Encrypt(string) is a private helper that is not shown in this
        // listing; it must return text that is safe to embed in XML.
        string encryptedData = Encrypt(unencryptedNode.OuterXml);
        XmlDocument xmlDoc = new XmlDocument();
        xmlDoc.PreserveWhitespace = true;
        xmlDoc.LoadXml("<EncryptedData>" + encryptedData + "</EncryptedData>");
        return xmlDoc.DocumentElement;
    }
    /// <summary>
    /// Decrypts the configuration section XML
    /// </summary>
    /// <param name="encryptedNode">The configuration 
    /// section XML to be unprotected</param>
    /// <returns>The decrypted form of the configuration 
    /// file section XML</returns>
    /// <remarks>This should not be called directly.  
    /// This is called automatically by 
    /// the <c>ConfigurationSection.SectionInformation
    /// .UnprotectSection()</c> method</remarks>
    /// <exception cref="ArgumentNullException">Thrown 
    /// when the supplied node is null</exception>
    public override XmlNode Decrypt(XmlNode encryptedNode)
    {
        if (encryptedNode == null) 
            throw new ArgumentNullException("encryptedNode");
        // Decrypt(string) is the matching private helper, also not shown
        // in this listing.
        string decryptedData = Decrypt(encryptedNode.InnerText);
        XmlDocument xmlDoc = new XmlDocument();
        xmlDoc.PreserveWhitespace = true;
        xmlDoc.LoadXml(decryptedData);
        return xmlDoc.DocumentElement;
    }
}

To use your custom provider, you must first register it in the application's configuration file. You can then call it in the same way as the built-in providers, by passing its registered name to ProtectSection:

<configProtectedData>
    <providers>
        <clear />
        <add name="MyProtectedConfigurationProvider"
             type="MyProtectedConfigurationProvider, MyAssembly" />
    </providers>
</configProtectedData>
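
The custom provider listing in this post calls Encrypt(string) and Decrypt(string) helpers that it does not show. The following is an added example, not the author's code: a complete provider whose string helpers use Windows DPAPI (ProtectedData). The use of DPAPI, the class name, the helper names and the entropy value are all assumptions, and the two overrides are repeated so that the class compiles on its own (reference System.Configuration.dll and System.Security.dll).

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Xml;

// Added example, not the post's code. Class name, helper names, entropy value
// and the choice of DPAPI for the string helpers are assumptions.
public sealed class DpapiBackedConfigurationProvider : ProtectedConfigurationProvider
{
    // CurrentUser: only the Windows account that protected the section can
    // unprotect it, so run ProtectSection under the application's own account.
    private const DataProtectionScope Scope = DataProtectionScope.CurrentUser;
    // Constructed sample value. Not a secret key: it only separates these
    // blobs from other DPAPI data created by the same account.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("constructed-sample-entropy");

    public override XmlNode Encrypt(XmlNode node)
    {
        if (node == null) throw new ArgumentNullException("node");
        // Base64 has no XML metacharacters, so this concatenation is safe.
        return Load("<EncryptedData>" + ProtectString(node.OuterXml) + "</EncryptedData>");
    }

    public override XmlNode Decrypt(XmlNode encryptedNode)
    {
        if (encryptedNode == null) throw new ArgumentNullException("encryptedNode");
        return Load(UnprotectString(encryptedNode.InnerText));
    }

    private static XmlNode Load(string xml)
    {
        XmlDocument doc = new XmlDocument();
        doc.PreserveWhitespace = true;
        doc.LoadXml(xml);
        return doc.DocumentElement;
    }

    private static string ProtectString(string clearText)
    {
        byte[] blob = ProtectedData.Protect(Encoding.UTF8.GetBytes(clearText), Entropy, Scope);
        return Convert.ToBase64String(blob);
    }

    private static string UnprotectString(string base64)
    {
        // Throws CryptographicException if the blob was modified or was
        // protected by a different account or on a different machine.
        byte[] clear = ProtectedData.Unprotect(Convert.FromBase64String(base64.Trim()), Entropy, Scope);
        return Encoding.UTF8.GetString(clear);
    }
}
```

Register it under configProtectedData in the same way as MyProtectedConfigurationProvider, then pass the registered name to ProtectSection. Because the DPAPI key is tied to the account and machine, a configuration file protected this way cannot be copied to another server and decrypted there.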
