3

I'm trying to encrypt the connection string on a windows app that's distributed on several servers (similar to a web farm, I'd think). The connection string is actually in a separate file called "ConnectionStrings.config" I'm doing this as a remote desktop login using my domain/user account, which currently has admin privileges.

  1. Reference my Connection Strings to an external file "ConnectionStrings.config"

    <connectionStrings configSource="ConnectionStrings.config"/>

  2. Copy ConnectionStrings.config to new file called web.config

  3. Add the open and close <configuration> tags
  4. Add the <configProtectedData> section

  5. Now my web.config looks like this:

    <!-- This file contains the connection string referenced by the app.config file --> <configuration> <configProtectedData> <providers> <add keyContainerName="SecurityKeys" useMachineContainer="false" description="Uses RsaCryptoServiceProvider to encrypt and decrypt" name="AppEncryptionProvider" type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers> </configProtectedData> <connectionStrings> <add name="MyConnectionString" connectionString="Data Source=MyServer; Initial Catalog=MyDatabase;Persist Security Info=True;User ID=**MyId**;Password=**MyPwd**" providerName="System.Data.SqlClient" /> </connectionStrings> </configuration>

  6. Create the container in admin console

    E:\Program Files\MyApplication>aspnet_regiis -pc "SecurityKeys" -exp Microsoft (R) ASP.NET RegIIS version 4.0.30319.18408 Administration utility to install and uninstall ASP.NET on the local machine. Copyright (C) Microsoft Corporation. All rights reserved. Creating RSA Key container... Succeeded!

  7. Encrypt the web.config in admin console

    E:\Program Files\MyApplication>aspnet_regiis -pef "connectionStrings" "." -prov "AppEncryptionProvider" Microsoft (R) ASP.NET RegIIS version 4.0.30319.18408 Administration utility to install and uninstall ASP.NET on the local machine. Copyright (C) Microsoft Corporation. All rights reserved. Encrypting configuration section... Succeeded!

  8. Move the section back to the applications config file.

  9. Copy the encrypted section back to the ConnectionStrings.config file:

    <connectionStrings configProtectionProvider="AppEncryptionProvider"> <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#"> <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" /> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#"> <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <KeyName>Rsa Key</KeyName> </KeyInfo> <CipherData> <CipherValue>**crazyencryptionstring!**</CipherValue> </CipherData> </EncryptedKey> </KeyInfo> <CipherData> <CipherValue>**anothercrazystring!**</CipherValue> </CipherData> </EncryptedData> </connectionStrings>

  10. Run the application - NO PROBLEMS!!!!

  11. Export the keys in admin console

    E:\Program Files\MyApplication>aspnet_regiis -px "SecurityKeys" ".\SecurityKeys.xml" -pri Microsoft (R) ASP.NET RegIIS version 4.0.30319.18408 Administration utility to install and uninstall ASP.NET on the local machine. Copyright (C) Microsoft Corporation. All rights reserved. Exporting RSA Keys to file... Succeeded!

  12. Copy the key file to another server with the app.

  13. Import the key in admin console

    E:\Program Files\MyApplication>aspnet_regiis -pi "SecurityKeys" "SecurityKeys.xml" Microsoft (R) ASP.NET RegIIS version 4.0.30319.18408 Administration utility to install and uninstall ASP.NET on the local machine. Copyright (C) Microsoft Corporation. All rights reserved. Importing RSA Keys from file.. Succeeded!

  14. Copy the new ConnectionStrings.config file which, I thought, would use the imported key

  15. Run the application (same login as when I did the import) - UGH, Failed

    Failed to decrypt using provider 'AppEncryptionProvider'. Error message from the provider: The RSA key container could not be opened. (E:\Program Files\MyApplication\ConnectionStrings.config line 4)

  16. Run the application as Administrator - Failed same result.

  17. Change permissions to be very open

    E:\Program Files\MyApplication>aspnet_regiis -pa "SecurityKeys" "EVERYONE" -full Microsoft (R) ASP.NET RegIIS version 4.0.30319.18408 Administration utility to install and uninstall ASP.NET on the local machine. Copyright (C) Microsoft Corporation. All rights reserved. Adding ACL for access to the RSA Key container... Succeeded!

  18. Run it and .... same issue

  19. Ask SO for help!

MORE INFO

OK, perhaps this output from ProcMon will give further insight to someone to help me. I've added some filtering and compared the working non-encrypted version to the crashing encrypted version. The filters are set to Include only my application and Exclude any of the following results:

  1. Success

  2. Name Not Found

  3. End of File

  4. Reparse

  5. File locked with only readers

  6. Buffer Overflow.

This is what I'm left with - all crypto stuff!!! Obviously, dm0747 is me and the application has files in E:\POWERWeb\General

enter image description here

fldavem
  • 145
  • 1
  • 1
  • 10

0 Answers0