
When encrypting ("protecting") Microsoft config sections, you get something that looks like the XML below. It follows (at least partially) the W3 spec for XML Encryption.

However, in the XML below you'll see that the EncryptionMethod under the EncryptedData section is "tripledes-cbc". We would like to be able to change that to a more-secure alternative, specifically AES, which is specified in the aforementioned W3 spec as well.

In many calls with Microsoft's support engineers, they are nowhere near understanding the question, much less answering it. Is there a way to change this encryption method?

I forgot to mention earlier that we are currently set to RsaProtectedConfigurationProvider, but only the key appears to be encrypted with RSA, whereas the data is encrypted with 3DES.

<MiscCryptoData configProtectionProvider="someConfigProtectionProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>asf78ag78asg...cryptoyadayada...asdf8r=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>zxcv6asdf35...largercryptoyadayada...u7i8o9p=</CipherValue>
    </CipherData>
  </EncryptedData>
</MiscCryptoData>
GaTechThomas

2 Answers


You probably want to build a custom ProtectedConfigurationProvider. See Implementing a Protected Configuration Provider and How to: Build and Run the Protected Configuration Provider Example.

sisve
  • Thanks for the answer. I have looked into the custom provider, and while we can do it, we would prefer to be able to specify an alternative in the config file without a custom provider. At this point, I would just like to know whether the EncryptedData section will EVER be anything other than tripledes-cbc if we use the standard providers. – GaTechThomas Jan 26 '11 at 01:25
  • There are only two providers in a default installation of .NET, RsaProtectedConfigurationProvider (the one you currently use) and DpapiProtectedConfigurationProvider. The latter uses ProtectedData and can be machine-specific or user-specific. – sisve Jan 26 '11 at 04:24

I've just checked RsaProtectedConfigurationProvider with Reflector, and as far as I found out, there is nothing you can do to change tripledes-cbc to anything else.

So you have to write your own ProtectedConfigurationProvider if you want to use AES encryption. You may want to use the Reflector to give you a good start.

Regent
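Both answers arrive at the same conclusion: the built-in provider is fixed to tripledes-cbc, and switching the section cipher means writing a ProtectedConfigurationProvider of your own. The class below is an added example, not code from either answer or from Microsoft's provider sample. It keeps the layout shown in the question's XML (an RSA-wrapped session key inside KeyInfo/EncryptedKey, the section body in CipherData) but writes `aes256-cbc` as the EncryptionMethod of EncryptedData, using the same System.Security.Cryptography.Xml classes the framework provider relies on. The class name, the `keyContainerName` and `useOAEP` attributes and the default container name are assumptions of this example; `useOAEP` mirrors the option the built-in RSA provider exposes, since rsa-1_5 (the key-transport method in the question's XML) is the alternative it would otherwise default to.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not from the answers above or from Microsoft's sample):
// a ProtectedConfigurationProvider that keeps the RSA-wrapped session-key
// layout of RsaProtectedConfigurationProvider but encrypts the section body
// with AES-256-CBC instead of tripledes-cbc. Class name, provider attributes
// and the default key container name are assumptions.
public sealed class AesRsaProtectedConfigurationProvider : ProtectedConfigurationProvider
{
    // Name written into <KeyName> and used to look the RSA key up on decrypt.
    private const string RsaKeyName = "Rsa Key";

    private string _keyContainerName;
    private bool _useOaep;

    // Reads the attributes of the <add .../> element that registers the provider.
    public override void Initialize(string name, NameValueCollection config)
    {
        base.Initialize(name, config);
        _keyContainerName = config["keyContainerName"] ?? "AesRsaProviderKeys";
        _useOaep = string.Equals(config["useOAEP"], "true", StringComparison.OrdinalIgnoreCase);
    }

    // Opens (or creates) the persisted RSA key pair in the machine key store.
    private RSACryptoServiceProvider OpenRsaKey()
    {
        var csp = new CspParameters
        {
            KeyContainerName = _keyContainerName,
            Flags = CspProviderFlags.UseMachineKeyStore
        };
        return new RSACryptoServiceProvider(csp);
    }

    // Encrypt: fresh AES-256 key and IV per section, body encrypted with AES-CBC,
    // key wrapped with RSA and placed under <KeyInfo><EncryptedKey>.
    public override XmlNode Encrypt(XmlNode node)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(node.OuterXml);

        using (var aes = Aes.Create())
        using (var rsa = OpenRsaKey())
        {
            aes.KeySize = 256;
            aes.GenerateKey();
            aes.GenerateIV();

            var exml = new EncryptedXml(doc);
            byte[] cipherBody = exml.EncryptData(doc.DocumentElement, aes, false);
            byte[] wrappedKey = EncryptedXml.EncryptKey(aes.Key, rsa, _useOaep);

            var encryptedKey = new EncryptedKey
            {
                EncryptionMethod = new EncryptionMethod(
                    _useOaep ? EncryptedXml.XmlEncRSAOAEPUrl : EncryptedXml.XmlEncRSA15Url),
                CipherData = new CipherData(wrappedKey)
            };
            encryptedKey.KeyInfo.AddClause(new KeyInfoName(RsaKeyName));

            var encryptedData = new EncryptedData
            {
                Type = EncryptedXml.XmlEncElementUrl,
                EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url),
                CipherData = new CipherData(cipherBody)
            };
            encryptedData.KeyInfo.AddClause(new KeyInfoEncryptedKey(encryptedKey));

            // Swap the plaintext section element for the <EncryptedData> element.
            EncryptedXml.ReplaceElement(doc.DocumentElement, encryptedData, false);
        }

        return doc.DocumentElement;
    }

    // Decrypt: the framework hands us the <EncryptedData> element; registering
    // the RSA key under its <KeyName> lets DecryptDocument unwrap the AES key.
    public override XmlNode Decrypt(XmlNode encryptedNode)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<wrapper>" + encryptedNode.OuterXml + "</wrapper>");

        using (var rsa = OpenRsaKey())
        {
            var exml = new EncryptedXml(doc);
            exml.AddKeyNameMapping(RsaKeyName, rsa);
            exml.DecryptDocument();
        }

        return doc.DocumentElement.FirstChild;
    }
}
```

To use it, register the class under `<configProtectedData><providers>` with an `<add name="AesRsaProvider" type="..., YourAssembly" keyContainerName="..." useOAEP="true" />` element and pass that name to `aspnet_regiis -pe <section> -prov AesRsaProvider`; sections protected this way then show `aes256-cbc` in the EncryptedData element while the EncryptedKey element keeps the RSA method. Note that, exactly as with the built-in provider, XML Encryption in this form carries no integrity check on the ciphertext, so file permissions on the config and on the RSA key container remain the controls that keep the section from being tampered with.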