App.Config - Enterprise Library - Security Issues

Hi guys,

I am just trying to educate myself on the usage of the Cryptography Application Block from the Enterprise Library. When you select a symmetric algorithm and then define a key file using the Enterprise Library EXE, it modifies the contents of your application's app.Config file.

When examining the app.Config file, I can tell the name of the symmetric algorithm used and the location of the keyfile.

Forgive my noob understanding, but doesn't this pose a security risk, since the location and the name of the symmetric algorithm are presented in clear text?

How does one go about protecting this type of sensitive information within the app.config file?

Is there an Enterprise Library method that I could use to encrypt this section of the app.config file?

My last question: how does one use ConfigurationManager to extract the value of the SymmetricProvider key in the app.config file?

Any feedback will be appreciated.
Thanks
V



  • CodeDjinn

    Whoever reads this post: well, the above method works fine when encrypting Enterprise Library related sections within the app.config file. I have to say I am surprised to see it actually works. I wrote a small program which uses the Cryptography Application Block, and it embedded the securityCryptographyConfiguration section within the app.config. I used the above code to encrypt the securityCryptographyConfiguration section. My application seems to locate the key file and decrypt my data.

    David Hayden is a legend.

  • julien talois

    Anyone?

  • kumarpavan

    Well, it's been a while since I visited this problem. Today I was browsing through CodePlex and decided to pay David Hayden's blog a visit. Behold, he had an archived blog that answered my question. Essentially, within the Configuration class there is a method that can encrypt certain sections of an app.config file. Here is the code snippet from his blog, in case one day that page disappears.

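        // Requires: using System.Configuration; (reference System.Configuration.dll)

        // Open the config file of the running executable.
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section != null)
        {
            if (!section.IsReadOnly())
            {
                // Encrypt the section in place with the built-in RSA provider.
                section.SectionInformation.ProtectSection(
                    "RsaProtectedConfigurationProvider");
                // Write the section back even though its values did not change.
                section.SectionInformation.ForceSave = true;

                config.Save(ConfigurationSaveMode.Full);
            }
        }

    Here is the link: http://codebetter.com/blogs/david.hayden/archive/2006/03/11/140659.aspx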

    However, if an Enterprise Library section within the app.config file is encrypted, how Enterprise Library reacts, I have no idea. Unless before you make calls to the Enterprise Library routines you decrypt it, then after using it encrypt it... too much of a hassle.

    I hope this helps someone.
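
Added example, not part of the thread or of David Hayden's blog: the same ProtectSection call applied to the securityCryptographyConfiguration section, made safe to run repeatedly, followed by a check that the section is encrypted on disk and still loads without a manual decrypt step. The names ConfigSectionProtector and EnsureProtected are hypothetical; the code assumes the application references Enterprise Library (so the section's handler type can load) and can write to its own .config file.

```csharp
using System;
using System.Configuration;

// Hypothetical helper, written for this illustration only.
static class ConfigSectionProtector
{
    // Provider name used in the snippet above.
    const string Provider = "RsaProtectedConfigurationProvider";

    // Encrypts one section of the running EXE's config file if it is still
    // in clear text. Returns true when the section is protected on disk.
    public static bool EnsureProtected(string sectionName)
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ConfigurationErrorsException("Section not found: " + sectionName);

        SectionInformation info = section.SectionInformation;
        if (!info.IsProtected)                 // skip if already encrypted
        {
            if (info.IsLocked || section.IsReadOnly())
                return false;                  // cannot modify; still clear text
            info.ProtectSection(Provider);
            info.ForceSave = true;             // write even though values are unchanged
            config.Save(ConfigurationSaveMode.Full);
        }

        // Drop the cached copy and re-read the file to confirm what is on disk.
        ConfigurationManager.RefreshSection(sectionName);
        ConfigurationSection check = ConfigurationManager
            .OpenExeConfiguration(ConfigurationUserLevel.None)
            .GetSection(sectionName);
        return check != null && check.SectionInformation.IsProtected;
    }

    static void Main()
    {
        const string name = "securityCryptographyConfiguration";
        Console.WriteLine(EnsureProtected(name)
            ? "Section is encrypted on disk."
            : "Section is still in clear text.");

        // The configuration system decrypts protected sections when they are
        // read, so callers get the typed section object as before.
        object settings = ConfigurationManager.GetSection(name);
        Console.WriteLine(settings == null
            ? "Section did not load."
            : "Loaded as " + settings.GetType().Name);
    }
}
```

By default the RSA provider uses a machine-level key container, so a config file protected this way decrypts only on the machine where it was encrypted. The key file that the section points to is not covered by this and still needs its own file permissions.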


  • Todd Biggs - Windows Live

    The patterns & practices community will probably be better able to answer this:

    http://www.codeplex.com/entlib/Thread/List.aspx?TagName=Cryptography%20Application%20Block

    Thanks.

