Why hackers can decrypt my encrypted Connection String in web.config (C#) - asp.net

My application is on shared hosting. I've encrypted my Connection String programmatically to make it secure. However, the hacker is still able to decrypt the encrypted Connection String, adding scripts into the DB.
Just wondering if there is a way to solve this problem? Many thanks !!!

.NET vulnerability discovered last September.
Make sure your .NET is up to date!

If the hacker gains control over your server, he can do anything your code can do. Can your code decrypt the Connection String? (apparently yes) Then he can do it, too.

Related

Implement same Encryption and Decryption Technique in SQL Server as implemented in ASP.Net

I created two methods, Encrypt() and Decrypt(), in my Web Application for encrypting and decrypting data.
Now, I want to use the same technique in my SQL Server Database for decrypting data.
Can anyone tell me how it is possible?
Please help!!
Thanks,
Rahul
Even though it is theoretically possible to load your functions as SQLCLR, you will get key management wrong. Use SQL Server cryptographic functions and discard everything you wrote yourself. Use a proper key hierarchy.

Is it safe to write connection string in web.config?

Is it safe to write a connection string in web.config in an ASP.NET application?
The application will be using 2 databases and I think the connection string can be retrieved easily.
Can anyone please suggest a secure place (web.config or other file) for writing the connection string except encrypting it?
Web.config is the right place for this. You can encrypt the connection string if that's a concern for you. Encrypting the connection string in Web.config is already supported in ASP.NET and it seems that you already know that...
Link for reference.
If your worry is the outside "hackers" stealing your web.config file, then it doesn't make a difference where you store it, since if they have access to the web.config file, they probably have access to any other location where you may store the CS anyways.
If on the other hand you want to protect from an internal threat, then try saving it into a separate file (even a simple text file will do) and give that file special access permissions that only allow you and the application access and no one else. Also, you may be able to do the same thing with web.config itself.

Asp.net Webpart Manager Connection String Encryption

I am using personalization in my asp.net application. Personalization uses a connection string that it specifies in the web.config file.
Now my ConnectionStrings section is protected and hence encrypted.
Everything else works fine without a single line of code to decrypt the connection string. But my Webpart Manager fails.
Somehow it is not able to decrypt the connection string. Now is there anywhere in the configuration manager or code that I can tell the Webpart Manager that the connection string is encrypted and that it needs to be decrypted using x encryption provider?
Please advise.
Thanks.
I just found out the answer to this question.
I was encrypting the connection string programmatically at runtime if it was not already encrypted.
We are three developers writing code. It was not running because I was encrypting it on my machine and checking it in and then the other developers couldn't decrypt it. It turns out it uses a machine specific key to encrypt it and can be decrypted only on that machine.
So if I keep a decrypted connection string in my web.config and run the code all the webparts will load correctly and everything because it would encrypt it at runtime on my machine and hence be able to decrypt it as well.
This problem won't arise in production because we will deploy the encryption code along with the un-encrypted web.config and then run the code. Once encrypted there, it will be able to decrypt it.
Thanks anyways...
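The behaviour described in the answers above, as an added example that is not part of the original posts: protecting the connectionStrings section with the built-in DPAPI provider and reading it back. It assumes .NET Framework on Windows with a reference to System.Configuration; the temp file name and the connection string are constructed for the demo.

```csharp
using System;
using System.Configuration;
using System.IO;

static class ConnectionStringProtectionDemo
{
    // Constructed sample config; the server and database names are placeholders.
    const string SampleConfig = @"<?xml version=""1.0""?>
<configuration>
  <connectionStrings>
    <add name=""Main"" connectionString=""Server=db.example.invalid;Database=app;Integrated Security=true"" />
  </connectionStrings>
</configuration>";

    static Configuration Open(string path)
    {
        var map = new ExeConfigurationFileMap { ExeConfigFilename = path };
        return ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
    }

    static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "protect-demo.config");
        File.WriteAllText(path, SampleConfig);

        // Encrypt the section in place. The DPAPI provider ties the ciphertext to
        // this machine, so a file encrypted here and checked in fails elsewhere.
        Configuration cfg = Open(path);
        ConfigurationSection section = cfg.GetSection("connectionStrings");
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            section.SectionInformation.ForceSave = true;
            cfg.Save(ConfigurationSaveMode.Modified);
        }

        // On disk the plaintext is gone...
        bool plaintextOnDisk = File.ReadAllText(path).Contains("db.example.invalid");
        Console.WriteLine("plaintext visible in file: " + plaintextOnDisk);

        // ...but code running on this machine gets it back through the normal
        // configuration API with no key handling, which is why the protection
        // only covers the file at rest and not a compromised application.
        string recovered = Open(path).ConnectionStrings.ConnectionStrings["Main"].ConnectionString;
        Console.WriteLine("read back through the API: " + recovered);

        File.Delete(path);
    }
}
```

When several machines must read the same encrypted file, the RsaProtectedConfigurationProvider with a key container created as exportable and moved with aspnet_regiis (-px to export, -pi to import) is the usual alternative to the machine-bound DPAPI provider.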

Exchanging Symmetric Keys

I have a WinForms client that is sending encrypted data to a web service. The WinForms client creates a Symmetric RijndaelManaged sessionKey and also has a "hard-coded RSA asymmetric public key".
I am using the EncryptedXml class which makes it really easy to package up my data.
The Web Service has both the private and public keys "hardcoded" and can successfully decrypt the SessionKey and then use it to decrypt the actual data I am sending.
This is pretty much handled automatically by the EncryptedData class.
The problem I am having is that on the Web Service end when I want to reply, I can't seem to figure out how to get the SessionKey that was sent over.
Before I do any decrypting on the Web Service side, I can see the encrypted session key, but after I decrypt the XML, it's gone (and therefore I don't have any session keys for my reply).
Any ideas how I can get this unencrypted key?
The reason that you cannot see the session key is that it is automatically decrypted and used. Normally it is considered part of the XML. If you want to get at it, just use
EncryptedXml.DecryptEncryptedKey
And you should be alright. Note that for all the less important security warnings, the code represented here is vulnerable to both man in the middle attacks and to a lesser extent to padding oracle attacks. It should help against most eavesdropping attempts though.
Finally, reusing a session key is considered pretty bad security practice too. If you reuse it, at least consider using an IV, e.g. a counter for each followup message.

Is it worth encrypting files being stored on a server for distribution?

I'm creating a site for distributing software to clients. We're implementing lots of security bells and whistles on it to reassure the clients that software they're running won't have been tampered with.
I'm toying with the idea of encrypting the files we upload to the server, but I'm not sure if there's much point considering the overhead it entails. The files are decrypted anyway when being transmitted to the client. As well as this, if a hacker gets into the server and replaces the encrypted files, they can also change any hashes we made of the files to check they haven't been manipulated.
So... is it worth encrypting the uploaded files?
You should sign rather than encrypt your files.
When using PKI, it is the act of encrypting (or encrypting a hash of) your file with your private key, instead of doing so with the receiver's public key.
Then everybody that downloads the file can verify that the file was not tampered with.
File encryption is useful when either you share a secret with your receivers, or that you have their public key available. Typically it is not useful in case of file distribution as you describe it.
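The signing approach from the answer above, as an added example that is not part of the original posts: the publisher signs the release and the client verifies it against a public key it already holds, so replacing both the file and its hash on the server is detected. It assumes .NET 6 or later; the key pair is generated in-process for the demo and the file contents are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class ReleaseSigningDemo
{
    // Publisher side: runs where the private key lives, not on the download server.
    static byte[] Sign(byte[] file, RSA privateKey) =>
        privateKey.SignData(file, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);

    // Client side: needs only the publisher's public key, shipped with the client.
    static bool Verify(byte[] file, byte[] signature, RSAParameters publisherPublicKey)
    {
        using RSA rsa = RSA.Create();
        rsa.ImportParameters(publisherPublicKey);
        return rsa.VerifyData(file, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
    }

    static void Main()
    {
        // Demo key pair generated in-process (assumption for the example).
        using RSA publisherKey = RSA.Create(3072);
        RSAParameters pinnedPublicKey = publisherKey.ExportParameters(false);

        byte[] release = Encoding.UTF8.GetBytes("constructed sample: installer bytes, version 1.0");
        byte[] signature = Sign(release, publisherKey);

        // Someone with write access to the server replaces the file. They can
        // recompute a stored hash, or sign with a key of their own, but cannot
        // produce a signature that verifies under the pinned public key.
        byte[] replaced = Encoding.UTF8.GetBytes("constructed sample: installer bytes, modified");
        using RSA otherKey = RSA.Create(3072);
        byte[] otherSignature = Sign(replaced, otherKey);

        Console.WriteLine("original file, original signature: " + Verify(release, signature, pinnedPublicKey));
        Console.WriteLine("replaced file, original signature: " + Verify(replaced, signature, pinnedPublicKey));
        Console.WriteLine("replaced file, re-signed with another key: " + Verify(replaced, otherSignature, pinnedPublicKey));
    }
}
```

The check only holds if the client gets the public key from somewhere other than the server that hosts the files, for example compiled into the client or its updater.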
I will answer with a question: what is the point in encrypting files on the server when you don't have any control over what the clients will do with the decrypted versions anyway?
Oh security.
How can the client be sure they're talking to the correct server?
How can the server be sure they're talking to a legal client?
How can the user be sure they're not using a compromised client, etc.?
Is the server in your custody or is it a shared server? How volatile is the data, and is data theft an acceptable risk or not?
Please expand on your current situation. Do you use encrypted communication? Is the communication over internal or external lines? Do you trust the server support team?
