Could somebody please do a rundown of how to programmatically encrypt a config-file in .NET, preferably in C#.
What I would like to do is do some kind of check on an application's startup to see if a section is unprotected, and if it is, then encrypt it. This for both settings and connection-strings.
Also if anyone could list the types of encryption-providers and what is the difference between them.
I don't know if the code for doing this in a normal WinForms-application is transparent to doing this in ASP.NET.
To summarize the answers and what I've found so far, here are some good links to answer this question:
Encrypting Configuration Information in ASP.NET 2.0 Applications - 4GuysFromRolla.com
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI - MSDN
Please feel free to complement with other links, maybe some to WinForms- or WPF-applications.
There is a good article from 4 guys about Encrypting Configuration Information in ASP.NET 2.0 Applications
Hope this helps
The solution at below site working fine for me.
http://www.a2zmenu.com/Blogs/CSharp/How-to-encrypt-configuration-file.aspx
#TK: a hashing algo can only be 'guessed', not reverse engineered. One can only reconstruct the input to a hash value by completely guessing the input (apart from collisions, that is) This can be done by a rainbow crack for example (see an implementation of a rainbow cracker here)
I would say that a 3rd party encryption tool is not safer than the .NET framework encryption algorithms, these libraries just help you doing your job faster
I haven't used it myself, but the Microsoft Enterprise library has good encryption support that will possibly suit your needs:
http://msdn.microsoft.com/en-us/library/cc309503.aspx
Related
The question about storing connection string in safest way.
My current approach (Don't laugh)
1. Wrote RSAEncryption program and passed connection string to generate cypher.
2. Stored Cypher and private key in Resource file
3. Runtime retrieved encryption file again.
My concern of using config file
- I am creating library so projects who will use my dll will need to copy my config file which I dont want
Please tell me best practice to store connection string inside the dll.
Regards,
Omkar
There is a built in mechanism in .NET to encrypt sections of config. The beauty is you can use DPAPI and have the machine itself create the key, so nobody knows what it is except Windows. The best thing is you get this pretty much for free (small learning curve) and the learning curve is easily handled with a quick Google search on encrypting configuration files. May not fit all scenarios, but it is more likely to be secure than a quickly envisioned alternative.
The only issue here is if this is shrinkwrap ware (ie, you are selling software), but there are ways to handle that by having the install require network and adding the bits they can't know while you encrypt only go into memory during install. :-)
I am in need of a PGP service for .NET that will provide the following:
Encryption/decryption of files provided as byte arrays and/or streams (e.g. writing to hard drive and having the service read it is unacceptable)
Use of arbitrary keys passed in as byte arrays and/or streams
Needs to work for a headless service running on a server with nobody watching it (no modal popups or user input required)
We've felt out a couple of products but not been totally pleased with how any of them worked. Are there any suggestions? Thanks!
It's hard to guess what you could try as there are not much OpenPGP implementations for .NET. Namely, OpenPGPBlackbox package of our SecureBlackbox product is the only comprehensive self-contained implementation for .NET (BouncyCastle offers something as well, but they seem to be limited to older RFC 2440). You are welcome to check OpenPGPBlackbox and if you have problems with it, contact our technical support as described on product pages.
I want to hide app.config. There are some things like webservice address that shouldn't be visible to user. Maybe it`s some way to put this config in resources?
Thanks
I think that encrypting app/web config would be a better option.
See this topic for more info Encrypting appSettings in web.config
Also codeproject has a plenty of articles.
To the user of the code? To the application user? This question is very generalized and not specific.
Try to figure out whether the settings in your app.config file can be applied programmatically.
The most settings in the .NET framework can be used declarative and programmatically.
If you are really concerned about end-users snooping into the configuration details of your program, it will be very hard to hide such information (even if it's contained in code since it can be reverse compiled using tools like Reflector). You can only make it harder by applying some encryption scheme, like obfuscation that encrypts the internal string table of your assembly. Then again, it's easy to use a packet sniffer tool to obtain the remote URI your program is communicating with.
I want to work on the Rijndael algorithm using C#. Can anybody help me with this please?
I'm assuming you mean the Rijndael encryption algorithm - in which case RinjdaelManaged would be of use. The MSDN documentation (previous link) has examples, or there are lots of other references, for example see here.
I see (comments to other reply) that you are looking at implementing this yourself... some thoughts:
don't
why?
don't
Unless this is purely for interest, stick to the existing implementation. It will eat time, and potentially introduce security weaknesses. I can't think of a good reason to rewrite this.
sorry guys, but I just can not resist
from http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html
If you just need a working implementation check out the Rijndael Documentation on MSDN. The Rijndael implementation looks pretty convenient to interface with.
It's of course a different story if you are trying implement it yourself.
I am looking into the same that as per brian.
But the problem here is that all the rijndael samples available in the net are mostly using a Text File but is there any way of doing it in a Online Mode where when i get the data in the text box i convert it and put directly in to the database.
Any Hints on this would be much better and all the samples are defining the key from the Rijndael class itself, can't we provide the Key of our own.
cheers
Biju
Could somebody please do a rundown of how to programmatically encrypt a config-file in .NET, preferably in C#.
What I would like to do is do some kind of check on an application's startup to see if a section is unprotected, and if it is, then encrypt it. This for both settings and connection-strings.
Also if anyone could list the types of encryption-providers and what is the difference between them.
I don't know if the code for doing this in a normal WinForms-application is transparent to doing this in ASP.NET.
To summarize the answers and what I've found so far, here are some good links to answer this question:
Encrypting Configuration Information in ASP.NET 2.0 Applications - 4GuysFromRolla.com
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI - MSDN
Please feel free to complement with other links, maybe some to WinForms- or WPF-applications.
There is a good article from 4 guys about Encrypting Configuration Information in ASP.NET 2.0 Applications
Hope this helps
The solution at below site working fine for me.
http://www.a2zmenu.com/Blogs/CSharp/How-to-encrypt-configuration-file.aspx
#TK: a hashing algo can only be 'guessed', not reverse engineered. One can only reconstruct the input to a hash value by completely guessing the input (apart from collisions, that is) This can be done by a rainbow crack for example (see an implementation of a rainbow cracker here)
I would say that a 3rd party encryption tool is not safer than the .NET framework encryption algorithms, these libraries just help you doing your job faster
I haven't used it myself, but the Microsoft Enterprise library has good encryption support that will possibly suit your needs:
http://msdn.microsoft.com/en-us/library/cc309503.aspx