Could somebody please do a rundown of how to programmatically encrypt a config-file in .NET, preferably in C#.
What I would like to do is do some kind of check on an application's startup to see if a section is unprotected, and if it is, then encrypt it. This for both settings and connection-strings.
Also if anyone could list the types of encryption-providers and what is the difference between them.
I don't know if the code for doing this in a normal WinForms-application is transparent to doing this in ASP.NET.
To summarize the answers and what I've found so far, here are some good links to answer this question:
Encrypting Configuration Information in ASP.NET 2.0 Applications - 4GuysFromRolla.com
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI - MSDN
Please feel free to complement with other links, maybe some to WinForms- or WPF-applications.
There is a good article from 4 guys about Encrypting Configuration Information in ASP.NET 2.0 Applications
Hope this helps
The solution at below site working fine for me.
http://www.a2zmenu.com/Blogs/CSharp/How-to-encrypt-configuration-file.aspx
#TK: a hashing algo can only be 'guessed', not reverse engineered. One can only reconstruct the input to a hash value by completely guessing the input (apart from collisions, that is) This can be done by a rainbow crack for example (see an implementation of a rainbow cracker here)
I would say that a 3rd party encryption tool is not safer than the .NET framework encryption algorithms, these libraries just help you doing your job faster
I haven't used it myself, but the Microsoft Enterprise library has good encryption support that will possibly suit your needs:
http://msdn.microsoft.com/en-us/library/cc309503.aspx
Related
Could somebody please do a rundown of how to programmatically encrypt a config-file in .NET, preferably in C#.
What I would like to do is do some kind of check on an application's startup to see if a section is unprotected, and if it is, then encrypt it. This for both settings and connection-strings.
Also if anyone could list the types of encryption-providers and what is the difference between them.
I don't know if the code for doing this in a normal WinForms-application is transparent to doing this in ASP.NET.
To summarize the answers and what I've found so far, here are some good links to answer this question:
Encrypting Configuration Information in ASP.NET 2.0 Applications - 4GuysFromRolla.com
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI - MSDN
Please feel free to complement with other links, maybe some to WinForms- or WPF-applications.
There is a good article from 4 guys about Encrypting Configuration Information in ASP.NET 2.0 Applications
Hope this helps
The solution at below site working fine for me.
http://www.a2zmenu.com/Blogs/CSharp/How-to-encrypt-configuration-file.aspx
#TK: a hashing algo can only be 'guessed', not reverse engineered. One can only reconstruct the input to a hash value by completely guessing the input (apart from collisions, that is) This can be done by a rainbow crack for example (see an implementation of a rainbow cracker here)
I would say that a 3rd party encryption tool is not safer than the .NET framework encryption algorithms, these libraries just help you doing your job faster
I haven't used it myself, but the Microsoft Enterprise library has good encryption support that will possibly suit your needs:
http://msdn.microsoft.com/en-us/library/cc309503.aspx
I'm using encrypt(string,key) and decrypt(string,key) for encryption in ColdFusion. Now what I would like to do is to encrypt in ColdFusion, but decrypt in asp.net C#. Can someone show me how to do this?
If this is my ColdFusion code:
encrypt("hello","abcdefgh")
decrypt(".....","abcdefgh"
What would the equivalent code in asp.net look like? Thank You.
According to Coldfusion's documentation,
The Standard Edition of ColdFusion installs a cryptography library with the following algorithms:
CFMX_COMPAT: the algorithm used in ColdFusion MX and prior releases. This algorithm is the least secure option (default).
Unless you implement the CF decryption algorithm in C#, you can't decrypt it. You would have to specify a different encryption algorithm, like 3DES, in order to decrypt it.
As Josh pointed out, if you do not specify an algorithm CF uses the default algorithm cfmx_compat. Unlike the standard algorithms such as AES, Blowfish, etcetera there is no library for it in .NET. To decrypt the value in C#, the .NET side would need to use a custom class. ( See here for my C# port of Railo's cfmx_compat class . )
That said, I would recommend against using cfmx_compat simply because it is a very weak algorithm. It is only included in CF for backward compatibility. You are much better off using one of the stronger algorithms like AES, Blowfish, etcetera in ColdFusion. Since those algorithms are standard, interoperability with C# (or any other language) will be much easier. See the links Al posted in the comments above for some examples.
The question about storing connection string in safest way.
My current approach (Don't laugh)
1. Wrote RSAEncryption program and passed connection string to generate cypher.
2. Stored Cypher and private key in Resource file
3. Runtime retrieved encryption file again.
My concern of using config file
- I am creating library so projects who will use my dll will need to copy my config file which I dont want
Please tell me best practice to store connection string inside the dll.
Regards,
Omkar
There is a built in mechanism in .NET to encrypt sections of config. The beauty is you can use DPAPI and have the machine itself create the key, so nobody knows what it is except Windows. The best thing is you get this pretty much for free (small learning curve) and the learning curve is easily handled with a quick Google search on encrypting configuration files. May not fit all scenarios, but it is more likely to be secure than a quickly envisioned alternative.
The only issue here is if this is shrinkwrap ware (ie, you are selling software), but there are ways to handle that by having the install require network and adding the bits they can't know while you encrypt only go into memory during install. :-)
I am in need of a PGP service for .NET that will provide the following:
Encryption/decryption of files provided as byte arrays and/or streams (e.g. writing to hard drive and having the service read it is unacceptable)
Use of arbitrary keys passed in as byte arrays and/or streams
Needs to work for a headless service running on a server with nobody watching it (no modal popups or user input required)
We've felt out a couple of products but not been totally pleased with how any of them worked. Are there any suggestions? Thanks!
It's hard to guess what you could try as there are not much OpenPGP implementations for .NET. Namely, OpenPGPBlackbox package of our SecureBlackbox product is the only comprehensive self-contained implementation for .NET (BouncyCastle offers something as well, but they seem to be limited to older RFC 2440). You are welcome to check OpenPGPBlackbox and if you have problems with it, contact our technical support as described on product pages.
I want to work on the Rijndael algorithm using C#. Can anybody help me with this please?
I'm assuming you mean the Rijndael encryption algorithm - in which case RinjdaelManaged would be of use. The MSDN documentation (previous link) has examples, or there are lots of other references, for example see here.
I see (comments to other reply) that you are looking at implementing this yourself... some thoughts:
don't
why?
don't
Unless this is purely for interest, stick to the existing implementation. It will eat time, and potentially introduce security weaknesses. I can't think of a good reason to rewrite this.
sorry guys, but I just can not resist
from http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html
If you just need a working implementation check out the Rijndael Documentation on MSDN. The Rijndael implementation looks pretty convenient to interface with.
It's of course a different story if you are trying implement it yourself.
I am looking into the same that as per brian.
But the problem here is that all the rijndael samples available in the net are mostly using a Text File but is there any way of doing it in a Online Mode where when i get the data in the text box i convert it and put directly in to the database.
Any Hints on this would be much better and all the samples are defining the key from the Rijndael class itself, can't we provide the Key of our own.
cheers
Biju