CodeBetter.Com

Jay Kimble -- The Dev Theologian

Philosophizing about the .Net religion

Security Best Practice?!!?

Ok, I just found something that caused me to yell "AAAAACCCCCKKKKK!!!!!!"  While trying to resolve an issue with a configuration/encryption library that we use here at work, I remembered reading the table of contents of a book I own that mentioned a section called "How to Encrypt a ConnectionString in the Database."  When I read the section today (the book is available online) I just about jumped out of my skin!  Here's the link - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT00.asp

It's a section in a book from MS called Building Secure ASP.NET Applications.  And it's not just any book... it's one of the PAG books... the ones MS is publishing to show us all best programming practices! 

So you don't have to read the whole section, let me summarize.  They show you how to use DPAPI... they show you how to create an encryption library... they show you how to encrypt strings in the registry using the encryption library.  After encrypting the string you are left with an IV (which the book's code treats like a salt; strictly an IV is not a salt, and an IV need not be secret, but the key must be) and an encryption key... what do you do with those?  You store them in the registry right alongside the encrypted value!  This is the equivalent of locking your house up with an electronic keypad lock and the biggest deadbolt you can find... and then hanging the key beside the door with a sticky note containing the keypad code...

Some better choices would be (I'm not a PAG guy, nor do I claim to be an expert on Best Practices):
A) Store the key and IV in different places... the IV could go in the web.config... the key could be read from a file or (yuck) stored in the code...
B) Better yet, use DPAPI... I know it has an issue within ASP.NET apps (I think), but then you have a key that is derived from the machine...
C) I believe the RSA encryption algorithm can use a key in the machine store... so you could get something similar to DPAPI with it...

The point here is that my suggestions at least hide the value from someone (legitimate or illegitimate) browsing the registry.  The Best Practice outlined just scares me...  Maybe it's ok...
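To make the contrast concrete, here is an added example in C# against .NET's System.Security.Cryptography; it is not code from the PAG book, and not code from this post. EncryptWithStoredKey/DecryptWithStoredKey show what the book's layout amounts to: whoever can read the ciphertext, key and IV from the registry recovers the plaintext with no further secret (the IV alone could sit in the open; the key cannot). ProtectWithDpapi/UnprotectWithDpapi are option B above: DPAPI with a machine-derived key, so the only thing written to the registry is an opaque blob, with nothing beside it that can decrypt it. The entropy string and the sample connection string are made up for the example. ProtectedData is Windows-only and lives in System.Security.dll on .NET Framework 2.0 and later (the System.Security.Cryptography.ProtectedData package on newer .NET); on .NET 1.1, which the book targets, DPAPI has to be reached through P/Invoke instead.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the PAG book or the post.
public static class ConnectionStringStorage
{
    // --- The layout the post objects to: key and IV saved next to the ciphertext.

    // Encrypts with a fresh TripleDES key and IV and hands all three back,
    // which is exactly what ends up side by side in the registry.
    public static byte[] EncryptWithStoredKey(string plainText, out byte[] key, out byte[] iv)
    {
        using (TripleDES tdes = TripleDES.Create())
        {
            tdes.GenerateKey();
            tdes.GenerateIV();
            key = tdes.Key;
            iv = tdes.IV;
            using (ICryptoTransform enc = tdes.CreateEncryptor(key, iv))
            {
                byte[] plain = Encoding.UTF8.GetBytes(plainText);
                return enc.TransformFinalBlock(plain, 0, plain.Length);
            }
        }
    }

    // Anyone who can read the three stored values needs no other secret.
    // The IV being readable is fine; the key being readable defeats the point.
    public static string DecryptWithStoredKey(byte[] cipher, byte[] key, byte[] iv)
    {
        using (TripleDES tdes = TripleDES.Create())
        using (ICryptoTransform dec = tdes.CreateDecryptor(key, iv))
        {
            byte[] plain = dec.TransformFinalBlock(cipher, 0, cipher.Length);
            return Encoding.UTF8.GetString(plain);
        }
    }

    // --- Option B from the post: DPAPI, no key material stored at all.

    // Optional entropy is not a secret; it only scopes the blob to this app so
    // another LocalMachine-scope caller also has to know it. Made-up value.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("CodeBetter.ConnectionString.v1");

    public static string ProtectWithDpapi(string plainText)
    {
        byte[] plain = Encoding.UTF8.GetBytes(plainText);
        // LocalMachine scope: the key is derived from the machine, and the call
        // works for a worker process with no loaded user profile (CurrentUser
        // scope needs one). Any local process can unprotect, so still ACL the
        // registry key to the application's identity.
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
        Array.Clear(plain, 0, plain.Length);
        return Convert.ToBase64String(blob); // the only thing written to the registry
    }

    public static string UnprotectWithDpapi(string base64Blob)
    {
        byte[] blob = Convert.FromBase64String(base64Blob);
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.LocalMachine);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    public static void Main()
    {
        // Constructed sample, not a real credential.
        string conn = "Server=db01;Database=Orders;User Id=app;Password=example-only";

        byte[] key, iv;
        byte[] cipher = EncryptWithStoredKey(conn, out key, out iv);
        // Simulates a registry reader who sees all three stored values.
        Console.WriteLine("Stored-key scheme recovered: " + DecryptWithStoredKey(cipher, key, iv));

        string blob = ProtectWithDpapi(conn);
        Console.WriteLine("DPAPI blob: " + blob);
        Console.WriteLine("DPAPI round trip OK: " + (UnprotectWithDpapi(blob) == conn));
    }
}
```

Two things to keep in mind with the DPAPI version: the LocalMachine scope means any process on that box can call Unprotect, so the registry key's ACL is still what keeps other local accounts out, and the entropy value only prevents an accidental cross-application decrypt, it is not a second key. The blob is also bound to that machine, so deploying to another server means re-protecting the string there rather than copying the registry value across.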
