For ASP.NET developers, sensitive data that resides in configuration files such as Web.config should be protected from prying eyes through encryption. Although the .NET Framework provides a set of cryptography classes, a more elegant and efficient approach is to use the Data Protection API (DPAPI) built into the Windows 2000 and Windows XP operating systems. Let’s see how you can take advantage of the DPAPI in your ASP.NET applications.
DPAPI 101
Starting with Windows 2000, Microsoft began including an API to perform application-level encryption and decryption of data. This API consists of two functions, CryptProtectData and CryptUnprotectData, exported by Crypt32.dll as part of the CryptoAPI. On Windows 2000 and Windows XP these functions protect data with the time-tested Triple Data Encryption Standard (TripleDES) algorithm; later versions of Windows moved DPAPI to AES-256, but the programming model is unchanged. TripleDES is a symmetric algorithm, meaning that it uses a single secret key for both encryption and decryption, so that key is the thing that has to be kept safe.
Since TripleDES requires a key, the DPAPI derives one either from the credentials of the currently logged-on user (the default) or from a machine-wide key that any process running on the machine can use (requested with the CRYPTPROTECT_LOCAL_MACHINE flag). The user key is the more secure choice, because only code running as that user can decrypt the data, but it is awkward for server-based applications such as ASP.NET: the worker process account has no interactive logon, and DPAPI needs that account's profile to be loaded before it can use the account's key. The machine key is therefore the usual choice for ASP.NET, with the understanding that any code running on the server, including other web applications hosted on the same machine, can then decrypt the data; it is acceptable only when untrusted users are not allowed to log on to, or run code on, the machine. Either key can optionally be augmented with an application-specific secret referred to as secondary entropy. The same entropy must be supplied again at decryption time, so it acts as a second factor, but it helps only if it is kept somewhere other than the file that holds the ciphertext.
More information
For more on how the DPAPI uses keys, see “Windows Data Protection” at MSDN.
As you can imagine, the benefits of using the DPAPI are not only that applications get a strong encryption algorithm but also that they do not have to handle, protect, or remember the secret key value.
DPAPI and ASP.NET
So how does this affect ASP.NET developers? In ASP.NET applications, it is a common practice to place application configuration data, such as connection strings and file paths, in the Web.config file in the application's virtual directory. ASP.NET refuses to serve this file over HTTP (for any verb, not just GET) by mapping *.config to the HttpForbiddenHandler in Machine.config, which answers with a 403 Forbidden error. That protection covers only requests that reach ASP.NET; it does nothing against anyone who can read the file through the file system, a backup, or another application running on the same server. So this data should ideally be encrypted, especially if the connection string, for example, contains a user name and password.
To encrypt the data in Web.config, ASP.NET developers often turn to the cryptography classes in the System.Security.Cryptography namespace, as described in this Builder.com article. Although these classes expose both symmetric and asymmetric algorithms, they do not provide key management as the DPAPI does: the application still has to store the encryption key somewhere, which merely moves the secret rather than protecting it. A simpler approach is therefore to wrap the DPAPI in a managed class that can be called from ASP.NET.
The code to wrap the DPAPI and use it from ASP.NET has been discussed in books such as Writing Secure Code by Michael Howard and David LeBlanc and in articles published on MSDN.
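The following is an added example, not code from the original article or from the books and MSDN pieces it cites. It wraps CryptProtectData and CryptUnprotectData in a managed class through P/Invoke, covers both key scopes and the optional secondary entropy described in the DPAPI 101 section above, and shows the round trip for a Web.config connection string: encrypt once on the server, store the base64 blob in appSettings, decrypt at run time. The class names DpapiProtector and DpapiConfig, the entropy string and the appSettings key dbConnection are assumptions made for the illustration. It runs only on Windows, since it calls into Crypt32.dll.

```csharp
// Added example (not the article's code): a managed wrapper over CryptProtectData/CryptUnprotectData.
using System;
using System.ComponentModel;
using System.Configuration;
using System.Runtime.InteropServices;
using System.Text;

public sealed class DpapiProtector
{
    private const int CRYPTPROTECT_UI_FORBIDDEN = 0x1;  // never prompt: a worker process has no desktop
    private const int CRYPTPROTECT_LOCAL_MACHINE = 0x4; // machine-wide key instead of the caller's user key

    [StructLayout(LayoutKind.Sequential)]
    private struct DATA_BLOB { public int cbData; public IntPtr pbData; }

    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool CryptProtectData(ref DATA_BLOB pDataIn, string szDataDescr,
        ref DATA_BLOB pOptionalEntropy, IntPtr pvReserved, IntPtr pPromptStruct, int dwFlags, ref DATA_BLOB pDataOut);
    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool CryptUnprotectData(ref DATA_BLOB pDataIn, IntPtr ppszDataDescr,
        ref DATA_BLOB pOptionalEntropy, IntPtr pvReserved, IntPtr pPromptStruct, int dwFlags, ref DATA_BLOB pDataOut);
    [DllImport("kernel32.dll")]
    private static extern IntPtr LocalFree(IntPtr hMem);

    private readonly int flags;
    private readonly byte[] entropy;

    // useMachineKey: true for server applications such as ASP.NET.
    // secondaryEntropy: application secret mixed into the key, or null for none (assumed API shape).
    public DpapiProtector(bool useMachineKey, string secondaryEntropy)
    {
        flags = CRYPTPROTECT_UI_FORBIDDEN | (useMachineKey ? CRYPTPROTECT_LOCAL_MACHINE : 0);
        entropy = secondaryEntropy == null ? new byte[0] : Encoding.UTF8.GetBytes(secondaryEntropy);
    }

    public string ProtectString(string plaintext) { return Convert.ToBase64String(Transform(Encoding.UTF8.GetBytes(plaintext), true)); }
    public string UnprotectString(string base64Blob) { return Encoding.UTF8.GetString(Transform(Convert.FromBase64String(base64Blob), false)); }

    private static void Wipe(IntPtr p, int n) { for (int i = 0; i < n; i++) Marshal.WriteByte(p, i, 0); }

    private byte[] Transform(byte[] input, bool protect)
    {
        DATA_BLOB inBlob = new DATA_BLOB(), entropyBlob = new DATA_BLOB(), outBlob = new DATA_BLOB();
        try
        {
            inBlob.cbData = input.Length;
            inBlob.pbData = Marshal.AllocHGlobal(input.Length);
            Marshal.Copy(input, 0, inBlob.pbData, input.Length);

            // A zeroed DATA_BLOB (cbData 0, pbData NULL) is how "no entropy" is expressed.
            entropyBlob.cbData = entropy.Length;
            if (entropy.Length > 0)
            {
                entropyBlob.pbData = Marshal.AllocHGlobal(entropy.Length);
                Marshal.Copy(entropy, 0, entropyBlob.pbData, entropy.Length);
            }

            bool ok = protect
                ? CryptProtectData(ref inBlob, "", ref entropyBlob, IntPtr.Zero, IntPtr.Zero, flags, ref outBlob)
                : CryptUnprotectData(ref inBlob, IntPtr.Zero, ref entropyBlob, IntPtr.Zero, IntPtr.Zero, flags, ref outBlob);
            // Decryption fails here when the entropy or key scope differs from what was used to
            // encrypt, or when the blob was produced under another machine's or user's key.
            if (!ok) throw new Win32Exception(Marshal.GetLastWin32Error());

            byte[] output = new byte[outBlob.cbData];
            Marshal.Copy(outBlob.pbData, output, 0, outBlob.cbData);
            return output;
        }
        finally
        {
            // Plaintext sits in unmanaged memory on one side of each call; wipe it before releasing.
            // DPAPI allocates the output with LocalAlloc, so it must go back through LocalFree.
            if (inBlob.pbData != IntPtr.Zero) { Wipe(inBlob.pbData, inBlob.cbData); Marshal.FreeHGlobal(inBlob.pbData); }
            if (entropyBlob.pbData != IntPtr.Zero) Marshal.FreeHGlobal(entropyBlob.pbData);
            if (outBlob.pbData != IntPtr.Zero) { Wipe(outBlob.pbData, outBlob.cbData); LocalFree(outBlob.pbData); }
        }
    }
}

// Usage. Step 1, once, on the web server itself (machine-scope blobs do not travel between machines):
//   dpapitool.exe "server=db1;uid=web;pwd=s3cret"   prints a base64 blob to paste into Web.config.
// Step 2: <appSettings><add key="dbConnection" value="...blob..." /></appSettings>
// Step 3: the ASP.NET application calls DpapiConfig.GetConnectionString() at run time.
public static class DpapiConfig
{
    private const string Entropy = "Contoso.Web/1.0"; // assumed application secret; deliberately not in Web.config

    public static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: dpapitool <plaintext>"); return 1; }
        Console.WriteLine(new DpapiProtector(true, Entropy).ProtectString(args[0]));
        return 0;
    }

    public static string GetConnectionString()
    {
        return new DpapiProtector(true, Entropy).UnprotectString(ConfigurationSettings.AppSettings["dbConnection"]);
    }
}
```

The blob has to be generated on the same server (and, for user scope, under the same account) that will decrypt it, because the machine and user keys never leave the machine. Entropy compiled into the assembly keeps other applications on the box out only as far as they cannot read that assembly, so it complements file permissions on the bin directory rather than replacing them. From .NET Framework 2.0 onwards, System.Security.Cryptography.ProtectedData wraps the same two functions without P/Invoke, and aspnet_regiis -pe can encrypt whole configuration sections with a DPAPI-backed provider, so a hand-rolled wrapper like this one is mainly of interest on .NET 1.x.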