Use of ConfigurationProviders to protect connection string


In a web application, the usual place to store a connection string is the web.config file.
web.config consists of several sections, one of which is connectionStrings. Storing a connection string in
plain text can be risky. The .NET Framework provides a mechanism, protected configuration providers, with which you can encrypt
your connection string, so that if someone breaches your system and gains access to the web.config file,
the connection string cannot be read directly from it.

Let's take a look at this with an example:
1. Create a web site project using Visual Studio.

2. To have a connection string, we will use a GridView control. Open default.aspx in design mode.
3. Go to the toolbox, drag a GridView control onto the form and set its data source as per your database object.
4. The markup in default.aspx will now look like this.
<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False"
    DataKeyNames="DeptID" DataSourceID="SqlDataSource1"
    EnableModelValidation="True">
    <Columns>
        <asp:BoundField DataField="DeptID" HeaderText="DeptID" InsertVisible="False"
            ReadOnly="True" SortExpression="DeptID" />
        <asp:BoundField DataField="DeptName" HeaderText="DeptName"
            SortExpression="DeptName" />
    </Columns>
</asp:GridView>
<asp:SqlDataSource ID="SqlDataSource1" runat="server"
    ConnectionString="<%$ ConnectionStrings:MySampleDBConnectionString %>"
    SelectCommand="SELECT [DeptID], [DeptName] FROM [Department]">
</asp:SqlDataSource>

5. The web.config file will now contain a <connectionStrings> section in which the connection string is stored in readable form.
6. Now, to protect the connection string, open the default.aspx.cs file and add these 2 functions.
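// Required at the top of default.aspx.cs:
using System.Configuration;
using System.Web.Configuration;

// Encrypts the connectionStrings section of web.config with the named provider.
private void EncryptConnString(string protectionMode)
{
    Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection("connectionStrings");
    // Skip if already protected, so web.config is not rewritten on every request.
    if (!section.SectionInformation.IsProtected)
    {
        section.SectionInformation.ProtectSection(protectionMode);
        config.Save();
    }
}

// Restores the connectionStrings section of web.config to plain text.
private void DecryptConnString()
{
    Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection("connectionStrings");
    if (section.SectionInformation.IsProtected)
    {
        section.SectionInformation.UnprotectSection();
        config.Save();
    }
}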

7. In the Page_Load function, call either
EncryptConnString("RsaProtectedConfigurationProvider");
or
EncryptConnString("DataProtectionConfigurationProvider");

8. For DataProtectionConfigurationProvider, the connectionStrings section will then be modified as follows:

<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>...</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>

9. If you use RsaProtectedConfigurationProvider, the section will look like this:

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>dAlnD1WJk7imw0yfupREP4ifSHMaJm1cKHVwHQXPRoThnIVtTT3j+svOrELJeIV6gs+KuEdglhhQQo7VBlmQwfcOXxcqyd4/YjAE+Q45YSAI23gQ5Y5WOQU5pvyNyqZJR4XJN2eWzZ6ZBVyTVqiZ9fVEsamPF0R1oesh9CNMD+8=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>cEPk5EBd58MjInYNrh1oGHp5KH4S4vocyUrPnK5Z/aCaehRxio/XE+IK6GnrvpltQRlZv6fzy/RlrDDpI4uHF0U87kbIYCa9/RbBwlmg4Z14IMuCFpWuBjA+fBqkRiWTn5+6bXxHyS+3WC30kNumxKxSuk5unfvLdD5G7Ei4w1wITwR27zG9MIxJm3UYAYQ8FuDCLloXZEuULRyvB0F9z56eWxcpPU/8koYu7l6siZ5tKO674zZEOp1pzhDEElBcN1o0onFJ0rjJse3lOIAveRFQ5bg35MkjmEYYrSCKLQC1hJ6E4hvfvw==</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
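
A deployment check for the result of steps 8 and 9, added here as an example and not part of the original post: it parses a web.config document and reports whether the connectionStrings section is still readable or has the protected shape shown above. The sample documents and function names are constructed for illustration; configSource is the standard attribute for moving a section into a separate file.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Drop the XML namespace: '{ns}EncryptedData' -> 'EncryptedData'."""
    return tag.rsplit("}", 1)[-1]

def audit_connection_strings(web_config_xml):
    """Return (status, detail) for the <connectionStrings> section."""
    root = ET.fromstring(web_config_xml)
    section = next((e for e in root.iter()
                    if local(e.tag) == "connectionStrings"), None)
    if section is None:
        return ("missing", "no connectionStrings section")
    if section.get("configSource"):
        # Section lives in another file; that file must be audited instead.
        return ("external", section.get("configSource"))
    provider = section.get("configProtectionProvider")
    children = [local(c.tag) for c in section]
    readable = [c.get("name", "?") for c in section
                if local(c.tag) == "add" and c.get("connectionString")]
    has_cipher = any(local(e.tag) == "CipherValue" and (e.text or "").strip()
                     for e in section.iter())
    if readable:
        return ("plaintext", ", ".join(readable))
    if provider and "EncryptedData" in children and has_cipher:
        return ("protected", provider)
    return ("inconsistent", "provider=%r children=%r" % (provider, children))

# Constructed samples (not real configuration or real ciphertext).
PLAIN = """<configuration><connectionStrings>
  <add name="MySampleDBConnectionString"
       connectionString="Data Source=.;Initial Catalog=Sample;User ID=app;Password=CONSTRUCTED"/>
</connectionStrings></configuration>"""

DPAPI = """<configuration>
<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
  <EncryptedData><CipherData><CipherValue>Q09OU1RSVUNURUQ=</CipherValue></CipherData></EncryptedData>
</connectionStrings></configuration>"""

RSA = """<configuration>
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
    <CipherData><CipherValue>Q09OU1RSVUNURUQ=</CipherValue></CipherData>
  </EncryptedData>
</connectionStrings></configuration>"""

if __name__ == "__main__":
    for label, doc in (("plain", PLAIN), ("dpapi", DPAPI), ("rsa", RSA)):
        print(label, audit_connection_strings(doc))
```

A "plaintext" or "inconsistent" result on a deployed web.config means the encryption step did not run or did not save.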
