Encrypting configuration information using protected configuration provider


Problem description

When using a protected configuration provider to encrypt configuration information in an app config file, what encryption is used?

What algorithm and key are used to encrypt and decrypt the information?

Update

OK, I've read the links provided by Sani Huttunen and read these here and here.

So the RsaProtectedConfigurationProvider uses TripleDES and RSA encryption and DpapiProtectedConfigurationProvider uses TripleDES.

RsaProtectedConfigurationProvider uses the machine account or the user account and DpapiProtectedConfigurationProvider uses the user's logon password as the key for encryption and decryption.

I see this would work fine for an ASP.NET web app. But what about Windows applications?

I was led to believe that all my connection strings should be saved in the app.config file and then encrypted using a protected configuration provider.

But if you deploy your WinForms app to another machine it would not be able to decrypt the connection string because the key was based on the developer's logon password and saved in a keyfile not deployed with the application. Or if the keyfile is deployed with the application then anyone can decrypt the app.config file.

Is this correct? So what's the point in using this method?

What's the method for protecting information in an app.config file for deployed Windows applications?

Solution

What problem is your WinForms app trying to solve?

You have two conflicting problems. You need to distribute an app to someone who is untrusted. And you need a trusted connection to the SQL server.

Even if you encrypt the connection string, if you have the key to decrypt it stored somehow on the same machine, then your user can decompile your app and work out what it is.

Even if the connection is read only then it is still vulnerable to SQL injection attacks.

What may be a better solution is to have some RESTful API. That would give your user a well-defined API of things they can do. You can then manage users and the things they are allowed to do (i.e., can update their details but not someone else's, but can still read everyone's public stats).

Have a look at http://wcf.codeplex.com/wikipage?title=WCF%20HTTP for an easy way to create a safe api.

(If you give some more details, I can modify my answer with a solution that may work better for your needs.)
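
For the deployment case raised in the question, here is an added example (not code from the question or the answer) that encrypts the `connectionStrings` section on the target machine at first run, so the DPAPI key belongs to that machine rather than to the developer's. It assumes .NET Framework with a reference to System.Configuration, the default provider name `DataProtectionConfigurationProvider` from machine.config, and that the process can write to its own .exe.config; the class and method names are hypothetical.

```csharp
using System;
using System.Configuration;

static class ConfigProtector
{
    // Encrypts the named section in this executable's .config file if it is
    // still plaintext. Returns true when the section was encrypted by this call.
    public static bool EnsureProtected(
        string sectionName = "connectionStrings",
        string providerName = "DataProtectionConfigurationProvider")
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);

        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ConfigurationErrorsException(
                "Section not found: " + sectionName);

        // Already encrypted (for example by an earlier run): nothing to do.
        if (section.SectionInformation.IsProtected)
            return false;

        // The key is derived on this machine, so the resulting file cannot be
        // decrypted after being copied to a different machine.
        section.SectionInformation.ProtectSection(providerName);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);

        // Make later reads in this process pick up the saved file.
        ConfigurationManager.RefreshSection(sectionName);
        return true;
    }
}

static class Program
{
    static void Main()
    {
        bool changed = ConfigProtector.EnsureProtected();
        Console.WriteLine(changed
            ? "connectionStrings encrypted on this machine."
            : "connectionStrings was already encrypted.");

        // Reads are transparent: the provider decrypts on access.
        foreach (ConnectionStringSettings cs in ConfigurationManager.ConnectionStrings)
            Console.WriteLine(cs.Name);
    }
}
```

This protects the file at rest against other accounts and against copying it off the machine; code running under the account that can decrypt the section can still read the connection string, which is the limit the answer describes.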
