My blog has moved and can now be found at http://blog.aniljohn.com


Sunday, March 7, 2004

As part of my "Defenses and Countermeasures" presentation at the D.C. DevDays, one of the things I talked about was how to properly secure connection strings.

The options ranged from encrypting the connection strings with a key stored in an ACL'd registry key, to using DPAPI to encrypt the connection string. The recommendation was to use DPAPI. As noted during the discussion, the primary advantage of DPAPI is that it offloads the task of key management to the operating system: your application never generates, stores or distributes an encryption key, so there is no key sitting in a config file, registry value or source tree for an attacker to find.

But there is a catch if your deployment environment is a web farm.

You see, DPAPI (the machine store, which is the usual choice for a service such as ASP.NET that has no user profile loaded) is keyed to a machine. The master key is generated on that machine by the OS and is not meant to be exported, which means that a DPAPI encrypted string created on one machine will NOT work on another machine: the unprotect call fails with "Key not valid for use in specified state" rather than returning anything. What this means from a deployment perspective is that the use of DPAPI to encrypt connection strings breaks XCOPY deployment. You cannot simply replicate the key that was created on one node across all nodes of a web farm. Instead, what you will have to do is create the encrypted connection string on each node of the web farm at deployment time, and keep that per-node blob out of the set of files you replicate to the other nodes.

One more thing to keep in mind with the machine store: the key is shared by everyone on that node, so any process that can read the encrypted blob can ask DPAPI to decrypt it. The ACL on the file holding the blob, and the optional entropy value you pass to DPAPI alongside the data, are what keep other accounts on the same box from reading your connection string.

Security is all about trade-offs. In this case, the benefit of greater security, combined with off-loading key management to the OS, comes at the cost of administrative overhead at deployment.
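What the per-node deployment step looks like in practice, as an added example that is not code from the original post: a script run on each node after the XCOPY that protects the connection string with the DPAPI machine store, writes the blob next to the application, and verifies that it round-trips on that node. It goes one step beyond the post by also passing DPAPI an optional entropy value, so a blob cannot be unprotected by a process that does not also hold those bytes. It assumes Windows PowerShell 5.1 on Windows, where System.Security.dll provides the managed ProtectedData wrapper over CryptProtectData/CryptUnprotectData; the file paths and the sample connection string are hypothetical.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell 5.1
# on Windows, where System.Security.dll provides
# System.Security.Cryptography.ProtectedData (the managed wrapper over
# CryptProtectData/CryptUnprotectData). File paths below are hypothetical.
Add-Type -AssemblyName System.Security

# Optional secondary entropy. DPAPI mixes it into the key derivation, so a
# caller that does not supply the same bytes cannot unprotect the blob even on
# the node that created it. Keep it outside the replicated web content.
function Get-AppEntropy {
    param([string]$Path = 'C:\secure\entropy.bin')   # hypothetical ACL'd file
    if (Test-Path -LiteralPath $Path) {
        return [System.IO.File]::ReadAllBytes($Path)
    }
    return $null   # without entropy, any account on this node can unprotect the blob
}

function Protect-ConnectionString {
    param(
        [Parameter(Mandatory = $true)][string]$ConnectionString,
        [byte[]]$Entropy = $null,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'LocalMachine'
    )
    $plain = [System.Text.Encoding]::UTF8.GetBytes($ConnectionString)
    try {
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $Entropy, $Scope)
    }
    finally {
        [Array]::Clear($plain, 0, $plain.Length)   # do not leave plaintext around longer than needed
    }
    return [Convert]::ToBase64String($blob)
}

function Unprotect-ConnectionString {
    param(
        [Parameter(Mandatory = $true)][string]$Base64Blob,
        [byte[]]$Entropy = $null,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'LocalMachine'
    )
    $blob = [Convert]::FromBase64String($Base64Blob)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $Scope)
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # A blob created on another node, or with different entropy, ends here:
        # DPAPI reports "Key not valid for use in specified state" instead of
        # returning wrong plaintext.
        throw ("DPAPI cannot unprotect this blob on {0}: {1}" -f $env:COMPUTERNAME, $_.Exception.Message)
    }
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# Deployment step: run on EACH node after the XCOPY of the application files,
# because the blob it writes is only valid on the node that produced it.
$blobPath = 'C:\inetpub\wwwroot\app\connstring.dpapi'   # hypothetical; ACL it to the app pool identity
$entropy  = Get-AppEntropy
$connStr  = 'Server=db01;Database=Orders;User Id=app;Password=PLACEHOLDER'   # constructed sample
$protected = Protect-ConnectionString -ConnectionString $connStr -Entropy $entropy
Set-Content -LiteralPath $blobPath -Value $protected -Encoding Ascii

# Post-deployment check on the same node: the blob must round-trip here. The
# same file copied to another node fails inside Unprotect-ConnectionString.
$stored    = (Get-Content -LiteralPath $blobPath -Raw).Trim()
$roundTrip = Unprotect-ConnectionString -Base64Blob $stored -Entropy $entropy
if ($roundTrip -ne $connStr) { throw 'DPAPI round-trip check failed on this node' }
$note = if ($entropy) { ' with entropy' } else { '' }
Write-Host "Connection string protected for $env:COMPUTERNAME (LocalMachine scope$note)"
```

The application reads the blob back with the same Unprotect call, under the identity that owns the file. Passing `CurrentUser` as the scope instead ties the blob to the calling account's DPAPI master key rather than the machine's, which only works for an ASP.NET process if that account's profile has been loaded; nothing in the script above changes for that case except the scope argument and the account it is run as.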

Tags:: Security
3/7/2004 8:52 PM Eastern Standard Time  |  Comments [9]
Sunday, May 8, 2005 12:06:50 AM (Eastern Daylight Time, UTC-04:00)
Actually, there's another solution, which is to use the User Store, rather than the Machine store, for DPAPI, as discussed at:

http://tinyurl.com/yrqhb

(see the section entitled "Web Farm Considerations")

According to that, if you use the User Store with a roaming user profile, you can decrypt the data on any computer on which that profile can be loaded. This does, however, require the extra step of loading the profile, which is something that, according to what I've read, ASP.NET does not do for you automatically.

G. Andrew Duthie
Sunday, May 8, 2005 12:06:50 AM (Eastern Daylight Time, UTC-04:00)
A roaming user profile assumes the existence of a Domain that the machine is part of. I am sure that would work fine in an Intranet scenario. The issue that I see is a web farm that is Internet facing that lives in a DMZ. All too often in such a configuration, these hardened machines are not part of a domain structure. In which case the user profile option breaks down.

Another option, beyond the one that Andrew pointed out, can be found at:

How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services

http://tinyurl.com/368dk

As to whether or not this option is used versus the machine store with a privatized entropy value would depend on the needs of the application.

Anil John
Sunday, May 8, 2005 12:06:50 AM (Eastern Daylight Time, UTC-04:00)
Good points. I believe the User Store can be used in place of a machine store even if the machine is not part of a domain. The only requirement is that the same account exists on each machine in the farm and that the MasterKeyIterationCount value in the registry is the same for each machine. When you call LoadUserProfile you can either load a local user profile or a roaming user profile.
Paul Murphy
Sunday, May 8, 2005 12:06:50 AM (Eastern Daylight Time, UTC-04:00)
Ah, that is good to know.

Thanks Paul.
Anil John
Sunday, May 8, 2005 12:06:50 AM (Eastern Daylight Time, UTC-04:00)
Paul, are you sure about it working in a non-domain situation? It's my understanding that DPAPI uses the hashed user password for the user account as the basis for the encryption key. Even if the same user name existed on each system the password would be different.

DPAPI Architecture overview:
http://tinyurl.com/cnul
Peter Thomas
Sunday, May 8, 2005 12:06:50 AM (Eastern Daylight Time, UTC-04:00)
From your link regarding the user store:

"Instead, DPAPI stores the random data it used to generate the key in the opaque data blob. When the data blob is passed back in to DPAPI, the random data is used to re-derive the key and unprotect the data."

That is making me second guess my assumption. Having not implemented in a non-domain environment I can't say with authority. I will give it a shot though and post back. Stay tuned!
Paul Murphy
Sunday, May 8, 2005 12:06:50 AM (Eastern Daylight Time, UTC-04:00)
Preliminary tests on separate VPCs with local user accounts show success! I'm going to test on separate physical machines next and will post results to my site.
Paul Murphy
Sunday, May 8, 2005 12:06:50 AM (Eastern Daylight Time, UTC-04:00)
I have been using DPAPI for quite some time now with the USER STORE and different user accounts in each environment.

It is great for isolating data from one environment to the other (i.e. DEV to QA to PRODUCTION). Data that is encrypted in development is not encrypted the same in production. Therefore, sensitive data is secure from malicious developers.

Shaun
Shaun McDonnell
Sunday, May 8, 2005 12:06:50 AM (Eastern Daylight Time, UTC-04:00)
I am having problems with DPAPI User Store. I have followed all the How-To guidelines for setting up the DPAPI User Store. In brief:

1) I have a domain account that I have provided least privileged access rights.
2) I have created the COM+ DPAPI Comp that runs under the least privileged domain account.
3) I have created the windows service that loads the profile and calls the COM+ component to load the profile.

I have the same setup on two machines. Every time I encrypt something on one machine, I cannot decrypt it on a different machine even though I am running under the same account. I always end up getting "Key not valid for use in specific state".

Help please.

thx.

Omar Sal