eWorld.UI - Matt Hawley

Ramblings of Matt

Securing Connection Strings

March 24, 2004 19:18 by matthaw

On Monday, my team at work got together and a pow-wow about security and how we can be more pro-active in developing applications.  As we went through sessions 2 & 3 from DevDays, we had a lengthly discussion on how we should proceed in securing the connection strings.  As most of you know, the OpenHack, and "best" method for securing connection strings, is by using DPAPI to encrypt it, and then store that encrypted string in a ACL'd registry key.

As this is a nice security model to follow, it doesn't work all that well in the development arena, when you have multiple machines that are hosting some version of an application.  As we discussed, we found that it would cause more of a headache when setting up a new application, as we'd have to create those ACL'd registry settings, do the encryption, etc. etc. manually.  Sure, a small application or batch could be used, but its still a pain to have to remember that you need to do it on each machine.

Another major item concerning storing the connection string in the registry, was that it breaks (what we think) the web application line.  By storing specific settings in the registry, you're starting to walk into the windows application arena.  It just doesn't make sense to us to provide that form of security when we feel its crossing that line.

Now, you may be starting to disagree with me, and thats fine.  We're still going to take an approach to encrypt the connection string in the Web.Config file, but not use DPAPI.  But - why wouldn't we want to use DPAPI, you ask?  Well, DPAPI is encryption/decryption is specific to the machine, thus decrypting a string on Machine B would not decrypt properly that was encrypted on Machine A.  (If my understanding is incorrect, please let me know - as this is a major setback for using DPAPI for us).  So, whats the big deal...well, you're going back to the model of having to manually configure each machine again, which isn't that easy to do in some environments.  So, we feel that using a specific encryption algorithm with a key is the best method, since it could be ported from machine to machine without having any problems.

I do have to agree, that if you wanted to take that extra security step by securing your encrypted connection string in a ACL'd registry key, that its a wise choice, however in most cases, its just overkill. Also, you won't ever have the option to do something like that on a shared hosting environment, so most web applications that single developers have, don't provide that form of security.

Well, I think thats all for my rant about securing connection strings, I'd love to hear your feedback.



Categories: General
Actions: E-mail | Permalink | Comments (8) | Comment RSSRSS comment feed

Comments

March 24. 2004 20:27

Are you going to share with us how you plan to store the encryption key?  For me, that is the primary motivation to use the DPAPI.

I've developed a small "framework" for using the DPAPI in web applications, which I plan to write about on my blog soon.  With a little help, it isn't so bad to work with.

Josh

March 24. 2004 20:33

Don't know yet, we've not come to that point.

Matt Hawley

March 24. 2004 22:13

I completely agree with you.  Crossing that line detroys the ease in which you can port a web application.  If you are using SQL Server as your database, then using windows authenticated security coupled with standard encryption of the connection string is sufficient in my opinion.  Even if someone could get a hold of the connection string AND decrypt it, all they would get is the name of your SQL Server and database name.

http://

March 24. 2004 22:47

It's really hard to give you much useful feedback without knowing your application's security requirements or the threat modeling that you've done, but a few comments come to mind:



Your first issue (the difficulty of implementing the entire encryption infrastructure in development) might be addressed with an environment-sensitive config setting. If the code is running in the dev environment, grab the connection string from web.config, otherwise use the secure route to it.



I'm totally confused by the particular aversion to the registry that you relate.  Unless you're planning on deploying your app on another platform, what's the problem?  Web apps, Winforms Apps, Windows Services, and console apps can all use the registry.  What's the difference?



I hope you understand the difference between the encryption scheme you are proposing and one that involves DPAPI. You are correct in assuming using DPAPI requires peforming the encryption/decryption in a specific context (either user or machine). The problem with your solution is that anyone who gains read access to your virtual directory will be able to decode your connection string (because they will have the program code, the encrypted value and the key). Using DPAPI raises the bar by requiring them to inject code into your process or run under the. Ok, I've simplified the issues a bit, but that's the fundamental trade-off.



Be careful about suggesting "best" approaches to security. You have to be very explicit about your environmental assumptions, app requirements, and likely threats

http://

March 25. 2004 00:56

The decision for not using the registry is not mine, it was my boss...and frankly, I agree with him.  I understand that it can use it, but why should it.  It just adds a level of complexity for setting up applications, and some of our apps are currently hard to setup anyways.



After attending the security briefing today, and speaking with the instructor...I will be going forward suggesting to use DPAPI for encryption - mainly for the reasons stated above.  The only problem is that multiple configuration settings need to be applied depending on the machine its running on.  I think thats partially trivial, and an added benefit of the security we would get.



I never stated or suggested the "best" approach to strategy, I was merely regurgitating it from the DevDays presentation on what the "best" methods for this type of thing is.

Matt Hawley

March 25. 2004 06:16

Some thoughts on storing encrypted things in ACL registry keys.



www.lazycoder.com/weblog/wp-trackback.php/46">www.lazycoder.com/weblog/wp-trackback.php/46

Scott

March 27. 2004 06:05

Personally I think encrypting connection strings adds an unnecessary level of complexity.  We use integrated security at work, so the most an attacker could get is server name and database name.  I guess I could get completely paranoid and hide those too, but honestly, I just don't see the point.

Jeff Gonzalez

April 26. 2004 18:50

Scott's link to lazycoder.com draws an HTTP 404!

Bob Baker

Comments are closed

Copyright © 2000 - 2024 , Excentrics World