Database connection string and other sensitive settings in protecting code Release Date: 11/18/2004 | Update Date: 11/18 / 2004alek Davis This article assumes readers to familiarize with C # and Visual Basic .NET Summary Protection Application Confidential (such as database connection characters) Strings and passwords) Requires many related factors, such as data of data, can get accessibility and how to get balance between security, performance, and maintainability, and so on. This paper explains the basics of data protection and compares several techniques that can protect the application settings. The authors discussed things to be avoided, such as hiding keys in source code, and using "local security agencies". In addition, he also proposed some effective solutions such as data protection API. This page Content Data Hide Restrictions Access to Data Access Encryption Data Trima Select Storage Encryption Data One-way and Bidirectional Encrypted Hash Algorithm Encryption Key Protection Admiral Keys Understanding Local Security Agencies Using DPAPI Hide Keys in Application Source Codes Independent Storage Small On the Developer News Group and the Online Forum, you often discuss issues related to protecting database connection strings, passwords, and other sensitive application settings. Although most professional security agrees to use software unable to hide confidential views, there are still some known technologies to provide adequate protection for most types of applications. All existing data protection methods are based on three basic technologies: hidden, access control, and encryption. These techniques can be used singly or in combination. Whether you decide whether you choose an existing technology or build your own data protection mechanism to protect your application confidential, your basic selection is limited to these three methods. In this article, I will explore the basics of data protection and compare techniques that can help you better manage confidential data. I will point out that situations are suitable for use, and the use of these techniques should be avoided. I will also provide a reference for code examples, tools, and APIs that can help you implement data protection mechanisms. Data hidden data is hidden sometimes called hidden preservation. If you rely on this technology, you assume that you only know where you know the sensitive information store, and you want others to find this. The advice here is that the application must also know how to access the data, so it is possible to ensure that confidential security will depends to a large extent on the ability of the application to protect this knowledge. The most commonly hidden sensitive application settings include application source code, profile, and windows. Registry. Data can also be stored in a weird location such as IIS metadata, universal data link (UDL) file, custom file. Simply hide data is usually only available (if present) security. In most cases, hackers are very easy to find your confidentiality. For example, the intruder may discover the location of the data by monitoring the system changes executed by the running application (see Figure 1). This can be implemented by utility (such as Regmon, Fileman and Diskmon on Sysinternals). Easy to compile the .NET assembly, simple and easy, can lead to a more serious threat. Using an anti-compiler such as anakrino or Salamander, the application source code can reverse engineering, thereby publicly sensitive data or application logic (see Figure 2). Limit access to data If access to data is limited, the location of the data does not need to be confidential. Instead, this technique depends on the technical function constructed in the operating system, which prevents unauthorized entities from accessing data. Typically, access restrictions are based on an identifier of a caller or aware of public confidence (see Figure 3). Access Control List (ACL), Microsoft Data Protection API (DPAPI) and independent storage use this technology to protect data. When used in proper use, restricted access is one of the most effective security measures, but unfortunately, this technique has limitations.
For example, for applications running in an anonymous user or in different user contexts, the access control based on the user ID is not large. Another problem based on identified access control is that other applications running in the same identification cannot be accessed to access each other. Figure 4 lists common issues related to identified access control. On the other hand, when the access control is based on the understanding of the confidentiality, it is a problem to protect the confidentiality. Other difficulties related to restricted access depends on the specific implementation. For example, it is difficult to manage ACLs in a large enterprise environment, and protected storage areas may require a caller with management privileges, which violates the minimum authority rules. Encrypted data When using encryption methods, hidden or controlled access to data is not the main purpose. Since the information is encrypted, for unauthorized intruders, the location of the information is known and can access it does not necessarily make the information available unless he finds the read key. Although encryption is a time-validated data protection technology, it cannot provide perfect solutions, but only the problem of transforming data into a problem that protects the encryption key. For any other type of sensitive data, it is to protect the encryption key using the same technique (hidden and access control). When you choose or build a data protection mechanism, you should measure the security vulnerability for potential threats. If your solution is considered in accordance with the basic data protection technologies discussed, it may be more easily evaluated. For example, if the stored database connection information contains the user's SQL credentials (see Figure 5), your data security is essentially dependent on file permissions (ACL), which is a restricted access. (To some extent, this also depends on the data hidden, but in this particular case, data hidden is very fragile security measures, because you don't need to spend too much energy to find UDL files.) Although ACL is in data protection It plays an extremely important role, but if the hacker is trying to obtain read permissions for the UDL file, then your SQL credentials will be leaked, and this is very important. Unless the level of potential threat is low or the data is not important, it should be avoided using only one data protection technology. Typically, the more technologies used by the solution are safer. Weighing choices As mentioned in many security experts, the best way to protect confidentiality is to do not save confidentiality. For example, if you want to protect the database connection string containing SQL credentials, you should consider not using SQL authentication. If the application can connect to the database server using Windows authentication (rather than SQL authentication), you do not need to consider protecting SQL credentials at all. Unfortunately, it is not always possible to avoid storage sensitive information. If you really need to store confidential data, you should start looking for the right solution by analyzing applications and their security requirements.
The following questions help you decide which option is best for you: • How important is the information you want to protect? When data is being destroyed, which loss can you expect? • Do you want to protect data to prevent which user access? Do you want to protect data from opportunistic hackers (for example, if you like access to information that is not allowed, isn't it intentionally attack the system's employee? Still protect data from malicious hackers (they are willing to spend time, energy and money to damage the security of the system)? What difficult do you think is a potential hacker to get your data? • Does your application really need to know unprysed text for sensitive data? • Do you want to protect database connection strings or want to manage other types of data? • How much logo is accessing your data? Is the application use a single user ID or use multiple user ID? • What version of the operating system must be supported? • Which is more important? The performance and security of the application is more important? Are you willing to sacrifice properties to get a safer application? • What is responsible for defining data? This is done by manual (e.g., using a text editor) or by programming? If the data is created by programming, is it to define the application of the application by using the application that uses these settings or other applications? • How many applications are available in your organization or company? If the application is not only one, is their requirements? Do you want to reuse a single solution that meets all applications or uses different data protection mechanisms for each application? • When deploying your application, how difficult your security is managed? Do you accept your solution for your application? Based on these questions, you may want to choose a best way. Before this article, I will analyze several data protection technology, which can be used for the most common applications, but first I will outline some things that should be avoided in any case. All methods for storing sensitive data in plain text are considered unsafe, because they will open data to try to obtain data source read rights (to do this may be more likely to be easier than you think). You should avoid saving undated data in a Windows registry, profile, com directory, stand-alone store, custom file, iIS metabase, and UDL files. In addition, it is absolutely not to store sensitive data in plain text. Absolute security may never reach, but sufficient security can be doubtedly realized. Some applications are required to require complex and non-traditional solutions, especially for banks, military secrets, law enforcement records, and scientific research. However, most of the solutions include the following three steps: encrypted data, using ACL limits access to encrypted data, and hidden and restricts access to encryption keys. When implementing data protection, you may have to consider other security, such as data tampering, but this article will not explore this problem because data tampering does not affect confidentiality. Instead, I will introduce more practical issues related to how to store encrypted data, which type of encryption and encryption algorithm, and how to protect the encryption key. Storage Encryption Data Unless you have better reason to take other means, please store the encrypted data in the application configuration file or Windows registry. The main benefit of using these two options is that not only has the ability to use ACL protection data, but also facilitate access by programming. Any other type of data store may lack at least one of the advantages, although other advantages may be added, this is impossible to make up for additional implementation.
Although some developers persist, Microsoft .NET Framework applications should not use registry, but this is not the case. The main disadvantage of the registry is that it is not suitable for the XCOPY deployment scenario, but because many applications are deployed by the installer and requires the specific configuration steps on the system to install them, support to XCOPY may not be required. Another disadvantage of the registry is that it is specific to the Windows platform and may not support other operating systems. This limit will become the main problem only if the non-Windows platform starts to support the public language implementation (CLI). If you care about XCOPY deployment or interoperability with non-Windows platforms; otherwise, select the option that best suits you. If you must store the settings shared by multiple applications, or to define these settings in programming, you may find that the management registration table is much easier. Applications that do not change by means of programming can be stored in the configuration file. In both cases, don't forget to apply the appropriate ACL to the data store. For example, it is a good idea to assign a file or registry key for the user account that runs the application to save sensitive data. It is a good idea. Similarly, the write authority should be explicitly specified to the user or user group (such as Administrators) allowed to modify the data. Reject any other person's access. There are two methods for one-way and bidirectional encrypted encrypted data: one-way (commonly referred to as a hash algorithm) and two-way. It is technically, the hash algorithm is not an encryption algorithm, but because these two technologies can be used in a similar way (ie, transforming plain text data into ciphertext), I think they are logical. Corresponding method. Although the hash algorithm has other uses, in the field of data protection, it has a greater advantage over two-way encryption. First, the hash algorithm is easier to use. Second, because the hash algorithm does not use the encryption key, this will be discussed later, this paper will be discussed later. The main disadvantage of the hash algorithm is that it does not support decryption, but in some cases, this problem is to lose horses. The password-based authentication is a typical example of the hash algorithm superior to two-way encryption. If your application saves a password only for authentication purposes, do not use a symmetrical key or public key to encrypt it, but store its hash value. When the user logs in, the application does not decrypt and relatively plain text password, but the password hash value. To reduce the risk of dictionary attacks, always use the SALT value with a hash value. The SALT value is random data, which is added to the plain text before the pure text is hashed and stored with the hash value, so that the other plain text value and hash value can be used later. To see how to use the Halt has been used for an example of a password-based authentication, check out the Msdn of the 2003. The Security Briefs column in Magazine. Hash algorithm MD5 and SHA-1 are the most commonly used hash algorithm. The SHA-1 hash value has 160 long, and the MD5 hash value has 128 long. SHA-1 algorithm is slower than MD5, but safer. In addition to the MD5 and SHA-1, .NET Framework also provides support for the 256-bit, 384-bit and 512 version of the SHA algorithm, although these algorithms may be slower, but they are safer.
The easiest method is hashed data HashPasswordForStoringInConfigFile FormsAuthentication class method calls, as in the following example: using System.Web.Security; string base64HashValue = FormsAuthentication.HashPasswordForStoringInConfigFile ( "mypassword", "sha1"); unfortunately Yes, this method only supports the MD5 and SHA-1 hash algorithms, so if you want to use the SHA-256, SHA-384 or SHA-512 hash value, you will need to write more code. How to: Hash Data With Salt explains how to use different hash algorithms to generate and compare the hash value. Encryption Key If your application needs to know the text value of sensitive data, you cannot use a hash algorithm. In this case, bidirectional encryption using a symmetric key or public key / private key should be used. If you are not sure which type of encryption key wants to choose, use a symmetrical key. The main disadvantages of public key encryption are low performance, and their performance ratio is 1000 times lower than that of the key. The public key encryption also applies certain limits to the size of the encrypted data based on the text. Although public key encryption can be used for data protection, it can actually be implemented with other technologies. Because the public key is best suited for security key exchange and digital data signing, here I will ignore them, and focus on the symmetric key encryption. When choosing an encryption algorithm, select the most secure algorithm with a long key as long as possible. In all symmetry key algorithms supported by .NET Framework, the US government approved RijndAel algorithm (also known as advanced encryption standard, i.e., AES algorithm) is considered to be the safest. This algorithm supports 128, 192, and 256-bit keys. For more information on Rijndael, see James McAffrey's article on this issue "Encrypt It: Keep Your Data Secure With the New Advanced Encryption Standard". Compared to other symmetrical key algorithms supported by .NET Framework, there is still a advantage. Other algorithms are provided in the form of an existing CryptoAPI module, and Rijndael (implemented for rijndaelmanaged classes) is completely written in managed code. Please note that some developers believe that this is a shortcoming and would rather use the non-hosting implementation of the Rijndael algorithm to achieve better performance. Unfortunately, this implementation of the Rijndael algorithm is only supported on Windows XP or higher, and the system must also have .NET Framework. If your application needs to be compatible with unmanaged applications running on Windows 2000 or earlier, use triple DES, which is a relatively good version of the lower security DES algorithm. Triple DES algorithm supports 112 and 168-bit keys, although the 168-bit key is recommended. Since the processing method of the parity bit of the key is inconsistent, the 168-bit triple DES key is sometimes referred to as a 192-bit key. If you want to allow managed and unmanaged applications to encrypt or decrypt data as the same triple DES key, pay attention to the pass code (password) of the derived key should only contain printable ASCII characters; otherwise, the generated key will not Match (this is due to the limit of the three DES algorithm. Net implementation).
Typically, people think that the original DES, RC2, and RC4 algorithms are much lower than Rijndael and triple DES, so they should avoid using them. In any case, you should not use your own encryption algorithm. Never think, if you are the original author of the code, no one can crack it. Figure 6 illustrates the various data encryption scheme you can use. Protecting the encryption key When the symmetric key is encrypted and decrypt application data, it is important to generate the same key from start to end. This brings a problem that the protection key or key generation logic (not confusing with the encryption algorithm). Although there are several techniques to accomplish this task, they all have a defect. Let us analyze the most suitable available options and solutions. There are two ways to generate a persistent symmetrical key: define your key, or let the operating system define. When selecting the first option, you can encode the actual key bytes into the application source code, or implement consistent logic to derive the key from some constant feature. These features typically contain a pass code (the key is derived from the pass code) and may also contain other values (such as the initialization vector). You must hide the key in the application source code, whether it is to generate the key byte hard coding or the key generation logic. This option gives you more control and flexibility, but if the application's source code is reversed, you will also bring greater risks to your data. In addition, you can store keys in a persistent location (such as a file or registry) and protect this location via ACL. However, because the method is easy to cause maintenance errors, it is recommended not to do this. Safer, but more restrictions, let the operating system generate a key. This can be done using an operating system feature such as a local security agency (LSA) or DPAPI. Learn about local security agencies in the Hessing period of Windows NT 4.0, the LSA policy function LsaStoreprivateData and LsaretrievePrivatedata provide reasonable security methods for protecting application confidentiality. Although the LSA policy function is available on Windows 2000 and later (and still used to protect settings such as passwords defined for Windows service), Microsoft recommends not to use them, so I only mentioned for integrity. And these functions and explains why they should avoid them. One problem with the LSA policy function is that the protected area of the Windows registry with the key management and encryption algorithm are used to process data storage. This looks a good thing, but actually, because the LSA policy function is limited to 4096 slots, and half of them has been occupied. If the application continues to use the LSA policy to store sensitive data, there will be dangerous hazards. Second, since only advanced privileged users can call the LSA policy function, the LSA policy function will not work for applications that run under non-privileged accounts. Worse, there are also tools such as LSADUMP2 that can leak LSA confidentiality. Bottom line: Do not use the LSA policy function for data protection. Using DPAPI as an alternative to the LSA policy function, Microsoft recommends using a subset of CryptoAPI named DPAPI. DPAPI includes two functions that can be used for data protection: CryptProtectData and CryptunProtectData. These functions are implemented in Crypt32.dll and can be called from P / INVOKE from the .NET Framework application. DPAPI is part of the operating system that can be used on Windows 2000 and later.
Unlike the LSA function, DPAPI does not process data storage, but it can generate computer specific or user-specific keys to encrypt and decrypt data. To distinguish these two types of keys, the DPAPI document calls them as computer storage and user storage. Computer-specific keys are often less secure because people who get system access rights can use them. By passing the password (also known as secondary entropy) to the DPAPI function, a more secure version of the computer-specific key can be generated. This option is better because it requires a caller to know the value of the password, but bring the problem of storage password, which returns to the initial problem. Another problem with a computer-specific key is that when the environment changes, they cannot guarantee the same as the original key. Changes such as moving applications on or re-establishing systems may result in crashing using DPAPIs with computer-specific keys. Although user-specific keys are considered safer, they have any other limitations of any identified access control. First, since the user key can only be generated by a program running the loaded user profile, they cannot be used with applications that are running with the ASP.NET application and some built-in accounts. There is a way to overcome this limitation by using service components, but the cost that must be paid is to improve complexity and reduce application performance. It also needs to run service components under the privileged account, which violates the principle of minimum authority. If you decide to use a DPAPI with a user-specific key, you must know that only users with encrypted data can decrypt the results. Obviously, this cannot be used to run in other user accounts or their settings can be defined by other user. Another problem with the user-specific key is that they allow all applications running in the same user profile to access data, which is a potential security hazard. For DPAPIs stored using computer, this problem can be resolved by requiring the supplement providing secondary entropy, but as in the previous example, this will bring the entropy. Unfortunately, DPAPI does not allow you to use your computer specific and user-specific keys simultaneously (on the same CRYPTPROTECTDATA call). It is recommended to use the DPAPI for a single user account with the loaded user profile and define its settings. (For more information, see the Windows service application running under the local or domain user account is a typical example. If your application meets these requirements, you should use a DPAPI with a user-specific key. For additional applications, you can use the secondary entropy protection and the DPAPI with a computer-specific key (see "Use DPAPI (Machine Store from AS ASP.NET" or using the example in the USE DPAPI to Encrypt and Decrypt Data). You can define this entropy in the application source code and fuzzy to process the application binary code so that the entropy is difficult to find by others. However, if you choose this method, it should be appreciated that even if the code of fuzzy processing can perform reverse engineering. To determine the fuzzy processing method you can use or not using, read the article "The Premier Obfuscator for Microsoft .NET Applications" written by Brent Rector "The Premier Obfuscator for Microsoft .NET Applications!", "Obfuscate It: thwart" and Gabriel Torok and Bill Leach. Reverse Engineering Attempts on Your Visual Basic .NET OR C # code.
If your application cannot directly use the DPAPI with a user-specific key, and cannot withstand the risk of reverse engineering, consider using service components to implement DPAPI, but it is aware that this option will affect the performance of the application. (See "User Store from ASP.NET with Enterprise Services"). If you select this option, prepare an authorization program to prevent malicious applications and users from calling service components, which may not be a simple task. To learn how to solve this problem, see the Ciphersafe.Net tool and its included document; the application explains how DPAPI is used to sensitive application management and provide an interesting method for resolving the issue. Hide the key in the application source code, although professional security continues to urge application developers to stop "hiding" encryption keys (and other sensitive data) in their application source code, but application developers are still ignored. Interpretation of this contradiction can be divided into two. The cause of the developer chosen this method is the reason why the method is very easy to implement. Another explanation is that alternative options may not work in some cases. For example, consider the following: Several applications running on different computers (for example, Windows services) must use the same key to encrypt and decrypt data stored in the database. In this case, it is not possible to encrypt using DPAPI, so the developer may choose to embed the key into the application source code. This is easy to implement, but not safe. A better way is that the administrator is required to define the encryption key at the application installation. Use the DPAPI of the user-specific key with the user-specific key to run the application account, and then save the encrypted value in a Windows registry or application. Program configuration file. To know, although the method is a more secure technology, it has brought problems with the process. Another case of embedding the key embedding application source code as a unique option is that the owner of the application data has a restricted access to the host application or has no access. The WEB of the host environment is an obvious example. If you embed your application source code is your unique choice, you must realize the relevant risks and processed accordingly. In this case, main risks come from reverse engineering, which can only be solved by blurring. Although the fuzzy treatment cannot prohibit reverse engineering, it can increase the cost of the process and more time. Comparison FIG. 7 (which shows the anti-compiled assembly of Demeanor) and Figure 3. Because all non-public symbols in the context of the fuzzy process are renamed with unprintable characters, and these strings have been encrypted, so it is almost impossible to rebuild application logic from the assembly. Commercial anti-compiler (such as Salamander) simplifies the work of reverse engineering by converting the unprintable characters to a printed equivalent value, then converting the application class into a source file, thereby simplifying the work of reverse engineering, but this not only spends money, but also If a hacker understands the unread symbol (at this point, the spaghetti code can actually use the field!). Figure 7 Reflexible assembly of fuzzy processing If you define a key in the application, do not try to store the actual key bytes in the source code in the source code in the application. Instead, persistent features should be used to implement key generation logic, such as an encryption algorithm, key size, pass code, initialization vector, and Salt (see ENCRYPT AND DECRYPT DATA Using A Symmetric (Rijndael) Key).
