FW: [Mono-list] Linux version of DPAPI to encrypt Web.config data?

Sebastien Pouliot spouliot@videotron.ca
Thu, 14 Oct 2004 12:00:04 -0400


forgot the list :(

-----Original Message-----
From: Sebastien Pouliot [mailto:spouliot@videotron.ca]
Sent: 14 octobre 2004 08:21
To: Bacchus Hraphanidousai
Subject: RE: [Mono-list] Linux version of DPAPI to encrypt Web.config
data?


Hello Bacchus,

> -----Original Message-----
> From: mono-list-admin@lists.ximian.com
> [mailto:mono-list-admin@lists.ximian.com]On Behalf Of Bacchus
> Hraphanidousai
> Sent: 13 octobre 2004 08:42
> To: mono-list@lists.ximian.com
> Subject: [Mono-list] Linux version of DPAPI to encrypt Web.config data?
>
>
> I would like to explore my options in encrypting
> sensitive data in the Web.config file and I came
> across the DPAPI in Windows.

DAPI is very interesting because of it's key management.

However it wasn't exposed in the framework before 2.0 and a similar API
isn't (yet) implemented in Mono.

> First, here are my constraints:
> [1] I am storing credentials that will be passed to
> other processes, so a one-way hash won't work
> [2] I prefer a symmetrical encryption algorithm for
> simplicity and performance
> [3] I cannot store the encryption key as a constant in
> my code-behind file since this can easily be
> disassembled

Note that it could only be disassembled if someone got a copy of it (and no
I'm NOT suggesting keeping any key inside compiled code ;-).

> On Windows, DPAPI addresses these constraints, since
> it manages encryption keys at the OS level.

Yes, DAPI strength is exposing a simple API to hide a complex problem (key
management). However it's important to note that this solve all problems.

Hiding "correctly" any secret (like a key) is hard on a computer, even more
in a server environment. The best way to see potential problems is to have a
threat model. Sadly you'll see that DAPI isn't the solution for most of the
problems related to web server applications.

What DAPI solves
- key management issues (that are rarely considered inside applications);
- ensure good cryptography practice (i.e. avoid common errors) with it's
simple API;

What DAPI doesn't solves
- access to the secret. Any person (directly or indirectly) that can run
executable code on the server (with the same OS identity as your
application) can call DAPI itself and retrieve the unencrypted data. So the
question is "if/how they can get your data, then could they get your key ?"

Conclusion:
DAPI is great but may not be enough (only your threat model can tell ;-)


> My question is: when running ASP.NET applications on a
> Slackware 10 Linux server using Mono 1.0.2, do I have
> any similar options?

You could build something similar to DAPI (if key management is important),
keeping a secret key outside what the web server can access.

> Has anyone tried to encrypt data
> in Web.config and App.config files for Mono
> applications? Are there any articles or code samples
> that I can refer to?

I'm sure there are a lot of documents on the subject (as DAPI is only
available in Windows 2000+). Maybe not specific to Mono but for other
technologies (classic ASP, PHP ...) as this is a very common problem.

> It seems like there should be a very good API layer
> for managing data encryption in Linux, but what are
> those APIs and how can I access those them from
> managed code?
>
> Thanks for any help or advice you can offer!

Sebastien Pouliot
home: spouliot@videotron.ca
blog: http://pages.infinit.net/ctech/poupou.html