How Is The Application Configuration File Protected From Tampering?
2012-04-10 10:11 barbarossia
The attack scenario: can an "end user" read the database connection string out of the configuration file and use the credentials in it to obtain whatever database privileges that account has?
The usual way to encrypt configuration settings on Windows is DPAPI, the Data Protection Application Programming Interface. Two points matter for this scenario: DPAPI ties the key to the Windows user account (or to the machine), so it keeps the string from anyone who cannot run code as the application's identity, but not from an attacker who can execute code as that account or as an administrator on the box; and a DPAPI blob is authenticated as well as encrypted, so a modified blob fails to decrypt instead of silently yielding a different connection string, which is what answers the "tampering" part of the question.
This Data Protection API (DPAPI) is a pair of function calls that provide OS-level data protection services to user and system processes. By OS-level, we mean a service that is provided by the operating system itself and does not require any additional libraries. By data protection, we mean a service that provides confidentiality of data through encryption. Since the data protection is part of the OS, every application can now secure data without needing any specific cryptographic code other than the necessary function calls to DPAPI.
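As an added example (not code from the original post), the following C# console program exercises the two DPAPI calls through their managed wrapper, System.Security.Cryptography.ProtectedData, which sits directly on CryptProtectData/CryptUnprotectData. It round-trips a constructed connection string and then flips one byte of the blob to show that DPAPI rejects a tampered blob rather than returning garbage. It assumes .NET Framework with a reference to System.Security.dll (on .NET 5+ the same type ships in the System.Security.Cryptography.ProtectedData package and is Windows-only); the entropy value and the sample credential are constructed for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original post: round-trips a connection string
// through DPAPI via the managed wrapper ProtectedData, which calls
// CryptProtectData / CryptUnprotectData underneath.
static class DpapiDemo
{
    // Optional entropy: an extra value mixed into the DPAPI key. Anyone who can
    // run code as the same account can still call CryptUnprotectData, but they
    // also need this value. Constructed constant for the demo.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("app-config-v1");

    static byte[] Protect(string plaintext, DataProtectionScope scope)
    {
        return ProtectedData.Protect(Encoding.UTF8.GetBytes(plaintext), Entropy, scope);
    }

    static string Unprotect(byte[] blob, DataProtectionScope scope)
    {
        return Encoding.UTF8.GetString(ProtectedData.Unprotect(blob, Entropy, scope));
    }

    static void Main()
    {
        // Constructed sample secret; not a real credential.
        const string connStr = "Server=db01;Database=Orders;User Id=app;Password=S3cret!";

        // CurrentUser: only the same Windows account on this machine can decrypt.
        // LocalMachine: any account on this machine can decrypt, so pair it with
        // entropy and a tight NTFS ACL on the file that holds the blob.
        byte[] blob = Protect(connStr, DataProtectionScope.CurrentUser);
        Console.WriteLine("Encrypted blob: {0} bytes", blob.Length);

        bool roundTripOk = Unprotect(blob, DataProtectionScope.CurrentUser) == connStr;
        Console.WriteLine("Round trip OK: {0}", roundTripOk);

        // Tampering: flip one byte of the blob. DPAPI blobs carry an HMAC, so the
        // modified blob fails integrity checking and Unprotect throws.
        byte[] tampered = (byte[])blob.Clone();
        tampered[tampered.Length - 1] ^= 0x01;
        try
        {
            Unprotect(tampered, DataProtectionScope.CurrentUser);
            Console.WriteLine("Tampered blob decrypted (unexpected)");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Tampered blob rejected: {0}", ex.Message);
        }
    }
}
```

Run it once as the application's own identity: a blob produced under CurrentUser for one account cannot be decrypted by another account, which is exactly the property you want when the "end user" and the service account differ, and exactly the trap to avoid when an operator encrypts a file under their own login and then deploys it to a service running as somebody else.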
Two articles describe it in more depth.
This article discusses the CryptProtectData API and the ConfigManager:
http://www.codeproject.com/Articles/15392/Implementing-Protected-Configuration-With-Windows
This article uses the ProtectedConfiguration API to protect sensitive information in your application's configuration file:
http://www.grimes.nildram.co.uk/workshops/secWSFifteen.htm
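As an added example (not code from either article or the original post), this C# program encrypts the <connectionStrings> section of its own App.config in place with the built-in DPAPI provider of ProtectedConfiguration, and decrypts it again when run with --decrypt. It assumes .NET Framework with a reference to System.Configuration.dll and an App.config that already contains a <connectionStrings> section; the provider name is the one registered in machine.config. Run it under the same Windows account the application will run as, because that is the account DPAPI must be able to decrypt for later.

```csharp
using System;
using System.Configuration;

// Added example, not from the original post: toggles DPAPI protection on the
// <connectionStrings> section of this executable's .exe.config using the
// ProtectedConfiguration API. Run as the application's own identity.
class ProtectConnectionStrings
{
    // Built-in provider registered in machine.config. The alternative,
    // "RsaProtectedConfigurationProvider", uses an exportable RSA key pair and
    // suits web farms where several machines must read the same file.
    const string DpapiProvider = "DataProtectionConfigurationProvider";

    static void Main(string[] args)
    {
        bool decrypt = args.Length > 0 && args[0] == "--decrypt";

        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConnectionStringsSection section = config.ConnectionStrings;

        if (!decrypt && !section.SectionInformation.IsProtected)
        {
            // Replaces the plaintext section on disk with <EncryptedData>.
            section.SectionInformation.ProtectSection(DpapiProvider);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Full);
            Console.WriteLine("connectionStrings encrypted with {0}", DpapiProvider);
        }
        else if (decrypt && section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Full);
            Console.WriteLine("connectionStrings written back as plaintext");
        }

        // Reading through the API stays transparent: the runtime decrypts on
        // load. Drop the cached copy so the re-read goes through the provider.
        ConfigurationManager.RefreshSection("connectionStrings");
        foreach (ConnectionStringSettings cs in ConfigurationManager.ConnectionStrings)
        {
            // The value is visible here only because this process runs as an
            // identity that DPAPI allows to decrypt the section.
            Console.WriteLine("{0}: {1}", cs.Name, cs.ConnectionString);
        }
    }
}
```

After the first run, open the .exe.config in a text editor: the connection string is gone and a <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider"> element wrapping <EncryptedData> has taken its place. An "end user" with read access to the file but no ability to run code as the service account sees only that blob, and editing the blob makes the section fail to load instead of pointing the application at a different database.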
About SecureString.
http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx
Securing Connection Strings.
Using a Server Certificate to Protect Web.Config
The custom protected config provider sample is here