Encrypting connection strings in app.config for WinForms app - winforms

I'm using common database code between a web and WinForms app. I've researched and worked out how to encrypt the connection strings section of a web.config and app.config file. That part is ok. I have also worked out how to decrypt the connection strings in my Azure web app, that's ok. I can also read the connection strings in my WinForms app after loading the .pfx file into the machine's certificate store, but after I reboot it fails, because it can't find a private key in the pfx file.
I am using a certificate created with these commands:
makecert -r -pe -n "CN=myconfig" -sky exchange "myconfig.cer" -sv "myconfig.pvk"
pvk2pfx -pvk "myconfig.pvk" -spc "myconfig.cer" -pfx "myconfig.pfx" -pi
This gives me 3 files: myconfig.pvk, myconfig.cer, myconfig.pfx
I assume the problem is the private key isn't stored in the pfx file, and needs to be re-authenticated each time after a reboot, but I don't know enough about encryption to know how to do that. Further, the WinForms app is for very limited distribution onto controlled machines, so I'd like to install each certificate manually.
I'm a newbie to encryption and am stuck. Can I load a .pfx file onto a machine, enter the private key (which I know but won't tell the user) and have that stored persistently? Am I missing something: is there a different certificate file I should install, or a different way of generating it? I don't want to leave the private key accessible. If someone steals the app.config, I don't want them to be able to decrypt it.
Note: I have read about the RsaProtectedConfigurationProvider and DPAPIProtectedConfigurationProvider. I have chosen to use PKCS12ProtectedConfigurationProvider because it works with Azure, ref: http://blogs.msdn.com/b/sqlazure/archive/2010/09/07/10058942.aspx

I stumbled on the answer when I deployed the app to my local IIS & got the error "Failed to decrypt using provider 'CustomProvider'. Error message from the provider: Keyset does not exist"
There was a permissions problem with the private key, resolved with the help of this article:
CryptographicException 'Keyset does not exist', but only through WCF
The article includes a number of possible causes; the one which fixed my issue was fixing the permissions in 'Manage Private Keys' from the MMC Certificates snap-in (see link; the steps are well laid out).

Related

Travis CI build fails because it can't find the secret key file stored in my local home directory. How to handle this?

I can't put the secret key file in the project folder. How can I handle this scenario?
My properties file has a database password which is encrypted. My project uses it to connect to an embedded H2 database.
Is there any other encryption method that I can use?
Edit:
Language: Java
Scenario --> I have a .secret file that has a private key
Now I have a properties file that has a property: db.password=encryptedPassword
When connecting to DB in my unit tests, I need the secret key file to be able to decrypt the password. This works fine in my local as the .secret file is in my user.home directory.
But when the build runs in Travis CI it fails because it can't find the .secret file.
I think you must get the private key in a different way for Unit Tests purposes.
Travis CI allows you to configure environment variables, so you can store the private key in an environment variable, i.e. PRIVATE_KEY=Content_of_Private_key
In your code you can get that content as follows:
System.getenv().get("PRIVATE_KEY"); // This call returns the content you need to decrypt your password.
Like I said, this behavior should be a good approach for your Unit tests.
Hope it helps!

How to login authentication with saved encrypted data using file(basically digital certificate) in laravel 5.1

I want to log in with a file that contains someone's digital certificate. The user first registers with the certificate contents, which are in base64 format; when registering, the content of the certificate is encrypted and saved into the database, and when logging in with this file, I want to log in by matching against that data after decrypting it. Please help with how to do this. Also, each time I encrypt, the file content is saved with different characters; is it possible to save 3323 characters in the database? Please help.
// controller
$main_file = $request->file;
//$con = $main_file->getClientOriginalName();
$con = file_get_contents($main_file->getRealPath());
$files = Crypt::encrypt($con);
dd($files);
$file = Input::file('file')->getClientOriginalName();
$contents = File::get($main_file);
dd($contents);
Now, to authenticate with this saved encrypted data, what is a possible way to save the encrypted 3322 characters in the database? I am really stuck. Can anyone help me? The main task is to log in with the file contents. Thanks.
Sounds like you're trying to implement some kind of shared private key authentication. It's not clear why you want to do that (more on that later), but it sounds like a bad idea right from the start because you are immediately confronted with a difficult problem: how do you get the private key from the client to the server in a secure way?
A better way to do it would be a private/public key system, similar to the sort of thing SSH does when you set up passwordless login. Basically (very basically - I'm not an expert) the idea is that the client generates a private/public key pair and then sends the public key to the server. On authentication, the private key is used to encrypt a message. This encrypted message is sent to the server, where the public key is used to decrypt it. If the correct message was received, then the client is authenticated.
Rather than having some sort of shared certificate, I'd recommend following this model. That way you don't have to share sensitive information (the client's private key) with the server.
Ultimately, you need to think about why you want to do this.
You think this will be more convenient for clients? Well, for SSH, it certainly is more convenient to log in this way, because SSH has a mechanism for automatically encrypting and passing messages in a secure way. For HTTP? Not so much. The user is going to need to generate a file then use an upload form just to log in. Passwords are much quicker and easier.
You think it will be more secure? The way you've described it (a shared private key) will probably be less secure because you somehow have to get the private key from the client to the server without it being compromised - remember, if the private key is compromised, anyone can impersonate the client. The way SSH does it is more secure because the private key never leaves the client.
Ultimately, I think you can probably get what you're looking for with a) strictly enforced password complexity rules and b) HTTPS.
If security on your site is so important that you cannot rely on HTTPS and complex passwords, then you should probably be looking at a more comprehensive solution that will encrypt all traffic between the client and the server, such as a VPN (virtual private network).

PushSharp - The credentials supplied to the package were not recognized

I have been searching for an answer for this for a long time now. There are a zillion discussions but none seems to have helped me (I have tried everything I have read).
I have an ASP.NET website that sends Apple push notifications. I created a console app using PushSharp and ran it on my server; the push notifications get sent/received successfully. I run the console app on my local dev system, and it also works. I run my 'website' from IIS Express on my local system, and the push notifications are also successful. But running in IIS on my server, I am getting the dreaded 'The credentials supplied to the package were not recognized'. Any help at this point would be fantastic. Thanks
Previously, every time I have run into this issue, I have had to delete the cert out of my local machine cert store and re-import it. Then it all seems happy. I can't see how it could be a global permissions issue or invalid cert if simply re-importing it fixes the issue.
How I finally fixed it was using the winhttpcertcfg tool from the Windows Resource Kit to grant permission to the specific user that was using the cert.
The syntax would be:
"C:\Program Files (x86)\Windows Resource Kits\Tools\winhttpcertcfg" -i cert.p12 -c LOCAL_MACHINE\My -a UserWhoUsesTheCert -p passwordforp12
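The "Keyset does not exist" answer earlier on this page (Manage Private Keys in the MMC snap-in) and the winhttpcertcfg answer above both come down to the same operation: giving the account that runs the app read access to the certificate's private key. A scripted equivalent follows as an added example, not code from either poster. It assumes Windows PowerShell 5.1, an elevated prompt and a legacy CSP key (the kind makecert/pvk2pfx produce) in the machine key store; the function names and the account name are hypothetical.

```powershell
# Added example: grant one account Read on a machine-store certificate's private key.
function Get-MachineKeyPath {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)

    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key; import the .pfx, not the .cer."
    }
    # CspKeyContainerInfo is only available for legacy CSP keys (assumption stated above).
    $info = $Certificate.PrivateKey.CspKeyContainerInfo
    if ($null -eq $info) {
        throw "Private key is not a CSP key; this example does not cover CNG keys."
    }
    if (-not $info.MachineKeyStore) {
        throw "Private key is stored in a user profile, not the machine key store."
    }
    Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
}

function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)] [string] $Subject,  # e.g. 'CN=myconfig' from the makecert command
        [Parameter(Mandatory)] [string] $Account   # placeholder: identity the app runs as
    )
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject })
    if ($certs.Count -ne 1) {
        throw "Expected one certificate with subject '$Subject' in LocalMachine\My, found $($certs.Count)."
    }
    $keyPath = Get-MachineKeyPath -Certificate $certs[0]

    # Read is enough to decrypt or sign; avoid FullControl for a service identity.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl = Get-Acl -Path $keyPath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl

    # Return the resulting ACL entries so the change can be reviewed.
    (Get-Acl -Path $keyPath).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage (the account name is a placeholder, not taken from the page):
# Grant-PrivateKeyRead -Subject 'CN=myconfig' -Account 'IIS AppPool\MyAppPool'
```

The returned ACL list is also a quick audit: only SYSTEM, Administrators and the one service identity should appear on the key file.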

Connecting to a webservice that requires a username, password and a .cer file using Axis2/C

--First a little background:--
I have already managed to connect to a Microsoft web service using C#. To use this web service, I have to supply a username and a password in the C# code. I also have to install a certificate (in .cer format) into the "Root Certificate Authorities" section of the system's certificates.
(By the way, the C# class I use to connect to the service was automatically generated for me with the command line tool "svcutil.exe https://address.of.service")
--Here is my question:--
How can I connect to this web service using Axis2/C? The example in the documentation is of a completely different nature -- it asks for a certificate, key file, and a passphrase. In my case, it is username, password, and a .cer file.
So I'm not sure where to even begin. I don't know where my .cer file, username and password should go exactly. Any ideas?
If at all possible stay away from Axis2, perhaps use gSOAP instead.
That said, figure out which of the HTTP libraries you are building Axis2 with (I believe it can use a number of different ones depending on which OS you are building etc).
Also you might want to update your question with the reference to the sample program you are talking about and relevant excerpt from the C# client for reference.

AppHarbor - Same SQL Server in more than one application

I am using the variables to configure the same "connection string" between two applications, since the two do access the same database of users.
Can I set the same SQL Server (Nano 10GB) in more than one application to use transformation for web.config?
This is not currently possible since there is no way to have the connection string injected into applications other than the one that has the add-on provisioned. Feel free to add this as a feedback suggestion.
It is possible, but requires some legwork. Basically you need to have one app with a known location (URL is fine) that the others can ask for the Connection String. The hard part is doing it securely enough. I'm partway there...
I've rigged up a system where you have a password that both of your apps know in AppSettings, and the Secondary Website sends a Public Key to the Primary Website with the password. The Primary Website then encodes the connection string and sends it back.
The password CAN be injected by AppHarbor when it does a deploy. And the connection string is also set up on the deploy. Ideally you'd use SSL but I don't have that set up and it makes life hard when working locally.
Proof Of Concept: https://bitbucket.org/Rangoric/database-coordination/overview
It does work, just start both of the website projects in there, and go to http://localhost:4002/Database and you will see what is in the connection String of the Primary website.
EDIT: I just realized that since you can piggyback on the SSL cert of AppHarbor with the free subdomain they give you, you can use that URL for added security if you don't have your own SSL cert.
