User:MovGP0/ASP.NET Core/Data Protection API
Data Protection API
Machine Key

- used in classic ASP.NET applications before the Data Protection API
- problematic in web farm scenarios (the key may be put into `web.config`, but that is dangerous)
- no key rotation
- no key protection; an attacker who obtains the key can decrypt forms and cookies
- machine.config

```xml
<configuration>
  <system.web>
    <!-- one static key pair shared by every server; once leaked, it stays leaked -->
    <machineKey decryptionKey="" validationKey="" />
  </system.web>
</configuration>
```
Data Protection API

- Replaces Machine Key
- Keys are protected
- Key per application
- Key per purpose within the application
- Key rotation
- More complex to set up, but uses strong default settings
- App master key + purpose string ↦ key actually used

```csharp
IDataProtectionProvider dataProtectionProvider = ...; // obtained from DI, see Startup.cs below
IDataProtector dataProtector = dataProtectionProvider.CreateProtector("Demo.WebApp");
var encryptedString = dataProtector.Protect(someString);
```

- Versioning

```csharp
IDataProtectionProvider dataProtectionProvider = ...;
// sub-purpose "v1": a later "v2" protector derives a different key and cannot read v1 payloads
IDataProtector dataProtector = dataProtectionProvider.CreateProtector("Demo.WebApp", "v1");
var encryptedString = dataProtector.Protect(someString);
```
- Location of Master Keys

| Hosting Environment | Location |
|---|---|
| User profile | local app data folder + DPAPI |
| IIS | Registry + DPAPI |
| Azure | folder "Data Protection Keys" |
| other | no key persistence |
Usage

- PurposeStringConstants

```csharp
public sealed class PurposeStringConstants
{
    // one purpose string per use of the Data Protection API, so a payload
    // protected for one purpose cannot be unprotected under another
    public string ConferenceIdQueryString => "ConferenceIdQueryString";
}
```

- Startup.cs

```csharp
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
    services.AddDataProtection(); // set up with the fluent interface as needed
    services.AddSingleton<PurposeStringConstants>();
}
```

- ConferenceRepository.cs

```csharp
public sealed class ConferenceRepository
{
    private IDataProtector Protector { get; }
    private IList<EncryptedConference> EncryptedConferences { get; } = new List<EncryptedConference>();

    public ConferenceRepository(
        IDataProtectionProvider dataProtectionProvider,
        PurposeStringConstants purposeStringConstants)
    {
        // derive a protector bound to this one purpose
        Protector = dataProtectionProvider.CreateProtector(purposeStringConstants.ConferenceIdQueryString);
    }

    public void Add(Conference conference)
    {
        var encryptedConference = new EncryptedConference
        {
            Name = Protector.Protect(conference.Name.ToString())
        };
        EncryptedConferences.Add(encryptedConference);
    }

    // ...
}
```
Time Limiting Protected Data

- Data can only be decrypted as long as the expiration time has not passed
- the key is stored in memory; it gets thrown away when the TimeLimitedDataProtector gets disposed
- each instance has a different master key

```csharp
using Microsoft.AspNetCore.DataProtection;

// wrap an existing protector; the expiration is enforced when the payload is unprotected
var timeLimitedDataProtector = protector.ToTimeLimitedDataProtector();
timeLimitedDataProtector.Protect(someString, dateTime); // dateTime: DateTimeOffset expiration
```
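The three mechanisms from the sections above (purpose isolation, versioned sub-purposes, time-limited payloads) in one console program, added here as an example and not taken from these notes. It assumes the NuGet package Microsoft.AspNetCore.DataProtection.Extensions and a writable key folder `dp-keys` (a constructed path); the application name `Demo.WebApp` is the one used above.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Threading;
using Microsoft.AspNetCore.DataProtection;

public static class DataProtectionDemo
{
    public static void Main()
    {
        // Key ring persisted as XML in ./dp-keys (constructed path). Nothing protects the
        // keys at rest in this setup, so it is for demonstration only; compare the table above.
        IDataProtectionProvider provider = DataProtectionProvider.Create(
            new DirectoryInfo("dp-keys"), builder => builder.SetApplicationName("Demo.WebApp"));

        // Same master key ring, different purpose strings -> different derived keys.
        IDataProtector cookieProtector = provider.CreateProtector("Demo.WebApp.Cookie");
        IDataProtector queryProtector = provider.CreateProtector("Demo.WebApp.ConferenceId");

        string payload = cookieProtector.Protect("conference-42");
        Console.WriteLine(cookieProtector.Unprotect(payload));
        try
        {
            queryProtector.Unprotect(payload); // payload was protected for another purpose
        }
        catch (CryptographicException)
        {
            Console.WriteLine("payload rejected: protector has a different purpose");
        }

        // Versioning via sub-purposes: a "v2" protector cannot read "v1" payloads.
        IDataProtector v1 = provider.CreateProtector("Demo.WebApp.ConferenceId", "v1");
        IDataProtector v2 = provider.CreateProtector("Demo.WebApp.ConferenceId", "v2");
        string v1Payload = v1.Protect("conference-42");
        try { v2.Unprotect(v1Payload); }
        catch (CryptographicException) { Console.WriteLine("v2 protector rejects v1 payload"); }

        // Time limiting: the expiry travels inside the payload and is checked on Unprotect.
        ITimeLimitedDataProtector limited = queryProtector.ToTimeLimitedDataProtector();
        string ticket = limited.Protect("conference-42", DateTimeOffset.UtcNow.AddSeconds(1));
        string value = limited.Unprotect(ticket, out DateTimeOffset expires);
        Console.WriteLine($"{value} valid until {expires:O}");
        Thread.Sleep(1500);
        try { limited.Unprotect(ticket); }
        catch (CryptographicException) { Console.WriteLine("ticket expired"); }
    }
}
```

Every rejected case surfaces as a CryptographicException, which is the signal to treat the incoming value as untrusted input rather than as a bug.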
Environment Variables

- stores secrets in environment variables
- values in environment variables are not encrypted

```csharp
var configuration = new ConfigurationBuilder()
    .SetBasePath(env.ContentRootPath)
    .AddJsonFile("appsettings.json")
    .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true)
    .AddEnvironmentVariables() // later sources override values from earlier ones
    .Build();
var connectionString = configuration["DefaultConnection"];
```
Secret Manager

- adds secrets to a JSON file in the user profile
- data is not encrypted!
- app needs a UserSecretsId
- only for development!
- PowerShell / Package Manager Console

```shell
dotnet user-secrets set databasepassword secret
```

- Startup.cs

```csharp
var configuration = new ConfigurationBuilder()
    .SetBasePath(env.ContentRootPath)
    .AddJsonFile("appsettings.json")
    .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true)
    .AddUserSecrets() // reads the secrets file from the user profile, looked up by UserSecretsId
    .Build();
var password = configuration["databasepassword"];
```