User:MovGP0/ASP.NET Core/Data Protection API
from Wikipedia, the free encyclopedia
Data Protection API
Machine Key
- used in classic ASP.NET applications, before the Data Protection API existed
- problematic in web farm scenarios: every node needs the identical key, so it ends up in `web.config` in plaintext, which is dangerous
- no key rotation
- no key protection: an attacker who obtains the key can decrypt and forge view state, forms authentication tickets and cookies
- machine.config (or web.config; on a farm the values must be identical on every node)
<configuration>
  <system.web>
    <!-- hex-encoded secrets; the empty values here are placeholders only -->
    <machineKey decryptionKey="" validationKey="" decryption="AES" validation="HMACSHA256" />
  </system.web>
</configuration>
Data Protection API
- replaces the machine key
- keys are protected at rest (encrypted with DPAPI, a certificate, etc., depending on the host)
- key ring per application (isolated by application name)
- key per purpose within the application, derived from the master key
- automatic key rotation; expired keys stay in the ring so existing payloads can still be unprotected
- more complex to set up, but strong defaults (AES-256-CBC with HMACSHA256 authenticated encryption)
- app master key + purpose string ↦ the key actually used; a payload protected under one purpose cannot be unprotected under another
using Microsoft.AspNetCore.DataProtection;

IDataProtectionProvider dataProtectionProvider = ...; // normally injected by DI
IDataProtector dataProtector = dataProtectionProvider.CreateProtector("Demo.WebApp");
var protectedString = dataProtector.Protect(someString);
var plaintext = dataProtector.Unprotect(protectedString); // throws CryptographicException on tampering or wrong purpose
- Versioning (sub-purposes chain: "Demo.WebApp" + "v1" derives a different key than "Demo.WebApp" alone, so a v1 payload is rejected by a v2 protector)
IDataProtectionProvider dataProtectionProvider = ...; // normally injected by DI
IDataProtector dataProtector = dataProtectionProvider.CreateProtector("Demo.WebApp", "v1");
var protectedString = dataProtector.Protect(someString);
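The purpose isolation and version chaining described above, as an added C# example that is not from the original page. It uses `EphemeralDataProtectionProvider` (keys held only in this process) so that it runs stand-alone; in a real application `IDataProtectionProvider` comes from dependency injection. The purpose strings and the `conference-42` payload are made up for the demo.

```csharp
// Added example: purpose isolation and version chaining in the Data Protection API.
// EphemeralDataProtectionProvider is used only so the sample runs without persisted keys.
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public static class PurposeDemo
{
    public static void Main()
    {
        // Keys live only in this process; never use this for cookies or tokens that
        // must survive a restart or be read by another instance.
        IDataProtectionProvider provider = new EphemeralDataProtectionProvider();

        // Two protectors from the same provider, different purposes (hypothetical names).
        IDataProtector queryProtector  = provider.CreateProtector("Demo.WebApp", "ConferenceIdQueryString");
        IDataProtector cookieProtector = provider.CreateProtector("Demo.WebApp", "AuthCookie");

        string token = queryProtector.Protect("conference-42");
        Console.WriteLine($"Protected: {token}");

        // Same purpose round-trips.
        Console.WriteLine(queryProtector.Unprotect(token)); // conference-42

        // Different purpose: a different derived key, so Unprotect fails with a
        // CryptographicException instead of returning garbage. This is what stops a
        // value minted for one feature from being replayed into another.
        try
        {
            cookieProtector.Unprotect(token);
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine($"Rejected under other purpose: {ex.GetType().Name}");
        }

        // Tampering: flipping one character of the payload is detected, not silently accepted.
        string tampered = token.Substring(0, token.Length - 1) + (token[^1] == 'A' ? 'B' : 'A');
        Console.WriteLine(TryUnprotect(queryProtector, tampered) ?? "tampered payload rejected");

        // Versioning: CreateProtector chains purposes. "v1" and "v2" under the same parent
        // are as isolated as any two purposes, so an app can issue v2 payloads while still
        // accepting v1 during a migration window by trying the newest version first.
        IDataProtector v1 = queryProtector.CreateProtector("v1");
        IDataProtector v2 = queryProtector.CreateProtector("v2");
        string v1Token = v1.Protect("conference-42");
        Console.WriteLine(TryUnprotect(v2, v1Token) ?? TryUnprotect(v1, v1Token)); // conference-42 via v1
    }

    // Returns null instead of throwing so callers can fall through to an older version.
    static string? TryUnprotect(IDataProtector protector, string payload)
    {
        try { return protector.Unprotect(payload); }
        catch (CryptographicException) { return null; }
    }
}
```

The fallback order matters: always try the newest protector first and retire the old one once no live payloads remain, otherwise the "migration window" silently becomes permanent.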
- Location of master keys (the key ring chosen when `AddDataProtection()` is called without explicit persistence)
  Hosting environment | Location
  User profile        | local app data folder (`%LOCALAPPDATA%\ASP.NET\DataProtection-Keys` on Windows, `~/.aspnet/DataProtection-Keys` on Linux/macOS), keys encrypted with DPAPI on Windows
  IIS                 | HKLM registry, keys encrypted with DPAPI
  Azure App Service   | folder `DataProtection-Keys` under the site's home directory
  other               | no key persistence: ephemeral keys in memory only, lost on restart and unusable across instances
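When none of the default locations fits (typically a web farm where every node must unprotect payloads minted by any other node), the fluent interface on `AddDataProtection()` selects the key store and its protection explicitly. The following `ConfigureServices` is an added C# example, not from the original page; the UNC path `\\fileserver\dpkeys`, the application name and the certificate thumbprint are hypothetical, and the certificate is assumed to be installed in the machine store of every node.

```csharp
// Added example: explicit key ring configuration for a web farm.
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        services.AddDataProtection()
            // Discriminator for the key ring. Without it the content root path is used, so two
            // deployments of the same app in different folders would not share keys, while two
            // unrelated apps deployed to the same folder would.
            .SetApplicationName("Demo.WebApp")
            // Hypothetical UNC share readable only by the app pool identities. All farm nodes
            // read and write the same key ring, so a cookie protected on node A unprotects on node B.
            .PersistKeysToFileSystem(new DirectoryInfo(@"\\fileserver\dpkeys"))
            // Key material on the share must itself be encrypted. DPAPI is the wrong choice here:
            // it binds the key to the machine (or user) that encrypted it, so the other nodes could
            // not read it. A certificate present on every node works; ProtectKeysWithDpapi() is
            // the right call only on a single host. The thumbprint below is a placeholder.
            .ProtectKeysWithCertificate("3F2A0A6B1C9E4D5F8A7B6C5D4E3F2A1B0C9D8E7F")
            // Rotation: a new key is generated automatically before the current one expires.
            // Retired keys stay in the ring for Unprotect, so rotation does not log users out.
            .SetDefaultKeyLifetime(TimeSpan.FromDays(90));
    }
}
```

Check after deployment that the share contains `key-<guid>.xml` files whose `<encryptedKey>` element is present; an unencrypted `<masterKey>` in those files means the protection step was not applied and the share itself has become the secret.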
Usage
- PurposeStringConstants
public sealed class PurposeStringConstants
{
public string ConferenceIdQueryString => "ConferenceIdQueryString";
}
- Startup.cs
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
    services.AddDataProtection(); // set up key persistence and protection with the fluent interface as needed
    services.AddSingleton<PurposeStringConstants>();
}
- ConferenceRepository.cs
using System.Collections.Generic;
using Microsoft.AspNetCore.DataProtection;

public sealed class ConferenceRepository
{
    private IDataProtector Protector { get; }
    private IList<EncryptedConference> EncryptedConferences { get; } = new List<EncryptedConference>();

    public ConferenceRepository(
        IDataProtectionProvider dataProtectionProvider,
        PurposeStringConstants purposeStringConstants)
    {
        // one protector per purpose; a payload protected here cannot be unprotected under any other purpose
        Protector = dataProtectionProvider.CreateProtector(purposeStringConstants.ConferenceIdQueryString);
    }

    public void Add(Conference conference)
    {
        var encryptedConference = new EncryptedConference
        {
            Name = Protector.Protect(conference.Name)
        };
        EncryptedConferences.Add(encryptedConference);
    }
    // ...
}
Time Limiting Protected Data
- the payload can only be unprotected (decrypted) until the embedded expiry time; after that `Unprotect` throws a CryptographicException
- the expiry is stored inside the protected payload and authenticated together with it, so a client cannot extend it by editing the token
- the time-limited protector wraps an existing IDataProtector and uses the same key ring; keys held purely in memory with one key per instance are the behaviour of EphemeralDataProtectionProvider, not of the time-limited protector
var timeLimitedDataProtector = protector.ToTimeLimitedDataProtector();
var protectedString = timeLimitedDataProtector.Protect(someString, expiration: dateTimeOffset); // or lifetime: TimeSpan
var plaintext = timeLimitedDataProtector.Unprotect(protectedString, out DateTimeOffset expiration);
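The expiry behaviour described above, as an added C# example that is not from the original page. It uses `EphemeralDataProtectionProvider` so it runs stand-alone; the purpose string and the `reset:user-17` payload are made up, and the two-second lifetime is chosen only so the expiry can be observed in the demo.

```csharp
// Added example: a time-limited protector embeds the expiry in the payload; Unprotect,
// not Protect, is what fails once it has passed.
using System;
using System.Security.Cryptography;
using System.Threading;
using Microsoft.AspNetCore.DataProtection;

public static class TimeLimitedDemo
{
    public static void Main()
    {
        IDataProtectionProvider provider = new EphemeralDataProtectionProvider();
        IDataProtector protector = provider.CreateProtector("Demo.WebApp", "PasswordResetLink");

        // Same key ring as 'protector'; the lifetime is enforced by a timestamp inside the payload.
        ITimeLimitedDataProtector limited = protector.ToTimeLimitedDataProtector();

        string token = limited.Protect("reset:user-17", lifetime: TimeSpan.FromSeconds(2));

        // Within the window: returns the plaintext and reports the embedded expiry.
        string plaintext = limited.Unprotect(token, out DateTimeOffset expiration);
        Console.WriteLine($"{plaintext} valid until {expiration:O}");

        Thread.Sleep(TimeSpan.FromSeconds(3));

        // After expiry the protector refuses the payload even though the key itself is still valid.
        try
        {
            limited.Unprotect(token);
            Console.WriteLine("unexpected: expired token accepted");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine($"Expired: {ex.Message}");
        }

        // The expiry is part of the authenticated payload: editing the token to move it
        // is detected the same way as any other tampering.
        string tampered = token.Substring(0, token.Length - 1) + (token[^1] == 'A' ? 'B' : 'A');
        try
        {
            limited.Unprotect(tampered);
            Console.WriteLine("unexpected: tampered token accepted");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("Tampered token rejected");
        }
    }
}
```

For one-shot tokens such as password reset links the expiry only bounds the replay window; single use still has to be enforced by the application (for example by recording the consumed token or by changing a value that goes into the payload).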
Environment Variables
- stores secrets in environment variables
- values in environment variables are not encrypted; they are readable by every process running under the same user and tend to leak into logs, crash dumps and child processes
- hierarchical keys use `__` as separator in variable names (e.g. `ConnectionStrings__DefaultConnection` for `ConnectionStrings:DefaultConnection`)
using Microsoft.Extensions.Configuration;

var configuration = new ConfigurationBuilder()
    .SetBasePath(env.ContentRootPath)
    .AddJsonFile("appsettings.json")
    .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true)
    .AddEnvironmentVariables() // registered last, so it overrides values from the JSON files
    .Build();
var connectionString = configuration["DefaultConnection"];
Secret Manager
- adds secrets to a JSON file in the user profile (outside the project tree, so they are not committed by accident)
- data is not encrypted!
- app needs a UserSecretsId (a `<UserSecretsId>` element in the project file, created by `dotnet user-secrets init`)
- only for development!
- PowerShell / Package Manager Console
dotnet user-secrets set databasepassword secret
- Startup.cs
using Microsoft.Extensions.Configuration;

var builder = new ConfigurationBuilder()
    .SetBasePath(env.ContentRootPath)
    .AddJsonFile("appsettings.json")
    .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true);
if (env.IsDevelopment())
{
    // reads the UserSecretsId from the assembly attribute generated from the project file
    builder.AddUserSecrets<Startup>();
}
var configuration = builder.Build();
var password = configuration["databasepassword"];