Benutzer:MovGP0/ASP.NET Core/Data Protection API

Data Protection API

Machine Key

used in classical ASP.NET Applications before Data Protection API
problematic in web farm scenarios (mey be put in `web.config`, but dangerous)
no key rotation
no key protection; attacker that gets key can decrypt forms and cookies

machine.config

<configuration>
  <system.web>
    <machineKey decryptionKey="" validationKey="" />
  </system.web>
</configuration>

Data Protection API

Replaces Machine Key
Keys are protected
Key per application
- Key per purpose within the application
Key rotation
More complex to setup, but uses strong default settings

App MasterKey + PurposeString ↦ used Key

IDataProtectionProvider dataProtectionProvider = ...;
IDataProtector dataProtector = dataProtectionProvider.CreateProtector("Demo.WebApp");
var encryptedString = dataProtector.Protect(someString);

Versioning

IDataProtectionProvider dataProtectionProvider = ...;
IDataProtector dataProtector = dataProtectionProvider.CreateProtector("Demo.WebApp", "v1");
var encryptedString = dataProtector.Protect(someString);

Location of Master Keys

Hosting Environment	Location
User profile	local app data folder + DPAPI
IIS	Registry + DPAPI
Azure	folder "Data Protection Keys"
other	no key persistence

Usage

PurposeStringConstants

public sealed class PurposeStringConstants
{
    public string ConferenceIdQueryString => "ConferenceIdQueryString";
}

Startup.cs

public void ConfigureServices(ISErviceCollection services)
{
    services.AddMvc();
    services.AddDataProtection(); // setup with fluent interface as needed

    services.AddSingleton<PurposeStringConstants>();
}

ConferenceRepository.cs

public sealed class ConferenceRepository
{
    private IDataProtector Protector { get; }
    private IList EncryptedConferences { get; } = new List<EncryptedConference>();

    public ConferenceRepository(
        IDataProtectionProvider dataProtectionProvider, 
        PurposeStringConstants purposeStringConstants)
    {
        Protector = protectionProvider.CreateProtector(purposeStringConstants.ConferenceIdQueryString);
    }

    public void Add(Conference conference)
    {
        var encryptedConference = new EncryptedConference
        {
             Name = protector.Protect(model.Name.ToString());
        }
        encryptedConferences.Add(encryptedConference);
    }

    // ...
}

Time Limiting Protected Data

Data can only be encrypted as long as the time has not expired
the key is stored in memory; gets thrown away when TimeLimitedDataProtector gets disposed
each instance has a different master key

var timeLimitedDataProtector = protector.ToTimeLimitedDataProtector();
timeLimitedDataProtector.Protect(someString, dateTime);

Environment Variables

stores secrets in environment variables
values in environment variables are not encrypted

var configuration = new ConfigurationBuilder()
   .SetBasePath(env.ContentRootPath)
   .AddJsonFile("appsettings.json")
   .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true)
   .AddEnvironmentVariables();
   .Build();
var connectionString = configuration["DefaultConnection"];

Secret Manager

adds secrets to json file in the user profile
data is not encrypted!
app needs UserSecretsId
only for development!

PowerShell / Package Manager Console

dotnet user-secrets set databasepassword secret

Startup.cs

var configuration = new ConfigurationBuilder()
   .SetBasePath(env.ContentRootPath)
   .AddJsonFile("appsettings.json")
   .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true)
   .AddUserSecrets();
   .Build();
var password = configuration["databasepassword"];

|}