Sensitive Data

• How do I protect sensitive data in configuration files?
• How do I protect sensitive data in memory?
• How do I protect my metadata?
• How do I protect sensitive data from being read on the wire?
• How do I protect sensitive data from being tampered with on the wire?

How do I protect sensitive data in configuration files?

Use the aspnet_regiis.exe tool with the -pe (provider encryption) option to encrypt sections of the configuration files.

For example, to encrypt the connectionStrings section, using the Windows Data Protection API (DPAPI) provider with the machine key store (the default configuration), run the following command from a command prompt:

aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI" 
-prov "DataProtectionConfigurationProvider" 

The aspnet_regiis configuration options are:

• -pe specifies the configuration section to encrypt.
• -app specifies your Web application's virtual path. If your application is nested, you need to specify the nested path from the root directory; for example, "/test/aspnet/MachineDPAPI".
• -prov specifies the provider name.

The .NET Framework supports the following protected configuration providers:

• RSAProtectedConfigurationProvider. This is the default provider; it uses the RSA public key encryption to encrypt and decrypt data. Use this provider to encrypt configuration files for use on multiple WCF services in a Web farm.
• DPAPIProtectedConfigurationProvider. This provider uses DPAPI to encrypt and decrypt data. Use this provider to encrypt configuration files for use on a single Windows Server.

You do not need to take any special steps for decryption because the .NET run time takes care of this for you.

Additional Resources

• For more information on encrypting a configuration section using DPAPI, see How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI.
• For more information on encrypting a configuration section using RSA, see How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA.

How do I protect sensitive data in memory?

To minimize exposure of secret data in memory, consider the following measures:

• Avoid creating multiple copies of the secret data because this increases your attack surface. Pass references to secret data instead of making copies of the data. Also understand that if you store secret data in immutable objects such as System.String, a new copy is created after each object manipulation.
• Keep the secret data encrypted for as long as possible. Decrypt the data at the last possible moment before you need to use the sensitive information it contains.
• Clean the cleartext version of the secret data as soon as you are done using it.

You can use the SecureString method to implement the above measures. The value of a SecureString object is automatically encrypted, can be modified until your application marks it as read-only, and can be deleted from computer memory by either your application or the .NET Framework garbage collector.

The following C# code creates an instance of the SecureString class and stores a data value in it.

using System;
using System.Collections.Generic;
using System.Text;

namespace TestSecureString 
{
    class Program 
    {
      static void Main(string[] args) 
        {
            System.Security.SecureString secstr = new System.Security.SecureString();
            secstr.AppendChar('W');
            secstr.AppendChar('C');
            secstr.AppendChar('F');
            secstr.MakeReadOnly();
            Console.WriteLine(secstr);
        }
    }
}

An exception is thrown if you attempt to alter the data because the code locks the string value with the MakeReadOnly method after the final character has been added. Therefore this string value may not be altered.

How do I protect my metadata?

You can protect the metadata of a service by creating a secure HTTPS GET metadata endpoint in its configuration. Set the httpsGetEnabled attribute of the <serviceMetadata> element to true and the httpsGetUrl attribute of the <serviceMetadata> element to the address of your metadata interface.

The following configuration code shows how to secure the metadata:

 <system.serviceModel>
  <behaviors>
   <serviceBehaviors>
    <behavior name="myServiceBehavior">
     <serviceMetadata httpsGetEnabled="true" httpsGetUrl="https://localhost:1234/calcMetadata" />
    </behavior>
   </serviceBehaviors>
  </behaviors>
 <services>
  <service behaviorConfiguration="myServiceBehavior" 
        name="MySamples.Calculator">
   <endpoint address="https://localhost:8037/Samples/calculator"
   binding="wsHttpBinding" bindingConfiguration=""   
   contract="MySamples.ICalculator" />
  </service>
 </services>
 </system.serviceModel>

Additional Resources

• For more information on publishing metadata endpoints, see Publishing Metadata Endpoints.

How do I protect sensitive data from being read on the wire?

Use message or transport security to encrypt your message, and keep sensitive information from being sniffed off the network. Message security encrypts each individual message to protect sensitive data. Transport security secures the end-to-end network connection to protect the network traffic.

How do I protect sensitive data from being tampered with on the wire?

Use message or transport security to check the integrity of your message and keep the messages from being tampered with on the network. Message security checks the integrity of each individual message. Transport security protects the end-to-end network connection to protect against tampering.