-
Oct 24th, 2009, 05:23 AM
#1
Thread Starter
Hyperactive Member
[RESOLVED] Web.config
how to encrypt web.config
with SHA 512.
any help..
-
Oct 24th, 2009, 09:05 AM
#2
Re: Web.config
Hey,
Are you looking to encrypt the whole web.config file, or are you just wanting to encrypt certain sections? If it is the latter, then have a look here:
http://weblogs.asp.net/scottgu/archi...09/434893.aspx
Hope that helps!!
Gary
-
Oct 24th, 2009, 09:21 AM
#3
Thread Starter
Hyperactive Member
Re: Web.config
no i want to encrypt the connection string in my web.config...
also i need a way to use that connection string in my code..
so far i've encrypted my web.config & restored back using decryption..
rsa algorithm...
but no success while reading the connection string..
i can post my code..if u don't understand my requirement..?
-
Oct 24th, 2009, 09:24 AM
#4
Re: Web.config
Hey,
If you follow the link that I provided to you, you will see how you can encrypt just the connectionstrings sections of the web.config file.
If you use the built in encryption methods, then you don't actually have to explicitly decrypt the section again, this is handled for you automatically.
Gary
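An added example, not part of any post in this thread: encrypting only the connectionStrings section with the built-in protected-configuration API and then reading the value with no decryption code. The class name and the connection string name "MyDb" are assumptions.

```csharp
using System.Configuration;
using System.Web;
using System.Web.Configuration;

public static class ConnectionStringProtection
{
    // Encrypts <connectionStrings> in the application's web.config in place.
    // Intended to run once, e.g. from a deployment step or an admin-only page.
    public static void Protect()
    {
        Configuration config =
            WebConfigurationManager.OpenWebConfiguration(HttpRuntime.AppDomainAppVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section != null && !section.SectionInformation.IsProtected)
        {
            // Built-in RSA provider; the key is held in a machine-level key container.
            section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
            config.Save();
        }
    }

    // Reading is unchanged: ASP.NET decrypts the protected section on access.
    public static string Read()
    {
        // "MyDb" is a hypothetical name; use the name attribute from your web.config.
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings["MyDb"];
        if (settings == null)
            throw new ConfigurationErrorsException("Connection string 'MyDb' not found.");
        return settings.ConnectionString;
    }
}
```

The RSA provider ties the encrypted section to a key container on the server, so the account the site runs under needs read access to that container before `Read()` will succeed.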
-
Oct 24th, 2009, 09:56 AM
#5
Thread Starter
Hyperactive Member
Re: Web.config
what is the difference between connection string & machine key..?
-
Oct 24th, 2009, 10:15 AM
#6
Re: Web.config
Hey,
They are two completely different things?!?
Why are you asking about the difference between them? Your question does not seem to make any sense? What is the context of the question?
Gary
-
Oct 24th, 2009, 10:19 AM
#7
Thread Starter
Hyperactive Member
Re: Web.config
no i was reading the article you suggested me..
so came up with this question...
anyways thanks for the help..
problem resolved..
but one more thing...
i need to secure my password in my database..
for which asp.net provides..
MD5, SHA 1, SHA 256, SHA 384 & SHA 512..
so which one is best algorithm with good security features...
-
Oct 24th, 2009, 10:26 AM
#8
Re: Web.config
Hey,
Again, I am not sure if I understand your question.
Are you referring to the ASP.Net Membership provider where you specify the type of encryption for your password, or have you implemented your own user registration?
Gary
-
Oct 24th, 2009, 10:31 AM
#9
Thread Starter
Hyperactive Member
Re: Web.config
when user comes to my site..
it does the registration process..
after submit...i'll encrypt the user password using above mentioned algorithms..
and then i'll be saving the user information to my database..
so which algorithm do you think is the best..?
one more thing...what is salt..is it going to help me...
-
Oct 24th, 2009, 10:33 AM
#10
Thread Starter
Hyperactive Member
Re: Web.config
Code:
Sub AddCredentials_Click(s As Object, e As EventArgs)
    ' sqlCmd, objCmd and objConn are declared elsewhere on the page
    sqlCmd = "INSERT INTO Users (Username, Pass, Email) " & _
             "VALUES (@Username, @Pass, @Email)"
    objCmd = New OleDbCommand(sqlCmd, objConn)
    objCmd.Parameters.AddWithValue("@Username", txtUsername.Text)
    ' Stores an unsalted SHA1 hex digest of the password
    objCmd.Parameters.AddWithValue("@Pass", _
        FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text, "SHA1"))
    objCmd.Parameters.AddWithValue("@Email", txtEmail.Text)
    objConn.Open()
    objCmd.ExecuteNonQuery()
    objConn.Close()
End Sub
this is just a sample where i am using SHA 1...
-
Oct 24th, 2009, 10:36 AM
#11
Re: Web.config
Hey,
That doesn't answer the question.
How are you handling the user registration? Are you using the ASP.Net Membership Provider or not?
If you are, then you don't have to handle the encryption explicitly, the Membership Provider does this for you.
I think you should spend some time deciding exactly what you want to achieve, as it is not a straightforward question.
For instance, do you want symmetric encryption, asymmetric encryption, or is all you are actually trying to achieve a hash of the password?
The salt is the value that you pass into the encryption algorithm in order to do the encryption. Providing a different salt value will result in a different encryption.
Gary
-
Oct 24th, 2009, 10:38 AM
#12
Thread Starter
Hyperactive Member
Re: Web.config
no not using any membership providers..!
and in my above code i didn't use any salt..
i've just mentioned the SHA1..
-
Oct 24th, 2009, 10:43 AM
#13
Re: Web.config
Hey,
In which case, I would recommend that you stick with SHA1.
http://www.secure-hash-algorithm-md5-sha-1.co.uk/
Since you are using a built in method, the complexity of the actual encryption is abstracted for you, so in this case, you don't need to worry about the salt.
Gary
-
Oct 24th, 2009, 10:48 AM
#14
Thread Starter
Hyperactive Member
Re: Web.config
 Originally Posted by gep13
Hey,
In which case, I would recommend that you stick with SHA1.
http://www.secure-hash-algorithm-md5-sha-1.co.uk/
Since you are using a built in method, the complexity of the actual encryption is abstracted for you, so in this case, you don't need to worry about the salt.
Gary
Code:
using System.Security.Cryptography; // for the SHA1, SHA256, SHA384, SHA512 and MD5 type names

protected void Page_Load(object sender, EventArgs e)
{
    MyMD5();
    MySHA1();
    MySHA256();
    MySHA384();
    MySHA512();
}
protected void MySHA1()
{
    SHA1 sha1 = new System.Security.Cryptography.SHA1Managed();
    byte[] sha1Bytes = System.Text.Encoding.Default.GetBytes("TataDocomo");
    byte[] cryString = sha1.ComputeHash(sha1Bytes);
    string sha1Str = string.Empty;
    for (int i = 0; i < cryString.Length; i++)
    {
        // "X2" keeps the leading zero of bytes below 0x10, so every byte gives two hex digits
        sha1Str += cryString[i].ToString("X2");
        //sha1Str += cryString[i].ToString();
    }
    Response.Write("SHA1 : " + sha1Str + "<br /><br />");
}
protected void MySHA256()
{
    SHA256 sha256 = new System.Security.Cryptography.SHA256Managed();
    byte[] sha256Bytes = System.Text.Encoding.Default.GetBytes("TataDocomo");
    byte[] cryString = sha256.ComputeHash(sha256Bytes);
    string sha256Str = string.Empty;
    for (int i = 0; i < cryString.Length; i++)
    {
        sha256Str += cryString[i].ToString("X2");
    }
    Response.Write("SHA256 : " + sha256Str + "<br /><br />");
}
protected void MySHA384()
{
    SHA384 sha384 = new System.Security.Cryptography.SHA384Managed();
    byte[] sha384Bytes = System.Text.Encoding.Default.GetBytes("TataDocomo");
    byte[] cryString = sha384.ComputeHash(sha384Bytes);
    string sha384Str = string.Empty;
    for (int i = 0; i < cryString.Length; i++)
    {
        sha384Str += cryString[i].ToString("X2");
    }
    Response.Write("SHA384 : " + sha384Str + "<br /><br />");
}
protected void MySHA512()
{
    SHA512 sha512 = new System.Security.Cryptography.SHA512Managed();
    byte[] sha512Bytes = System.Text.Encoding.Default.GetBytes("TataDocomo");
    byte[] cryString = sha512.ComputeHash(sha512Bytes);
    string sha512Str = string.Empty;
    for (int i = 0; i < cryString.Length; i++)
    {
        sha512Str += cryString[i].ToString("X2");
    }
    Response.Write("SHA512 : " + sha512Str + "<br /><br />");
}
protected void MyMD5()
{
    MD5 md5 = new System.Security.Cryptography.MD5CryptoServiceProvider();
    byte[] Md5Bytes = System.Text.Encoding.Default.GetBytes("TataDocomo");
    byte[] cryString = md5.ComputeHash(Md5Bytes);
    string md5Str = string.Empty;
    for (int i = 0; i < cryString.Length; i++)
    {
        md5Str += cryString[i].ToString("X2");
    }
    Response.Write("MD5 : " + md5Str + "<br /><br />");
}
this is code i've implemented..for security algorithms..
but can't make out which one should i use...
SHA512 to generates...the complex string..
i was kinda hoping for 512..
but you recommended SHA 1...
okay fine i can use SHA1 ....but is SHA 1 better than SHA512
-
Oct 24th, 2009, 10:54 AM
#15
Re: Web.config
Hey,
Okay, I am confused, you seem to be jumping between different things here.
In post 10, you are using a built in method, but in your last post, you are saying that you are implementing your own hashing algorithms.
Is there a reason why you are doing this? What is wrong with the built in method?
The difference between SHA1 and SHA512 would be the level of encryption. SHA512 would provide a higher level of encryption than SHA1.
Gary
-
Oct 24th, 2009, 10:56 AM
#16
Thread Starter
Hyperactive Member
Re: Web.config
 Originally Posted by gep13
Hey,
Okay, I am confused, you seem to be jumping between different things here.
In post 10, you are using a built in method, but in your last post, you are saying that you are implementing your own hashing algorithms.
Is there a reason why you are doing this? What is wrong with the built in method?
The difference between SHA1 and SHA512 would be the level of encryption. SHA512 would provide a higher level of encryption than SHA1.
Gary
thank you i was hoping for 512..
now i'll encrypt my password using SHA512 instead of using SHA1..
also i'll be using your encryption technique for web.config..
i hope i'm not confusing this time..
done..
Last edited by dnanetwork; Oct 24th, 2009 at 10:59 AM.