Securing Data

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies.
This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
To create client business applications using current Microsoft technologies, see patterns & practices' Prism.

Frequently, developers write applications that require encryption and hashing capabilities to meet the security requirements of their organization. Data that is created and maintained by applications, in addition to configuration information, often needs to be encrypted. Additionally, passwords that are used to access application functionality or data need to be hashed.

Configuration Files

It is not unusual for sensitive or secret information to be stored in configuration files. In fact, there are several configuration areas where sensitive information might appear. For example, the <connectionStrings> section could contain database user names and passwords, and the <identity> section contains a user name and password if you need the common language runtime to impersonate a fixed identity. You might store a password for a third-party Web service in <appSettings> or in a custom section. If your configuration file contains secrets, you should consider encrypting that section of the file.

The .NET Framework 2.0 and later versions provide tools and classes for encrypting configuration data. You can use a command-line tool to encrypt sensitive sections of a configuration file, and the runtime automatically decrypts a protected section when it reads it, so you do not have to write any decryption code. Because the configuration console also reads and writes configuration through the platform, it can display the contents of an encrypted section and writes the section back encrypted.

You can use the Aspnet_regiis.exe tool to encrypt sections of the Web.config file and the Machine.config file. For a description of how to use the Aspnet_regiis.exe tool, see How to Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI. Keep in mind that the protection is only as strong as access to the key: with the DPAPI provider the section can be decrypted only on the machine that encrypted it, but by default by any account on that machine, so the access control list on the file still matters.

You can also use the protected configuration classes in the System.Configuration namespace to encrypt and decrypt sections of a Web configuration file, sections of a configuration file for an executable file (.exe), or sections in the machine-level and application-level configuration files. For more information, see the ProtectSection method of the SectionInformation class.
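The following is an added example, not code from the original page or from the Bank Branch Client reference implementation. It encrypts, inspects and decrypts one section of an .exe's configuration file with the protected configuration classes in System.Configuration. The section and provider names are the framework's own; the command-line usage in Main is an assumption of this example.

```csharp
// Added example: protect one section of MyApp.exe.config with the
// System.Configuration API. Not the reference implementation's code.
using System;
using System.Configuration;

static class ConfigProtector
{
    // Provider shipped with .NET Framework 2.0 and later. It encrypts with
    // DPAPI, so the section can be read only on the machine where it was
    // encrypted; for a web farm use "RsaProtectedConfigurationProvider" and
    // move the RSA key container between machines instead.
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts the named section in place. Returns false if it was already
    // protected, so a deployment script can call this repeatedly.
    public static bool Protect(string sectionName)
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = GetSectionOrThrow(config, sectionName);
        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(Provider);
        // The decrypted values are unchanged, so Save() would skip the
        // section unless it is forced to be written.
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reverses Protect(), for example before editing the file by hand.
    public static bool Unprotect(string sectionName)
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = GetSectionOrThrow(config, sectionName);
        if (!section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    static ConfigurationSection GetSectionOrThrow(Configuration config, string name)
    {
        ConfigurationSection section = config.GetSection(name);
        if (section == null)
            throw new ArgumentException("No section named '" + name + "' in " +
                                        config.FilePath);
        return section;
    }

    // Usage (assumed): ConfigProtector.exe protect|unprotect|show [sectionName]
    // "show" always lists <connectionStrings>, whatever section was named.
    static int Main(string[] args)
    {
        string action = args.Length > 0 ? args[0] : "show";
        string section = args.Length > 1 ? args[1] : "connectionStrings";
        switch (action)
        {
            case "protect":
                Console.WriteLine(Protect(section) ? "encrypted" : "already encrypted");
                return 0;
            case "unprotect":
                Console.WriteLine(Unprotect(section) ? "decrypted" : "not encrypted");
                return 0;
            case "show":
                // No decryption code here: the runtime decrypts a protected
                // section transparently when the normal API reads it.
                foreach (ConnectionStringSettings cs in ConfigurationManager.ConnectionStrings)
                    Console.WriteLine("{0} -> {1}", cs.Name, cs.ConnectionString);
                return 0;
            default:
                Console.Error.WriteLine("unknown action: " + action);
                return 1;
        }
    }
}
```

For a Web.config the equivalent command is aspnet_regiis -pe "connectionStrings" -app "/MyApp" -prov "DataProtectionConfigurationProvider" (and -pd to decrypt), which does the same ProtectSection call on your behalf. Two checks worth making after either route: open the file and confirm the section now contains only an <EncryptedData> element, and run the application under the account that will use it in production, because the DPAPI provider defaults to machine-scope protection (useMachineProtection="true" in Machine.config), so a section encrypted under that default is readable by any account on the box but not from any other box.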

Local Data

The Enterprise Library Cryptography Application Block is designed to address most common tasks that developers confront when they are writing applications that require cryptography functionality. Applications can use the application block for a variety of tasks, such as encrypting information, creating a hash from data, and comparing hash values to verify that data has not been altered.

You should use the Cryptography Application Block when you need hashing and/or symmetric encryption. You can use these functions with the cryptographic providers included with the application block or with your own custom cryptographic providers. If the data only needs to be verified and never recovered in its original form (for example, a password), use hashing: a hash is one-way, so the original value cannot be decrypted from it, and a stored password is checked by hashing the supplied value with the same salt and comparing the two hashes. If the data needs to be recovered in its original form (for example, sensitive customer data that is transmitted and then read), use symmetric encryption.

A prerequisite for symmetric encryption is that the application that sends the data and the application that receives the data share the same secret key, which means they must trust each other. Typically, this is true only if the sender and the receiver are the same application. This restriction often precludes using the application block for encrypting data across the network. Two other points you should consider when you use the Cryptography Application Block are how you are going to manage symmetric encryption keys (where the key file is kept, which accounts can read it, and how it is backed up and rotated) and which hashing algorithm or symmetric encryption algorithm you are going to use (prefer AES and SHA-256 or stronger, and avoid MD5 and DES in new code).
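The following is an added example, not the Cryptography Application Block's own code. It shows the two operations the preceding paragraphs distinguish, one-way hashing for data that is only verified and symmetric encryption for data that must be recovered, together with the key-management point: the symmetric key is stored only in DPAPI-wrapped form. It is written against the System.Security.Cryptography classes the block wraps rather than the block's facade; the key-file name, sample password and sample record are constructed for the example, and ProtectedData needs a reference to System.Security.dll.

```csharp
// Added example: hash-to-verify, encrypt-to-recover, and a DPAPI-protected
// key file, with .NET Framework classes. Not the application block's code.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class LocalDataCrypto
{
    // ---- Hashing: data that is verified but never recovered (passwords) ----
    const int SaltBytes = 16, HashBytes = 32, Iterations = 10000;

    // Stored form is salt || hash; the salt is not secret and travels with the hash.
    public static byte[] HashPassword(string password)
    {
        byte[] salt = RandomBytes(SaltBytes);
        byte[] stored = new byte[SaltBytes + HashBytes];
        Buffer.BlockCopy(salt, 0, stored, 0, SaltBytes);
        Buffer.BlockCopy(Pbkdf2(password, salt), 0, stored, SaltBytes, HashBytes);
        return stored;
    }

    public static bool VerifyPassword(string password, byte[] stored)
    {
        if (stored == null || stored.Length != SaltBytes + HashBytes) return false;
        byte[] salt = new byte[SaltBytes];
        Buffer.BlockCopy(stored, 0, salt, 0, SaltBytes);
        byte[] expected = Pbkdf2(password, salt);
        int diff = 0; // constant-time compare: no early exit at the first mismatch
        for (int i = 0; i < HashBytes; i++) diff |= expected[i] ^ stored[SaltBytes + i];
        return diff == 0;
    }

    // Salted, iterated hash (PBKDF2); the iteration count slows down guessing.
    static byte[] Pbkdf2(string password, byte[] salt)
    {
        return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashBytes);
    }

    static byte[] RandomBytes(int count)
    {
        byte[] b = new byte[count];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(b);
        return b;
    }

    // ---- Symmetric encryption: data that must be decrypted later ----
    // Output is IV || ciphertext. Rijndael with its default 128-bit block is AES.
    public static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        using (var aes = new RijndaelManaged())
        using (var ms = new MemoryStream())
        {
            aes.Key = key;
            aes.GenerateIV(); // fresh random IV per message; never reuse one
            ms.Write(aes.IV, 0, aes.IV.Length);
            using (var cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
                cs.Write(plaintext, 0, plaintext.Length);
            return ms.ToArray(); // still valid after the CryptoStream closed ms
        }
    }

    public static byte[] Decrypt(byte[] key, byte[] blob)
    {
        using (var aes = new RijndaelManaged())
        {
            byte[] iv = new byte[aes.BlockSize / 8];
            if (blob == null || blob.Length < iv.Length)
                throw new CryptographicException("ciphertext too short");
            Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
            aes.Key = key;
            aes.IV = iv;
            using (var ms = new MemoryStream(blob, iv.Length, blob.Length - iv.Length))
            using (var cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Read))
            using (var plain = new MemoryStream())
            {
                byte[] buf = new byte[4096]; int n;
                while ((n = cs.Read(buf, 0, buf.Length)) > 0) plain.Write(buf, 0, n);
                return plain.ToArray();
            }
        }
    }

    // ---- Key management: the AES key is stored only in DPAPI-wrapped form ----
    // Like the block's protected key file: only this user on this machine can
    // unwrap it, so the key never sits in the clear on disk.
    public static byte[] LoadOrCreateKey(string path)
    {
        if (File.Exists(path))
            return ProtectedData.Unprotect(File.ReadAllBytes(path), null, DataProtectionScope.CurrentUser);
        byte[] key = RandomBytes(32); // AES-256
        File.WriteAllBytes(path, ProtectedData.Protect(key, null, DataProtectionScope.CurrentUser));
        return key;
    }

    static void Main()
    {
        byte[] stored = HashPassword("correct horse");
        Console.WriteLine(VerifyPassword("correct horse", stored));
        Console.WriteLine(VerifyPassword("wrong horse", stored));
        byte[] key = LoadOrCreateKey("customer.key"); // constructed file name
        byte[] blob = Encrypt(key, Encoding.UTF8.GetBytes("acct=1234;limit=5000"));
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(key, blob)));
    }
}
```

Two caveats carry over to the application block's own providers. First, CBC encryption as shown (and as the block's symmetric providers do it) gives confidentiality only; if an attacker who can modify the stored blob is in your threat model, compute an HMAC over IV || ciphertext with a separate key and verify it before decrypting. Second, a key wrapped with DataProtectionScope.CurrentUser unwraps only for the same Windows account, so a service that runs under a different account than the one that created the key file will fail with a CryptographicException; that is the same trust boundary the paragraph above describes, and it is why the sender and receiver are normally the same application.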

Cached Data

The Bank Branch Client reference implementation uses the Enterprise Library Caching Application Block to cache rate information. If you use the Caching Application Block to cache sensitive information, you can configure the application block to encrypt the information before it writes the data to a backing store (for example, isolated storage). For information about configuring the Caching Application Block, see the Caching Application Block documentation.