<snip>

Reading through the docs, I believe it's a machine-level or user-level
RSA key container, and the user account which executes the page
request must have access to that RSA key container in order to work.

In other words, it's using underlying Windows security - so I don't
believe it's a security risk.

One way to test it would be to copy the configuration and application
to another machine - I'm pretty sure you'll find it doesn't work.

Jon

Hello Tom,

From your post, my understanding on this issue is: you wonder where the
encryption and decryption key is stored when you encrypt the configuration
nodes. If I'm off base, please feel free to let me know.

I notice that you are using RsaProtectedConfigurationProvider, the RSA
mechanism, to encrypt the configurations. RSA needs two keys: one is public
key which is used to encrypt the content; another is private key, to
decrypt the content. According to the MSDN article
http://msdn2.microsoft.com/en-us/library/ms998283.aspx, the key pair for
the current application is stored either in machine level key container, or
user level container. For RsaProtectedConfigurationProvider, it uses
machine level key container by default. Machine level keys are stored in
the directory:
C:\Documents and Settings\All Users\Application
Data\Microsoft\Crypto\RSA\MachineKeys
Each file in the directory represents one key container (public - private
key pair).
You could use the command:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pc
"keycontainer_name" -exp
to create a new key container with the specified keycontainer_name.

But actually, it is not the public key of RSA key container that encrypt
the content of configuration information, because RSA is a kind of
asymmetric encryption, and it is slow to encrypt large messages. We usually
use symmetric key cipher, such as DES, to encrypt large messages. When we
start to encrypt the content of a configuration file,
Firstly, it will find the RSA key container according to the key name
specified in <EncryptedData><EncryptedKey><KeyInfo><KeyName> node.
Secondly, it randoms a DES key and use the public key from the key
container to encrypt the DES key. Then store the encrypted result in the
node <EncryptedData><KeyInfo><<EncryptedKey><CipherData>
Lastly, it uses the DES key to encrypt the configuration information.

When we decrypt the configuration information,
Firstly, it will find the RSA key container according to the key name
specified in <EncryptedData><EncryptedKey><KeyInfo><KeyName> node.
Secondly, it use the private key to decrypt the encrypted DES key.
Lastly, it uses the DES key to decrypt the configuration information

For more information, please refer to the page
http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html

Please let me know if you have any other concerns, or need anything else.

Sincerely,
Jialiang Ge (jialge@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

==================================================
For MSDN subscribers whose posts are left unanswered, please check this
document: http://blogs.msdn.com/msdnts/pages/postingAlias.aspx

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications. If you are using Outlook Express/Windows Mail, please make sure
you clear the check box "Tools/Options/Read: Get 300 headers at a time" to
see your reply promptly.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.