Enterprise library security flaw!

Topics: Cryptography Application Block
Mar 24, 2008 at 4:16 PM
Hello All

You can use any encryption you can think about private/public/ shared keys any algorithm for a hacker it is all the same. She/he has only to download enterprise library and open the connection string to get all info needed there should be an extra protection for opening config files. This is blatant error in the conception. I hope that enterprise library team will take the time to fix it.

Mar 25, 2008 at 1:04 AM

Can you please elaborate on the scenarios you're concerned about and what is it that you would like to see fixed? Also, please indicate the version of Enterprise Library you're referring to; starting with the January 2006 version (aka v2.0) the encryption of configuration, including connection strings, is performed by the .NET framework - not the Crypto App Block.

Please see http://msdn2.microsoft.com/en-us/library/ms998283.aspx and http://msdn2.microsoft.com/en-us/library/ms998280.aspx for information on how configuration encryption works. Also keep in mind that restricting access to configuration information for users who do have access to the required keys (eg a user of a computer if you're using DPAPI with a machine scope) is not the goal of configuration encryption.