ASPNET_REGIIS: Place AES key and IV into a KeyContainer

Asked by 梦谈多话, 2021-02-20 01:48

Is it possible to place an AES key and IV into a KeyContainer using ASPNET_REGIIS? If yes, how?

Context:

I have created AesProtectedConfiguratio

1 answer

  •  Answer by 遥遥无期, 2021-02-20 02:02

    RsaProtectedConfigurationProvider and AesProtectedConfigurationProvider, despite very similar names, are parts of different universes.

    RsaProtectedConfigurationProvider resides in System.Configuration and is used (as other providers inheriting from abstract ProtectedConfigurationProvider) for encryption/decryption of configuration sections in web.config for ASP.NET applications.

    AesProtectedConfigurationProvider, in its turn, resides in Microsoft.ApplicationHost and is used only for IIS configuration encryption. In the configuration file of the default application pool (DefaultAppPool.config) you will find the following:

    
        
            
            
            
        
    
    

    You can read about AesProvider and IISWASOnlyAesProvider in the IIS Securing Configuration article:

    AesProvider - Encrypting IIS configuration sections read by the IIS worker process using AES encryption.

    IISWASOnlyAesProvider - Encrypting IIS configuration sections read by WAS using AES encryption.

    So answering your first question:

    1. Confirm whether using the AesProtectedConfigurationProvider is safe. It was removed by Microsoft in subsequent releases of .NET but I cannot seem to find a reason

    Yes, using your custom AES provider is safe if we assume that you have implemented it correctly without security flaws. Microsoft has not removed AesProtectedConfigurationProvider from the .NET Framework; it was never a part of System.Configuration. If Microsoft had found a security flaw in its implementation, they could just have fixed it instead of removing it, correct?

    2. Provide steps to implement the AesProtectedConfigurationProvider and to create a KeyContainer in ASPNET_REGIIS

    I believe you can have AES encryption without implementing a custom AesProtectedConfigurationProvider.

    I dug into the source code of RsaProtectedConfigurationProvider and found that it has the following logic:

    // From the .NET Framework reference source of RsaProtectedConfigurationProvider:
    // picks the symmetric cipher that encrypts the section body.
    private SymmetricAlgorithm GetSymAlgorithmProvider() {
        SymmetricAlgorithm symAlg;
    
        if (UseFIPS) {
            // AesCryptoServiceProvider implementation is FIPS certified
            symAlg = new AesCryptoServiceProvider();
        }
        else {
            // Use 3DES. FIPS obsoleted 3DES
            symAlg = new TripleDESCryptoServiceProvider();
    
            byte[] rgbKey1 = GetRandomKey();
            symAlg.Key = rgbKey1;
            symAlg.Mode = CipherMode.ECB;
            symAlg.Padding = PaddingMode.PKCS7;
        }
    
        return symAlg;
    }
    

    As you can see, the default RsaProtectedConfigurationProvider supports switching from Triple DES to AES encryption by means of System.Security.Cryptography.AesCryptoServiceProvider.

    The UseFIPS flag is read from the configuration section of RsaProtectedConfigurationProvider. You can set it at machine level (machine.config) so that it applies to all encrypted configs, or only for a specific web.config.

    For the latter case, add the following section to web.config (I have copied the section from machine.config and added useFIPS="true"):

    
    
      
    
      
        
          
          
        
      
    
      
    
    
    

    Now, if you run aspnet_regiis, you will see that the data is encrypted with 256-bit AES:

    
    

    The AES symmetric key is stored in the same way as for Triple DES mode: the key is encrypted with RSA and embedded into the encrypted section, while the RSA key is stored in the machine key container. See this blog post for more details.

    I believe using the AES encryption that is already implemented in RsaProtectedConfigurationProvider is a far better option than a custom AES provider. You are using the existing key storage method and you are protected from possible (highly probable) security flaws.

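The procedure the answer describes, carried through end to end as an added example (this is not the answerer's code and not part of the original post): create the machine-level RSA key container that the question's title is really about, grant the application pool identity access to it, register the built-in RsaProtectedConfigurationProvider in web.config with useFIPS="true" so that GetSymAlgorithmProvider() takes the AES branch, encrypt a section with aspnet_regiis, and then read back the EncryptionMethod URI to confirm that AES-256 rather than 3DES was actually used. The web.config path, key container name, app pool identity and the choice of the connectionStrings section are assumptions for illustration; the aspnet_regiis switches (-pc, -pa, -pef, -prov) and the provider type string are the .NET Framework 4.x ones.

```powershell
# Added example: enable the AES path of the built-in RsaProtectedConfigurationProvider
# and verify it. Assumes .NET Framework 4.x on 64-bit Windows, a web.config that already
# contains a <connectionStrings> section and no default xmlns on <configuration>.
param(
    [string]$WebConfig    = 'C:\inetpub\wwwroot\MyApp\web.config',  # assumed path
    [string]$Section      = 'connectionStrings',                    # section to protect
    [string]$KeyContainer = 'MyAppConfigKey',                       # assumed container name
    [string]$PoolIdentity = 'IIS AppPool\MyAppPool'                 # assumed app pool identity
)

$regiis       = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$providerName = 'RsaProtectedConfigurationProvider'
$providerType = 'System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'

function Add-AesRsaProvider {
    # Register (or replace) the provider under <configProtectedData> with useFIPS="true",
    # the switch that makes GetSymAlgorithmProvider() pick AesCryptoServiceProvider.
    param([string]$Path, [string]$Name, [string]$Type, [string]$Container)
    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    $cfg = $xml.configuration
    $cpd = $cfg.SelectSingleNode('configProtectedData')
    if (-not $cpd) {
        $cpd = $xml.CreateElement('configProtectedData')
        $cpd.SetAttribute('defaultProvider', $Name)
        # AppendChild, not PrependChild: <configSections>, if present, must stay first.
        [void]$cfg.AppendChild($cpd)
    }
    $providers = $cpd.SelectSingleNode('providers')
    if (-not $providers) { $providers = $cpd.AppendChild($xml.CreateElement('providers')) }
    $old = $providers.SelectSingleNode("add[@name='$Name']")
    if ($old) { [void]$providers.RemoveChild($old) }
    $add = $xml.CreateElement('add')
    $add.SetAttribute('name', $Name)
    $add.SetAttribute('type', $Type)
    $add.SetAttribute('keyContainerName', $Container)
    $add.SetAttribute('useMachineContainer', 'true')
    $add.SetAttribute('useOAEP', 'true')   # OAEP padding for the RSA-wrapped session key
    $add.SetAttribute('useFIPS', 'true')   # AES-256 instead of 3DES for the section body
    [void]$providers.AppendChild($add)
    $xml.Save($Path)
}

function Get-EncryptionAlgorithm {
    # Read back what aspnet_regiis wrote: the Algorithm URI of
    # <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"><EncryptionMethod .../>.
    param([string]$Path, [string]$SectionName)
    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    $node = $xml.configuration.SelectSingleNode($SectionName)
    if (-not $node -or $node.GetAttribute('configProtectionProvider') -eq '') {
        return $null   # section absent or not encrypted at all
    }
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('enc', 'http://www.w3.org/2001/04/xmlenc#')
    $method = $node.SelectSingleNode('enc:EncryptedData/enc:EncryptionMethod', $ns)
    if ($method) { $method.GetAttribute('Algorithm') } else { $null }
}

# 1. Create the machine-level RSA key container once per server (-exp makes it exportable
#    so the same key can be moved to other nodes of a farm) and let the app pool read it.
#    The AES key itself is never placed in the container: it is RSA-wrapped with this key
#    and embedded in the encrypted section.
& $regiis -pc $KeyContainer -exp
& $regiis -pa $KeyContainer $PoolIdentity

# 2. Point the application at that container with the AES switch enabled.
Add-AesRsaProvider -Path $WebConfig -Name $providerName -Type $providerType -Container $KeyContainer

# 3. Encrypt the section in place by physical path (-pdf with the same arguments reverses it).
& $regiis -pef $Section (Split-Path -Parent $WebConfig) -prov $providerName
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

# 4. Verify the symmetric algorithm that actually protects the section body.
$alg = Get-EncryptionAlgorithm -Path $WebConfig -SectionName $Section
switch ($alg) {
    'http://www.w3.org/2001/04/xmlenc#aes256-cbc'    { "OK: $Section is encrypted with AES-256-CBC" }
    'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' { throw "useFIPS was ignored: $Section is 3DES-encrypted" }
    default                                          { throw "Unexpected or missing EncryptionMethod: $alg" }
}
```

Step 4 is the check worth keeping: an older runtime that does not know the useFIPS attribute, or a provider registration that was silently overridden by machine.config, both leave the file 3DES-encrypted with no error from aspnet_regiis, and only the EncryptionMethod URI in the written section tells you which branch ran.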