catalyst2 community forums  

Old 21-10-2007, 10:48 AM   #1 (permalink)
Registered User
 
Join Date: Dec 2005
Posts: 7
Crypto on shared hosting...

Hi there,

One of the functions I would like to provide through my website is designed to use RSA public key Cryptography to deliver some signed content that can then be authenticated by a smart client.

The technology all works well on my test server, but when I moved it out to Catalyst2 I fell foul of the CAS permission set. Although my application manages its own keys, the cryptographic service provider "RSACryptoServiceProvider" uses the Windows key container service internally - so when I try to do "RSACryptoServiceProvider.FromXml" it is trying to import my key into a container. This in turn (thanks Reflector) generates a permission demand as follows:
Code:
    KeyContainerPermission permission = new KeyContainerPermission(KeyContainerPermissionFlags.NoFlags);
    KeyContainerPermissionAccessEntry accessEntry = new KeyContainerPermissionAccessEntry(this._parameters, KeyContainerPermissionFlags.Import);
    permission.AccessEntries.Add(accessEntry);
    permission.Demand();
So it seems I need KeyContainerPermission, which for understandable reasons isn't present AT ALL in the permission set:

Code:
The granted set of the failing assembly was:
<PermissionSet class="System.Security.PermissionSet"
version="1">
<IPermission class="System.Security.Permissions.EnvironmentPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Read="TEMP;TMP;USERNAME;OS;COMPUTERNAME"/>
<IPermission class="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Read="d:\domains\salientpoint.co.uk"
Write="d:\domains\salientpoint.co.uk"
Append="d:\domains\salientpoint.co.uk"
PathDiscovery="d:\domains\salientpoint.co.uk"/>
<IPermission class="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Allowed="AssemblyIsolationByUser"
UserQuota="9223372036854775807"/>
<IPermission class="System.Security.Permissions.ReflectionPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Unrestricted="true"/>
<IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Flags="Assertion, Execution, ControlThread, SerializationFormatter, ControlPrincipal, RemotingConfiguration"/>
<IPermission class="System.Security.Permissions.StrongNameIdentityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
PublicKeyBlob="0024000004800000940000000602000000240000525341310004000001000100C3563AE31654954CDC2FEAB90CD5925EFF6B37C9F1BE6EFBC51A6DA7FC12DCE4761875F615D4AB98D88F86BCD66B6410D890C23ACAB5BB31CB7ACCE77D3600A46E2F8DD0F7620AA171C7C0BD81D04F0C2D1F2331BEEAFB1E222C68DA582125E27D1C5CFFE4A18AABA13A8E7DE060722F137D08C6DC9A12EFDBCC6C84BD4BE3C2"
Name="SalientProtect"
AssemblyVersion="0.92.2849.27838"/>
<IPermission class="System.Security.Permissions.UrlIdentityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Url="file:///d:/domains/salientpoint.co.uk/wwwroot/bin/SalientProtect.DLL"/>
<IPermission class="System.Security.Permissions.ZoneIdentityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Zone="MyComputer"/>
<IPermission class="System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Level="Medium"/>
<IPermission class="System.Net.DnsPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Unrestricted="true"/>
<IPermission class="System.Drawing.Printing.PrintingPermission, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
version="1"
Level="DefaultPrinting"/>
<IPermission class="System.Net.Mail.SmtpPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Access="Connect"/>
<IPermission class="System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Unrestricted="true"/>
<IPermission class="System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1">
<ConnectAccess>
<URI uri=".*"/>
</ConnectAccess>
</IPermission>
<IPermission class="System.Data.OleDb.OleDbPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Unrestricted="true"/>
<IPermission class="System.Data.Odbc.OdbcPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Unrestricted="true"/>
<IPermission class="System.Net.SocketPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Unrestricted="true"/>
</PermissionSet>
I presume that in a shared hosting environment there is no practical way to grant KeyContainerPermission without the potential for compromising security between sites? If there was, then it would be great if you could do that!

If that's not an option, then I guess my question becomes

1) Are there any upgrades to my package I could buy that would enable this (other than moving to dedicated hosting which is outside my budget at this stage in the project)

2) Does anyone know of a (cheap/free) managed RSA implementation (i.e. one that doesn't use Windows CSP and thus require KeyContainerPermission)

3) Anyone got any better ideas for me - did I miss something???
IanStevenson
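
Added example, not part of the original post: a Python sketch that parses a "granted set" dump like the one quoted above and reports whether a demanded permission type is present in it. The function names are hypothetical, and the sample input is abridged from the post's dump (three of its entries).

```python
import xml.etree.ElementTree as ET

# Abridged from the grant set quoted in the post (three of its entries).
SAMPLE_DUMP = '''The granted set of the failing assembly was:
<PermissionSet class="System.Security.PermissionSet"
version="1">
<IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Flags="Assertion, Execution, ControlThread, SerializationFormatter, ControlPrincipal, RemotingConfiguration"/>
<IPermission class="System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Level="Medium"/>
<IPermission class="System.Net.SocketPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Unrestricted="true"/>
</PermissionSet>'''

def parse_grant_set(dump):
    """Map permission type name -> attribute dict from a grant-set dump."""
    start = dump.find("<PermissionSet")
    end = dump.rfind("</PermissionSet>")
    if start < 0 or end < 0:
        raise ValueError("no <PermissionSet> element in dump")
    root = ET.fromstring(dump[start:end + len("</PermissionSet>")])
    granted = {}
    if root.get("Unrestricted", "").lower() == "true":
        granted["*"] = {}  # full trust: every demand is satisfied
    for perm in root.findall("IPermission"):
        # "class" is assembly-qualified; the type name precedes the first comma.
        type_name = perm.get("class", "").split(",")[0].strip()
        granted[type_name] = {k: v for k, v in perm.attrib.items()
                              if k not in ("class", "version")}
    return granted

def check_demand(granted, type_name):
    """Return 'missing', 'restricted' or 'unrestricted' for a demanded type."""
    if "*" in granted:
        return "unrestricted"
    attrs = granted.get(type_name)
    if attrs is None:
        return "missing"  # type absent from the grant set: the demand fails
    if attrs.get("Unrestricted", "").lower() == "true":
        return "unrestricted"
    return "restricted"  # outcome depends on the listed flags or paths

if __name__ == "__main__":
    grant = parse_grant_set(SAMPLE_DUMP)
    for name in ("System.Security.Permissions.KeyContainerPermission",
                 "System.Net.SocketPermission"):
        print(name, "->", check_demand(grant, name))
```
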
Old 21-10-2007, 12:35 PM   #2 (permalink)
Bring me your problems :p
 
 
Join Date: Jan 2003
Location: /dev/ahhhhhhhhh
Posts: 3,537
Ian,

You are correct, the permissions would not be available on shared hosting I am afraid. The only other option we could offer is dedicated hosting, we don't currently have an 'in-between'.

Not sure if someone else can suggest a better option....?

Last edited by Jacob; 21-10-2007 at 03:46 PM.
paulredpath
Old 22-10-2007, 06:57 PM   #3 (permalink)
Registered User
 
Join Date: Dec 2005
Posts: 7
Quote:
Originally Posted by paulredpath View Post
Ian,

You are correct, the permissions would not be available on shared hosting I am afraid. The only other option we could offer is dedicated hosting, we don't currently have an 'in-between'.

Not sure if someone else can suggest a better option....?
Well thanks for getting back to me within 2 hours on a Sunday morning anyway!

Ian
IanStevenson
Old 23-10-2007, 04:08 PM   #4 (permalink)
Bring me your problems :p
 
 
Join Date: Jan 2003
Location: /dev/ahhhhhhhhh
Posts: 3,537
No problem, if you do find a way round this please let us know.
paulredpath
All times are GMT.