After the first Security review was completed on our DotNetNuke website, our security guys sent us a list of issues that we need to fix and on that list is this one requirement:  

“Self-decrypting archives, private keys, and symmetric key stores must be protected with a passphrase.”

Does anyone fully understand what this requirement means?   Below is the full description of this security risk.

Public key cryptography systems operate on the assumption that private keys are protected.  If an attacker can gain access to a private key, the attacker can assume the identity represented by the private key.  Unauthorized disclosure, alteration, or destruction of data may occur if a private key is accessed by an attacker.  Without a passphrase the private key can be accessed and used anonymously by an attacker.  The absence of passphrases will result in a failure to protect confidentiality and integrity.

If anyone has the solution for this, can you share it with me?  Thank you very much.

Hi Sebastian,

Thank you very much for your very fast response. 

We are already hashing our password. This is what we have in our web.config file(please see below).

<machineKey validationKey="myvalidationkey" decryptionKey="mydecryptionkey" decryption="3DES" validation="SHA1" />

I can also validate this by looking at the Password and PasswordSalt column under the aspnet_Membership table.  I just don’t know what the self-decrypting archives are and the use of passphrase to protect them.

Regards,

Marcelo Solangon

<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="myConnectionString" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" minRequiredPasswordLength="8" minRequiredNonalphanumericCharacters="1" passwordStrengthRegularExpression="^.*(?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[\W])(?=.*[\d]).*$" requiresUniqueEmail="true" passwordFormat="Hashed" applicationName="DotNetNuke" description="Stores and retrieves membership data from the local Microsoft SQL Server database" />