-
September 3rd, 2013, 03:19 AM
#1
Encryption of connection strings
What is the best/easiest way to encrypt a connection string in the app.config file?
MS has a lot of articles on this, but I'm not sure which is the easiest and which is the best etc.
What do you guys use?
The thing is, that we'll be sending a small app out to the users, but we don't want them to be able to abuse the connection string provided in the config file.
Thanks in advance
Edit: And we do not want integrated security, because then we'll have to decide who can access the server and how much etc. We want to use a dedicated SQL Server user (not a Windows user).
-
September 6th, 2013, 01:42 AM
#2
Re: Encryption of connection strings
Make use of protected configuration, as explained here:
http://msdn.microsoft.com/en-us/libr...8VS.80%29.aspx
Under the heading:
Encrypting Configuration File Sections Using Protected Configuration
That seems to be your best option, IMHO
-
September 6th, 2013, 06:59 AM
#3
Re: Encryption of connection strings
At best you'll be making it hard for a non-technical person to "abuse the connect string".
For a half decent hacker, it takes only minutes to set a breakpoint on the database connect/open function and see the decoded connect string, regardless of how complex or secure the encryption algorithm is. Chances are, that there are even DB monitoring tools installed that'll show you what user is being used, so they don't even need special tools.
If your database itself doesn't allow encrypted connections and you're only wanting a "make it not clearly obvious for everyone" type solution, you can use any encryption you want. A simple XOR over each character will obfuscate it enough.
Obfuscation is easy.
Security goes way beyond that.
And some people just don't get the difference. I've seen big names go to extremes in obfuscation to fail at providing security (well, DUH!). And I've seen companies use elaborate security when all they needed was simple obfuscation (it works, but it's a lot of effort to achieve the goal).
-
September 6th, 2013, 07:55 AM
#4
Re: Encryption of connection strings
Originally Posted by OReubens
At best you'll be making it hard for a non-technical person to "abuse the connect string".
For a half decent hacker, it takes only minutes to set a breakpoint on the database connect/open function and see the decoded connect string, regardless of how complex or secure the encryption algorithm is. Chances are, that there are even DB monitoring tools installed that'll show you what user is being used, so they don't even need special tools.
If your database itself doesn't allow encrypted connections and you're only wanting a "make it not clearly obvious for everyone" type solution, you can use any encryption you want. A simple XOR over each character will obfuscate it enough.
Obfuscation is easy.
Security goes way beyond that.
And some people just don't get the difference. I've seen big names go to extremes in obfuscation to fail at providing security (well, DUH!). And I've seen companies use elaborate security when all they needed was simple obfuscation (it works, but it's a lot of effort to achieve the goal).
Great answer
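The protected configuration approach suggested in post #2, as an added example that is not code from any poster in this thread: it encrypts the connectionStrings section of the running executable's config file with the built-in DPAPI provider on first run. The class name and the connection string name "AppDb" are assumptions, and the project needs a reference to System.Configuration on the .NET Framework.

```csharp
using System;
using System.Configuration;

static class ConnectionStringProtector
{
    // Built-in protected configuration provider backed by Windows DPAPI.
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in this executable's .config file.
    // Returns true only if this call changed the file.
    public static bool ProtectConnectionStrings()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section == null || section.SectionInformation.IsLocked)
            return false;                       // nothing to protect, or not writable
        if (section.SectionInformation.IsProtected)
            return false;                       // already encrypted on an earlier run

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);

        // Drop the cached copy so later reads come from the saved file.
        ConfigurationManager.RefreshSection("connectionStrings");
        return true;
    }

    static void Main()
    {
        Console.WriteLine(ProtectConnectionStrings()
            ? "connectionStrings section encrypted."
            : "Section already protected, locked, or missing.");

        // Reading is unchanged: the runtime decrypts the section transparently.
        // "AppDb" is a hypothetical entry name used for this example.
        ConnectionStringSettings settings =
            ConfigurationManager.ConnectionStrings["AppDb"];
        Console.WriteLine(settings == null
            ? "No connection string named AppDb."
            : "AppDb loaded (" + settings.ConnectionString.Length + " chars).");
    }
}
```

The DPAPI key is tied to the Windows machine or user that did the encrypting, so the section has to be protected on the user's machine rather than before shipping. The process still holds the decrypted string at runtime, which is the limit post #3 describes.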