  1. #1
    Join Date
    Jun 2001
    Location
    Denmark
    Posts
    453

    Encryption of connection strings

    What is the best/easiest way to encrypt a connection string in the app.config file?

    MS has a lot of articles on this, but I'm not sure which is the easiest and which is the best etc.

    What do you guys use?

    The thing is that we'll be sending a small app out to the users, but we don't want them to be able to abuse the connection string provided in the config file.

    Thanks in advance

    Edit: And we do not want integrated security, because then we'll have to decide who can access the server and how much etc. We want to use a dedicated SQL Server user (not a Windows user).

  2. #2
    Join Date
    Jul 2001
    Location
    Sunny South Africa
    Posts
    11,283

    Re: Encryption of connection strings

    Make use of protected configuration, as explained here:

    http://msdn.microsoft.com/en-us/libr...8VS.80%29.aspx

    Under the heading:
    Encrypting Configuration File Sections Using Protected Configuration

    That seems to be your best option, IMHO.

  3. #3
    Join Date
    Apr 2000
    Location
    Belgium (Europe)
    Posts
    4,626

    Re: Encryption of connection strings

    At best you'll be making it hard for a non-technical person to "abuse the connect string".

    For a half-decent hacker, it takes only minutes to set a breakpoint on the database connect/open function and see the decoded connect string, regardless of how complex or secure the encryption algorithm is. Chances are that there are even DB monitoring tools installed that'll show you what user is being used, so they don't even need special tools.

    If your database itself doesn't allow encrypted connections and you're only wanting a "make it not clearly obvious for everyone" type solution, you can use any encryption you want. A simple XOR over each character will obfuscate it enough.

    Obfuscation is easy.
    Security goes way beyond that.

    And some people just don't get the difference. I've seen big names go to extremes in obfuscation to fail at providing security (well, DUH!). And I've seen companies use elaborate security when all they needed was simple obfuscation (it works, but it's a lot of effort to achieve the goal).
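
Added example, not code from any poster in this thread: it applies the protected configuration suggested in post #2 and then shows the limit described in post #3, namely that the running process gets the plaintext back with no extra step. The connection string name `AppDb` and the class name are assumptions made for illustration; the project must reference System.Configuration.

```csharp
using System;
using System.Configuration;

static class ConnectionStringProtector
{
    // Built-in DPAPI-backed provider registered by the .NET Framework.
    const string DpapiProvider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in <exe>.config unless it is already encrypted.
    // Returns true only when the section was encrypted by this call.
    static bool ProtectConnectionStrings()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(DpapiProvider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);

        // Drop the cached copy so later reads come from the rewritten file.
        ConfigurationManager.RefreshSection("connectionStrings");
        return true;
    }

    static void Main()
    {
        Console.WriteLine(ProtectConnectionStrings()
            ? "connectionStrings section is now encrypted on disk."
            : "Section missing or already encrypted.");

        // Decryption is transparent: the same call works before and after
        // encryption, so anything running as this process sees the plaintext.
        // "AppDb" is a hypothetical entry name.
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings["AppDb"];
        if (cs != null)
            Console.WriteLine("Value handed to the process: " + cs.ConnectionString);
    }
}
```

DPAPI keys are bound to the machine or user that performed the encryption, so a config file encrypted on a build machine will not decrypt on the users' PCs; the section has to be encrypted on each target machine, which means the plaintext reaches that machine first. What actually limits abuse is the set of permissions granted to the dedicated SQL login on the server.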

  4. #4
    Join Date
    Jul 2001
    Location
    Sunny South Africa
    Posts
    11,283

    Re: Encryption of connection strings

    Quote: Originally posted by OReubens
    At best you'll be making it hard for a non-technical person to "abuse the connect string".

    For a half-decent hacker, it takes only minutes to set a breakpoint on the database connect/open function and see the decoded connect string, regardless of how complex or secure the encryption algorithm is. Chances are that there are even DB monitoring tools installed that'll show you what user is being used, so they don't even need special tools.

    If your database itself doesn't allow encrypted connections and you're only wanting a "make it not clearly obvious for everyone" type solution, you can use any encryption you want. A simple XOR over each character will obfuscate it enough.

    Obfuscation is easy.
    Security goes way beyond that.

    And some people just don't get the difference. I've seen big names go to extremes in obfuscation to fail at providing security (well, DUH!). And I've seen companies use elaborate security when all they needed was simple obfuscation (it works, but it's a lot of effort to achieve the goal).
    Great answer
