Secure Connection String? Is there such a thing?

Hi Everyone,

I'm developing a VS.NET application which connects to a SQL Server over the internet. I have an SSL certificate running on this server and data between the application and the server is encrypted, which makes me rather happy.

However, using .NET Reflector I just opened up my code and, lo and behold, there is my connection string in full sight!!!! Which essentially means that anyone can have fun with my database :(

I have read a lot of help pages but nearly everything is in C#, which doesn't help me a lot. Is there any way to A) not show the connection string at all (without using Windows authentication, as I have lots of users), or to encrypt it so that even if the program was decompiled or memory sniffed they could not get this connection string?

Many thanks

Ryan




  • HForcelledo

    Cool!,

    That's a great start but I'm unsure how to use it in an application, especially the conn strings which I'm doing through a dataset. I guess what I am concerned about is that the user, pass and other connection string information is encrypted by me before the exe is compiled and never travels outside in an unencrypted state.

    Thanks Again

    Ryan


  • Birendra

    SecureString class

    I hope that it is useful.

    Regards.



  • Tonnie

    If you allow the user to connect directly to the database, you will expose the username/password in clear text at some point. It doesn't take a whole lot of expertise for someone to attach a debugger to your application and just wait until the data has been decrypted.

    Personally, I would *not* allow users direct access to the database, but rather have the client application connect to a server (possibly IIS), which in turn manages the connection to the database.

    The Microsoft patterns and practices web site has a bunch of information about how this type of scenario can be accomplished.

    Best regards,
    Johan Stenberg



  • Abhishek172

    You can store it, but as for encryption, that's now up to the developer to do ;-)

    http://msdn2.microsoft.com/en-us/library/a65txexh.aspx

    http://msdn2.microsoft.com/en-us/library/89211k9b.aspx

    I think the last link will be of more interest to you



  • Trochon

    Well yes, every time you connect to the database you would need to decrypt it or store the decrypted value in a temp variable or something, then use that to connect to the database.

    And yes, you would need some key stored somewhere, rather a public key I think. You could (maybe not recommended, I don't know, whatever you fancy) create a new encryption key every time you start up the application instance, so when it closes, before closing it completely, regen a key and store that, then use it next time the app starts up and create a new key .... if that makes sense.

    It is indeed an interesting topic and a very important one too, might I add. Hopefully I can come up with something else too.



  • GaryMcC

    No worries.

    Using obfuscation wouldn't really solve your connection string problem but rather make it harder for hackers to look at the code, as variable names etc. would be renamed to meaningless jumbled-up letters or whatever, but still have your strings as is.

    So Windows Authentication is out of the question.... OK.

    Next up, whenever you try to connect to the database, instead of storing the details, you may have to prompt for the credentials and use the username/password supplied and append it to the connection string, then connect and check any exception (Sql/OleDbException) that could be thrown if you are unable to connect to the database. This would be a reasonable solution as no username/password is stored.

    I don't know if you have, but try reading up the links I mentioned... I'll also see what else I can come up with in terms of, say, storing and encrypting the credentials.

    Well, what you could do, since I'm on that last subject, is to just store the username and password encrypted, then when the time comes to use it, just decrypt it using the same encryption/algorithm used to encrypt it. So just replace the UserID and password properties in the connection string with the decrypted values; the same applies if you are getting the input from the user and using it directly.
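
Added example (not part of the original thread): the prompt-for-credentials approach described above, written in VB.NET with `SqlConnectionStringBuilder` so that user input cannot smuggle extra keywords into the connection string. It assumes every user has their own least-privileged SQL Server login; `host,port` and `INV` are the placeholders from the thread's sample string, and the module and function names are hypothetical.

```vbnet
Imports System
Imports System.Data.SqlClient

Module PromptedLogin
    ' Builds the connection string from values typed in at run time.
    ' Nothing secret is compiled into the assembly or written to disk.
    Function BuildConnectionString(ByVal userId As String, ByVal password As String) As String
        Dim b As New SqlConnectionStringBuilder()
        b.DataSource = "host,port"        ' placeholder from the thread's sample
        b.InitialCatalog = "INV"
        b.UserID = userId                 ' the builder quotes the value, so input such as
        b.Password = password             ' "x;Encrypt=False" stays part of the user name
        b.Encrypt = True
        b.TrustServerCertificate = False  ' validate the server certificate chain
        b.PersistSecurityInfo = False     ' password is not readable from the connection after Open
        Return b.ConnectionString
    End Function

    ' Returns True when the server accepts the login; reason explains a failure.
    Function TryLogin(ByVal userId As String, ByVal password As String,
                      ByRef reason As String) As Boolean
        Try
            Using conn As New SqlConnection(BuildConnectionString(userId, password))
                conn.Open()
            End Using
            reason = ""
            Return True
        Catch ex As SqlException When ex.Number = 18456
            reason = "Login failed for this user name and password."
            Return False
        Catch ex As SqlException
            reason = "Could not connect to the server (error " & ex.Number.ToString() & ")."
            Return False
        End Try
    End Function

    Sub Main()
        Console.Write("User: ")
        Dim user As String = Console.ReadLine()
        Console.Write("Password: ")       ' a real UI would use a masked input box
        Dim pass As String = Console.ReadLine()
        Dim reason As String = ""
        Console.WriteLine(If(TryLogin(user, pass, reason), "Connected.", reason))
    End Sub
End Module
```

The thread's sample string sets `TrustServerCertificate=True` and `Persist Security Info=True`; the example turns both off, which requires the server certificate to chain to a root the client trusts.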



  • Amanda Jamin

    Thank you Ahmed. It's a very interesting topic, I must say, and yes, I read the links you posted, and they provide for some very interesting theoretical examples, but I guess it's very difficult to translate them into practice.

    On your last suggestion, that is what I was thinking: if I could have the string encrypted and then decrypt it whenever the string is being called. But my question is then, wouldn't the decryption key need to be stored in the application as well, kind of defeating the purpose?

    Perhaps some more information would help, and here is a sample connection string I am using:

    Data Source=host,port;Initial Catalog=INV;Persist Security Info=True;User ID=systemuser;Password=systemuserpassword;Encrypt=True;TrustServerCertificate=True

    So if there was a way to wrap this up, encrypt it, and decrypt it on use, that would be great. Although I have a question on that: at what stage does the connection string get used? Only the first time it connects, or is it used every time a query is made back to the database?

    Thanks again!, have an E-Beer on me!

    Ryan


  • jatdex

    OK, I've thrown 2 days at this non-stop and I still don't get a suitable solution that works, so it's time to change track.

    Is it possible to store my connection settings in the app.config file and have that file heavily encrypted?

    That way I can obfuscate the main exe and not have to worry about the connection string getting all garbled up, have the settings in the one file, and I can have it at least semi-secure with some half-decent encryption on it. The MSDN articles I have read on this all refer to ASP.NET and how to secure those files, but does the same apply for VB.NET?

    Surely to goodness there is a common way to develop VB.NET applications that access a SQL database that don't give up their SQL connection string.

    Ahmed's actually given me some great food for thought on some other ideas I have had, but I really need to sort this one with a deadline date rapidly approaching :(

    Thanks again in advance. Oh, to have a hotline to Redmond!

    Ryan


  • akram badr

    Thanks again Ahmed, :) another E-Beer for you!

    OK, so I've been a good chap and removed the connection settings out of the app and I now have them in my app.config file.

    And the application is working just fine and dandy.

    So it's time to encrypt the app.config file. And the articles above you posted filled me with good information, BUT (and there is always a but..)

    The application is to be delivered out to all and sundry, basically anyone who downloads it, so the decryption routine can't use a private key; the decryption key must reside inside my application (which I can at least obfuscate). All of the articles I have found only have the config file be encrypted and decrypted on the one machine (I'm guessing as they think it's a web config file for IIS), so my question is then: does anyone have a walkthrough for encrypting the app.config file while storing the decryption key inside their application so that the application can be deployed anywhere?

    Thanks again

    Ryan
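
Added example (not part of the original thread): protected configuration applied to a desktop app.config from VB.NET, which is the same mechanism the ASP.NET articles describe. The connection string name `InvDb` and the module and function names are hypothetical; the section is encrypted on the client at first run because the DPAPI-backed provider uses a key that belongs to that machine.

```vbnet
Imports System
Imports System.Configuration   ' requires a reference to System.Configuration.dll

Module ProtectConfig
    ' Assumed app.config entry (the name "InvDb" is hypothetical):
    '   <connectionStrings>
    '     <add name="InvDb"
    '          connectionString="Data Source=host,port;Initial Catalog=INV;..." />
    '   </connectionStrings>
    Const SectionName As String = "connectionStrings"

    ' Encrypts the section inside <app>.exe.config if it is still plain text.
    ' Returns True when the file was changed, False when there was nothing to do.
    Function EnsureProtected() As Boolean
        Dim cfg As System.Configuration.Configuration =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None)
        Dim section As ConfigurationSection = cfg.GetSection(SectionName)
        If section Is Nothing OrElse section.SectionInformation.IsProtected Then
            Return False
        End If

        ' DPAPI-backed provider: the key is tied to this machine, so a file
        ' encrypted on the build machine cannot be shipped to clients.
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")
        section.SectionInformation.ForceSave = True
        cfg.Save(ConfigurationSaveMode.Modified)
        ConfigurationManager.RefreshSection(SectionName)
        Return True
    End Function

    Sub Main()
        Console.WriteLine("Encrypted on this run: " & EnsureProtected().ToString())

        ' Reading needs no extra code: the section is decrypted transparently.
        Dim cs As ConnectionStringSettings = ConfigurationManager.ConnectionStrings("InvDb")
        If cs IsNot Nothing Then
            Console.WriteLine("Loaded connection string, length " &
                              cs.ConnectionString.Length.ToString())
        End If
    End Sub
End Module
```

The process needs write access to the folder holding the .exe.config. Because decryption is transparent to the application, it is equally available to the person running it, so this protects the file at rest and does not hide a shared password from the application's own users.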


  • Altug Atik

    G'day Ahmed, thanks for your help. Perhaps if I gave you some more details it may become apparent as to the struggle I am having :)

    Firstly, I cannot use Windows Authentication as the application is distributed to anyone on the internet, whose account details are in the SQL database. So it would be impossible for me to have Windows users for the variable users that come and go.

    So this leads me to the first point you make: as I am getting a username/password from each user, can that be used in some way as you suggest, remembering that my users are variable; they sign up and leave of their own volition.

    Perhaps I am better off using some obfuscation as a form of defense?

    Who would have thought that having a simple encrypted connection string would be so difficult?

    Thanks again for your assistance, it's great to chat to someone and bounce ideas off. I think I'm going a little bit insane :P

    Ryan


  • Carolina Gomes

    I am really struggling here. There isn't an example of code that I can really find easy or useful to understand :/ I hate being such a noob!

    What I don't understand is, surely this is a common requirement of people to protect their connection strings?

    Thanks again

    Ryan


  • DavidAWinter

    Yes, it's true.

    Some articles about SecureString and security issues:

    Making Strings More Secure

    Security Enhancements in the .NET Framework 2.0

    I hope that it is useful. If you make progress with this issue, please post here; it is an interesting topic :)

    Regards.



  • Ofir Epstein

    It is, but either:

    • they prompt for username and password and append it to the connection string

    • use Windows Authentication to log in and that's it

    • find out what the encryption of the connection string would be like with the username/password and only store this encrypted string, then decrypt it and use it when the time comes to connect to the database

    Take a look at this too:

    http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/

    http://msdn2.microsoft.com/en-us/library/ms254947.aspx



  • __murph__

    In .NET 2.0, I believe I have seen a special key entry for connection strings in the application settings. I can't remember where I read it, but I know that there may well be one for this scenario.

    One other thing you could do is encrypt the connection string, find out what the encryption was and store that in your app, then when the time comes to use it, decrypt it and use it, so overall you won't have a human-readable representation of the connection string stored anywhere.


