Securing a SQL Connection string [modified]

    Marcus J Smith wrote (#1):

    I am writing a Windows app that is specific to a user so we will be connecting to a SQL Server database. I am having the hardest time finding what to do with a connection string in this circumstance. I can encrypt the string and store it in the app.config, I already am doing that but I have to store the key somewhere that I can get it back out. I know that storing straight strings in an assembly is risky since it doesn't take much in order to see them, so what can I do in this situation where this app will be installed on various machines? So to ask a direct question, how can I store the connection string where I can get to it but don't have to store an obvious string in the assembly? If I have it installed into the registry, it is still straight text in my install package, if I encrypt it then the key is still straight text in my assembly, and I've read some articles about DPAPI but that doesn't sound like exactly what I'm looking for. Please help, Cleako

      mikanu wrote (#2):

      As I'm sure you know, there is no such thing as perfect security. In most cases all you need to do is figure out your target audience and what level of security will suffice for your purposes. It usually takes figuring out something that will keep *most* hackers out. This is a first and simple step you could take to further secure your connection strings. Encrypt them and instead of storing the key as a string in your code, obfuscate it a little bit. I'm going to give you a simple example of what that means but you can derive and go nuts with it. Let's say you have the following key "mypass123".

      ```vb
      Dim i As Integer          ' A counter
      Dim str(9) As Byte        ' This array will store the ASCII codes of the characters in the key
      Dim keyLength As Integer  ' This will store the keyLength
      Dim keyString As String   ' Variable used to store the key at the end, as a string

      str(0) = 109  ' ASCII code for "m"
      str(1) = 121  ' ASCII code for "y"
      str(2) = 112  ' ASCII code for "p"
      str(3) = 97   ' ASCII code for "a"
      str(4) = 115  ' ASCII code for "s"
      str(5) = 115  ' ASCII code for "s"
      str(6) = 49   ' ASCII code for "1"
      str(7) = 50   ' ASCII code for "2"
      str(8) = 51   ' ASCII code for "3"

      keyLength = 9 ' manually specify the length of the key

      ' Load keyString with the key, by appending the characters of the key
      keyString = ""
      For i = 0 To keyLength - 1
          keyString = keyString + Chr(str(i))
      Next i

      ' Now you can use keyString as the key to unlock your connection string
      ```

      Obviously you can improve the method of obfuscation even further. Here's an example:

      ```vb
      str(0) = 109          ' ASCII code for "m"
      str(1) = str(0) + 12  ' ASCII code for "y"
      str(2) = str(1) - 9   ' ASCII code for "p"
      str(3) = str(2) - 15  ' ASCII code for "a"
      str(4) = str(2) + 3   ' ASCII code for "s"
      str(5) = str(4)       ' ASCII code for "s"
      str(6) = 49           ' ASCII code for "1"
      str(7) = str(6) + 1   ' ASCII code for "2"
      str(8) = str(7) + 1   ' ASCII code for "3"
      ```
      ---- www.digitalGetto.com

        Marcus J Smith wrote (#3):

        Wow, sounds pretty reasonable. Thanks, Cleako
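
The DPAPI approach mentioned in the question, as an added example that is not part of the original thread: the connection string is protected under the current Windows user's profile, so no key is embedded in the assembly or the install package. The module name, file location, entropy label and sample connection string are assumptions for illustration; on .NET Framework the project needs a reference to System.Security.dll.

```vb
Imports System
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Module ConnectionStringVault
    ' Hypothetical per-user location for the protected blob.
    Private ReadOnly StorePath As String = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
        "MyApp", "conn.bin")

    ' Optional entropy: a purpose label mixed into the protection, not a secret key.
    Private ReadOnly Entropy As Byte() =
        Encoding.UTF8.GetBytes("MyApp.ConnectionString.v1")

    ' Run once at provisioning time (first run or setup), as the target user.
    Public Sub SaveConnectionString(ByVal plain As String)
        Dim blob As Byte() = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plain), Entropy, DataProtectionScope.CurrentUser)
        Directory.CreateDirectory(Path.GetDirectoryName(StorePath))
        File.WriteAllBytes(StorePath, blob)
    End Sub

    ' Run at startup; only the same Windows user can unprotect the blob.
    Public Function LoadConnectionString() As String
        Dim blob As Byte() = File.ReadAllBytes(StorePath)
        Try
            Dim plain As Byte() = ProtectedData.Unprotect(
                blob, Entropy, DataProtectionScope.CurrentUser)
            Return Encoding.UTF8.GetString(plain)
        Catch ex As CryptographicException
            ' Blob came from another user or machine, or was modified on disk.
            Throw New InvalidOperationException(
                "Stored connection string cannot be unprotected for this user.", ex)
        End Try
    End Function

    Sub Main()
        ' Constructed sample value; no real server or credentials.
        SaveConnectionString(
            "Server=db.example.internal;Database=AppDb;Integrated Security=SSPI;")
        Console.WriteLine(LoadConnectionString())
    End Sub
End Module
```

With `DataProtectionScope.CurrentUser` the blob is useless to other accounts and to anyone who copies the file to another machine, while code running as the same user can still unprotect it. The same limit applies to any key that the program rebuilds from bytes inside the assembly.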
