Re: encrypt string in the Web.Config file

From: Dino Chiesa [Microsoft] (dinoch_at_online.microsoft.com)
Date: 11/18/04


Date: Thu, 18 Nov 2004 10:18:39 -0500

Ken,
If you encrypt the connection string, later you will only have to decrypt
it. Which means somewhere you will need to store the key, and you are no
more secure than when you started.

It is not the same as encrypting (or hashing) a password - for that you only
need to go one way. To verify the password later, you apply the same hash
to the candidate password, and compare the hash of the known good password
to the hash of the candidate password. If they match, then the user entered
the correct password.

But connection strings don't work the same way. You need the plaintext
connection string to connect to the database. You cannot use a one-way hash
of the connection string. So if you encrypt it in the store, you will need
to decrypt it later.

Don't despair! There are good options. For a discussion of them, please
see this text:
http://msdn.microsoft.com/library/en-us/dnnetsec/html/secnetlpMSDN.asp

...specifically, the chapter on data access security,
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetch12.asp

In short, the best recommendation is to use integrated security. But see
the doc for a full discussion.

-Dino

-- 
Dino Chiesa
Microsoft Developer Division
d i n o c h @  OmitThis . m i c r o s o f t . c o m
"Ken" <Ken@discussions.microsoft.com> wrote in message 
news:A8E207E0-28AE-425F-9700-D93399565184@microsoft.com...
> hi
>
> I want to encrypt the Connection String that is located in the Web.Config 
> file
>
> How can I do it?
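
Added example, not part of the original thread: C# (assuming .NET 6 or later) that contrasts the one-way password check described in the reply with a connection string, which must remain usable as plaintext, so the fix is to keep the secret out of it by using integrated security. The server, database and account names are constructed sample values, and `EmbedsCredentials` is a hypothetical helper, not a framework API.

```csharp
using System;
using System.Data.Common;
using System.Security.Cryptography;

static class ConnectionSecretDemo
{
    // One-way: only the salt and the derived hash are stored.
    // Nothing stored here can be turned back into the password.
    public static (byte[] Salt, byte[] Hash) HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        return (salt, Derive(password, salt));
    }

    // Verification re-applies the same derivation to the candidate and
    // compares the two hashes in constant time.
    public static bool VerifyPassword(string candidate, byte[] salt, byte[] storedHash) =>
        CryptographicOperations.FixedTimeEquals(Derive(candidate, salt), storedHash);

    static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 100_000, HashAlgorithmName.SHA256, 32);

    // A connection string cannot be hashed: the driver needs every field in
    // the clear. This check flags strings that carry a password at all.
    public static bool EmbedsCredentials(string connectionString)
    {
        var builder = new DbConnectionStringBuilder { ConnectionString = connectionString };
        return builder.ContainsKey("Password") || builder.ContainsKey("Pwd");
    }

    static void Main()
    {
        var (salt, hash) = HashPassword("correct horse");
        Console.WriteLine($"good password accepted: {VerifyPassword("correct horse", salt, hash)}");
        Console.WriteLine($"bad password accepted:  {VerifyPassword("wrong guess", salt, hash)}");

        // Constructed sample connection strings.
        string sqlLogin = "Server=db01;Database=Orders;User ID=webapp;Password=example-only";
        string integrated = "Server=db01;Database=Orders;Integrated Security=SSPI";

        // The first holds a secret that encryption would only relocate to a key;
        // the second authenticates as the process identity and holds none.
        Console.WriteLine($"SQL login embeds a secret:  {EmbedsCredentials(sqlLogin)}");
        Console.WriteLine($"integrated embeds a secret: {EmbedsCredentials(integrated)}");
    }
}
```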