Re: encrypt string in the Web.Config file

From: Dino Chiesa [Microsoft] (dinoch_at_online.microsoft.com)
Date: 11/18/04


Date: Thu, 18 Nov 2004 10:18:39 -0500

Ken,
If you encrypt the connection string, later you will only have to decrypt
it. Which means somewhere you will need to store the key, and you are no
more secure than when you started.

It is not the same as encrypting (or hashing) a password - for that you only
need to go one way. To verify the password later, you apply the same hash
to the candidate password, and compare the hash of the known good password
to the hash of the candidate password. If they match, then the user entered
the correct password.

But connection strings don't work the same way. You need the plaintext
connection string to connect to the database. You cannot use a one-way hash
of the connection string. So if you encrypt it in the store, you will need
to decrypt it later.

Don't despair! There are good options. For a discussion of them, please
see this text:
http://msdn.microsoft.com/library/en-us/dnnetsec/html/secnetlpMSDN.asp

...specifically, the chapter on data access security,
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetch12.asp

In short, the best recommendation is to use integrated security. But see
the doc for a full discussion.

-Dino

-- 
Dino Chiesa
Microsoft Developer Division
d i n o c h @  OmitThis . m i c r o s o f t . c o m

"Ken" <Ken@discussions.microsoft.com> wrote in message 
news:A8E207E0-28AE-425F-9700-D93399565184@microsoft.com...
> hi
>
> I want to encrypt the Connection String that is located in the Web.Config 
> file
>
> How Can I do it? 
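
The contrast drawn in the reply above, as an added C# example that is not part of the original thread: a password can be stored one-way and verified by re-hashing, while a connection string must stay recoverable unless integrated security removes the stored secret altogether. It assumes .NET 6 or later; the iteration count, server name, database name and account name are constructed placeholders.

```csharp
// Added example, not code from the original thread. Assumes .NET 6 or later.
using System;
using System.Security.Cryptography;
using System.Text;

static class OneWayVersusReversible
{
    const int Iterations = 600_000; // assumed work factor, tune for your hardware
    const int SaltBytes = 16;
    const int HashBytes = 32;

    // Password storage is one-way: keep only the salt and the derived hash.
    public static (byte[] Salt, byte[] Hash) HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
        return (salt, hash);
    }

    // Verification re-applies the same hash to the candidate and compares.
    public static bool VerifyPassword(string candidate, byte[] salt, byte[] storedHash)
    {
        byte[] candidateHash = Rfc2898DeriveBytes.Pbkdf2(
            candidate, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
        return CryptographicOperations.FixedTimeEquals(candidateHash, storedHash);
    }

    static void Main()
    {
        // Constructed sample password.
        var (salt, hash) = HashPassword("constructed-sample-password");
        Console.WriteLine(VerifyPassword("constructed-sample-password", salt, hash));
        Console.WriteLine(VerifyPassword("wrong-guess", salt, hash));

        // Constructed connection string using SQL authentication (placeholder values).
        string sqlAuth = "Server=db.example.internal;Database=AppDb;" +
                         "User ID=app_user;Password=PLACEHOLDER";
        byte[] digest = SHA256.HashData(Encoding.UTF8.GetBytes(sqlAuth));
        // The digest can only confirm a candidate string; the database driver
        // needs the plaintext, so a stored secret must be reversible.
        Console.WriteLine(Convert.ToHexString(digest));

        // Integrated security: no password is stored, so nothing to encrypt.
        string integrated = "Server=db.example.internal;Database=AppDb;" +
                            "Integrated Security=SSPI";
        Console.WriteLine(integrated);
    }
}
```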

