Re: Using encrypted dB connection string

From: Rick Spiewak (rickspiewak_at_mindspring.com)
Date: 05/22/04


Date: Fri, 21 May 2004 23:25:02 -0400

See the following article:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT07.asp.
This describes the use of the DPAPI library and the machine key (or user
key, but for your purpose stick to the machine key) to encrypt and decrypt
things like the connection string. Because the key is known by the DPAPI
library, you don't need to provide it (or even know it).

You can pretty easily follow the article, and compile the library. I've also
written a VB.NET "wrapper" which simplifies the use of this library (but
still requires it) if you're interested. You will then need to use an
ASP.NET page (I've also written that if you like) which you will temporarily
install on your web site - the encryption technique used here relies on the
machine key for the actual machine on which you are running, so you can't do
this with a Windows app, although you could also do it with a web service.

You can then encrypt the connection string, and put it into the config file,
and then decrypt it at runtime. Then, if you're using an ASP.NET page which
knows how to encrypt/decrypt using DPAPI, you should remove it from your web
site since anyone who could find their way to it could use the decryption
facility!!

The only caveat is that if your hosting service replaces the machine you're
running on and doesn't maintain the machine key, you'll have to re-do the
encryption steps above.

"Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
news:ei79Ws3PEHA.832@TK2MSFTNGP09.phx.gbl...
> Charlie,
>
> If you use passwords for user authentication only, do not use encryption,
> use hashing (with salt) instead. If you need to use encryption, in your
> particular scenario (Web hosting environment to which you have limited
> access), the best you can do is use a tool like CipherLite.NET (see
> http://www.obviex.com/cipherlite/). You will need to embed the passphrase
> (to generate encryption key) in your code, so if a hacker gets hold of your
> assembly, this passphrase can be easily retrieved unless you obfuscate the
> assembly using a good commercial obfuscator (and even this will not
> guarantee security). Unfortunately, you don't have many options. If you find
> a better approach, please post it here; there may be other readers in the
> same situation.
>
> Alek
>
> "Charlie@CBFC" <charle1@comcast.net> wrote in message
> news:O80gzh3PEHA.3232@TK2MSFTNGP11.phx.gbl...
> > Hi:
> >
> > My host will not allow me to use a trusted connection or make registry
> > settings, so I'm stuck trying to find a way to hide the connection string
> > which will be stored in the web.config file. If I encrypt the string
> > externally, can it be used in its encrypted form to connect to SQL Server?
> > If I decrypt it back to a string for use in the connection string during
> > runtime, I have to supply a key. If I do that, a hacker could use the key
> > to break the encryption. How do I handle this? I'll be storing passwords
> > in the database and don't want a hacker to get in.
> >
> > Thanks,
> > Charlie
> >
> >
> >
>
>
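The machine-key DPAPI scheme Rick describes, as an added example that is not code from the original post, the MSDN article, or his VB.NET wrapper: it uses the managed ProtectedData class (System.Security.dll, .NET 2.0 and later) in place of the article's P/Invoke wrapper, and assumes the encrypted value lives under an appSettings key named "ConnStr" and that a secondary-entropy string of your choosing is compiled in.

```csharp
// Added example, not the MSDN article's P/Invoke wrapper or the poster's VB.NET wrapper.
// ProtectedData calls CryptProtectData/CryptUnprotectData (DPAPI) under the hood, so the
// key never appears in code or config; LocalMachine scope ties the blob to this server.
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;

public static class ConnectionStringProtector
{
    // Optional "secondary entropy": DPAPI mixes it into the key derivation, so another
    // process on the same machine that does not know it cannot unprotect the blob.
    // Assumed value for illustration; choose your own and keep it out of web.config.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("cbfc-connstr-v1");

    // Run once on the hosting server (e.g. from the temporary ASP.NET page Rick mentions),
    // then paste the returned text into web.config and delete that page.
    public static string Encrypt(string connectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(blob);
    }

    // Run at request time on the same machine. Throws CryptographicException if the
    // machine key changed (host swapped servers) or the blob was copied elsewhere,
    // which is exactly the caveat in the post: re-run Encrypt on the new machine.
    public static string Decrypt(string base64Blob)
    {
        byte[] blob = Convert.FromBase64String(base64Blob);
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(plain);
    }

    // Reads the encrypted value from web.config (assumed key name):
    //   <appSettings><add key="ConnStr" value="AQAAANCM...base64..." /></appSettings>
    public static string GetConnectionString()
    {
        string encrypted = ConfigurationManager.AppSettings["ConnStr"];
        if (string.IsNullOrEmpty(encrypted))
            throw new ConfigurationErrorsException("ConnStr is missing from web.config");
        return Decrypt(encrypted);
    }
}
```

Because the machine store is shared by every process on the server, an attacker who can run code on that box can still call Unprotect; the entropy value raises the bar but the blob is only as safe as the host's process isolation.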
