Re: Using encrypted dB connection string
From: Rick Spiewak (rickspiewak_at_mindspring.com)
Date: 05/22/04
- Next message: Wayne Wengert: "Re: Set Column Width in DataList"
- Previous message: Alphonse Giambrone: "Re: User Account Running at Application_end"
- In reply to: johndoe_at_driver.net: "Re: Using encrypted dB connection string"
- Next in thread: mikeb: "Re: Using encrypted dB connection string"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 22 May 2004 08:47:35 -0400
If you're worried about performance from the decryption, do it at
application startup and store the decrypted connection string in Application
state or the cache.
<johndoe@driver.net> wrote in message
news:ezCNuX9PEHA.3304@TK2MSFTNGP12.phx.gbl...
> I wonder if there is some level at which you have to place a level of
> trust.
> For example - taking the Salt versus 2 way encryption.
> Using Salt to one time your passwords for authentication and using a
> generation to reset forgotten passwords
> Using 2-way to Encrypt and Decrypt and email forgotten passwords
>
> If a Hacker were to steal your code and wanted the information he would
> simply either
> a) Steal the Generation Key and use that to generate keys and change
> everybody's password
> b) Steal the Pass phrase and create some code to grab the passes.
> Exact Same amount of work with the Exact same results.
>
> If you don't trust your own webhost with a "database connection string"
> and are going to go through the process of encrypting and decrypting the
> connection string every single time you are going to connect to it.
>
> And how do you add salt to information that you need to retrieve?
> Salt is 1-way. How is a 1-way encryption useful for something you need to
> use?
>
> And I won't even go down the performance hit one would possibly take if
> one's site began getting busy using 2-way encryption every time one wanted
> to connect to the database. Maybe not an issue if one is not getting a lot
> of hits.
>
>
> "Rick Spiewak" <rickspiewak@mindspring.com> wrote in message
> news:uQS3Yw6PEHA.644@tk2msftngp13.phx.gbl...
> > See the following article:
> >
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT07.asp.
> > This describes the use of the DPAPI library and the machine key (or user
> > key, but for your purpose stick to the machine key) to encrypt and
> > decrypt things like the connection string. Because the key is known by
> > the DPAPI library, you don't need to provide it (or even know it).
> >
> > You can pretty easily follow the article, and compile the library. I've
> > also written a VB.NET "wrapper" which simplifies the use of this library
> > (but still requires it) if you're interested. You will then need to use an
> > ASP.NET page (I've also written that if you like) which you will
> > temporarily install on your web site - the encryption technique used here
> > relies on the machine key for the actual machine on which you are running,
> > so you can't do this with a Windows app, although you could also do it
> > with a web service.
> >
> > You can then encrypt the connection string, and put it into the config
> > file, and then decrypt it at runtime. Then, if you're using an ASP.NET page
> > which knows how to encrypt/decrypt using DPAPI, you should remove it from
> > your web site since anyone who could find their way to it could use the
> > decryption facility!!
> >
> > The only caveat is that if your hosting service replaces the machine
> > you're running on and doesn't maintain the machine key, you'll have to
> > re-do the encryption steps above.
> >
> > "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
> > news:ei79Ws3PEHA.832@TK2MSFTNGP09.phx.gbl...
> >> Charlie,
> >>
> >> If you use passwords for user authentication only, do not use
> >> encryption, use hashing (with salt) instead. If you need to use
> >> encryption, in your particular scenario (Web hosting environment to which
> >> you have limited access), the best you can do is use a tool like
> >> CipherLite.NET (see http://www.obviex.com/cipherlite/). You will need to
> >> embed the passphrase (to generate encryption key) in your code, so if a
> >> hacker gets hold of your assembly, this passphrase can be easily
> >> retrieved unless you obfuscate the assembly using a good commercial
> >> obfuscator (and even this will not guarantee security). Unfortunately,
> >> you don't have many options. If you find a better approach, please post
> >> it here; there may be other readers in the same situation.
> >>
> >> Alek
> >>
> >> "Charlie@CBFC" <charle1@comcast.net> wrote in message
> >> news:O80gzh3PEHA.3232@TK2MSFTNGP11.phx.gbl...
> >> > Hi:
> >> >
> >> > My host will not allow me to use a trusted connection or make registry
> >> > settings, so I'm stuck trying to find a way to hide the connection
> >> > string which will be stored in the web.config file. If I encrypt the
> >> > string externally, can it be used in its encrypted form to connect to
> >> > SQL Server? If I decrypt back to a string for use in the connection
> >> > string during runtime, I have to supply a key. If I do that, a hacker
> >> > could use the key to break the encryption. How do I handle this? I'll be
> >> > storing passwords in the database and don't want a hacker to get in.
> >> >
> >> > Thanks,
> >> > Charlie
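The DPAPI approach Rick describes (machine-scope protection, encrypt once on the server itself, decrypt at startup and cache the result), as an added C# example that is not the MSDN How-To library, Rick's VB.NET wrapper or any code from the thread. It assumes .NET Framework 2.0 or later, where System.Security.Cryptography.ProtectedData exposes DPAPI directly so no P/Invoke library is needed; the appSettings key name and the entropy value are placeholders.

```csharp
// Added example, not the MSDN How-To library or Rick's wrapper. Assumes .NET
// Framework 2.0+ (System.Security.dll, System.Web.dll); ProtectedData wraps DPAPI.
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public static class DpapiConnectionString
{
    // LocalMachine scope lets any process on the host call Unprotect, so a
    // per-application entropy value is mixed in. Placeholder; keep the real one
    // in the assembly, not beside the blob in web.config.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("APP-ENTROPY-PLACEHOLDER");
    // Run once, on the web server itself (the thread's temporary ASP.NET page):
    // the machine key never leaves that host.
    public static string Encrypt(string plainConnectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(plainConnectionString);
        byte[] cipher = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(cipher); // text-safe for <appSettings>
    }

    public static string Decrypt(string base64Cipher)
    {
        byte[] cipher = Convert.FromBase64String(base64Cipher);
        try
        {
            byte[] plain = ProtectedData.Unprotect(cipher, Entropy, DataProtectionScope.LocalMachine);
            return Encoding.UTF8.GetString(plain);
        }
        catch (CryptographicException ex)
        {
            // Rick's caveat: site moved to a machine with a different machine key,
            // so this blob is undecryptable here; re-run Encrypt on the new box.
            throw new InvalidOperationException("Connection string blob was not protected on this machine.", ex);
        }
    }
}

// Global.asax code-behind: decrypt once at startup and cache, avoiding per-request cost.
public class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        string blob = ConfigurationManager.AppSettings["EncryptedConnectionString"];
        Application["ConnectionString"] = DpapiConnectionString.Decrypt(blob);
    }
}
```

Pages then read the cached value from Application state rather than calling Decrypt again; if the host moves the site, the startup exception shows immediately that the blob must be regenerated on the new machine.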