Re: How do I make my database secure?

Even with encryption, the system has to have a key, and in a shared hosting environment, it is going to be extremely difficult to come up with a way to protect that key .... If someone is able to penetrate the system and get direct access to the SQL Server .... then chances are they are going to be able to scan your code to find the encryption keys, or how you are obfuscating them.

Norman Yuan wrote:
Besides what is said in the other post, when storing sensitive data, such as credit card info, you should not store the data in the database as clear text. You should encrypt the data itself before placing it into the database. And then when your app reads the data, you decrypt it, so that the data is not physically readable by anyone other than your app.

"COHENMARVIN" <cohenmarvin@xxxxxxxxxxx> wrote in message news:1132253676.405124.194210@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I have a SQL Server database hosted by an ISP.  It has credit card
fields.  I want to make the database secure.
My asp.net pages refer to the database as follows:
strConnection = ConfigurationSettings.AppSettings["ConnectionInformation"];
Which means they get the connection string for the database from a
web.config file.
The web.config file has the following tags:
<appSettings>
   <add key="ConnectionInformation"
        value="Server=sql2k5.earthweb.com;Database=merc_One;uid=usa_hvtest;password=vinyl" />
</appSettings>
Is there some way to encrypt the connection string?  Would it be
encrypted in the web.config?  Could some hacker get at the web.config?
Are there any other security measures I could take?  For instance,
could the credit card fields be encrypted in the database?
Thanks in advance for any pointers.
-- Marvin

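Marvin's first question, whether the connection string can live encrypted inside web.config, is answered by .NET 2.0's protected configuration. The C# below is an added example, not code from anyone in this thread; it assumes the credentials have been moved from <appSettings> into a <connectionStrings> entry named ConnectionInformation and that the site's virtual path is /merc (both names are assumptions).

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;   // needs references to System.Web.dll and System.Configuration.dll

// Assumed web.config layout once the credentials leave <appSettings>:
//   <connectionStrings>
//     <add name="ConnectionInformation"
//          connectionString="Server=...;Database=...;uid=...;password=..." />
//   </connectionStrings>
class ProtectConnectionStrings
{
    // Assumed virtual path of the ASP.NET application on this server.
    const string AppVirtualPath = "/merc";

    static void Main()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(AppVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section.SectionInformation.IsProtected)
        {
            Console.WriteLine("connectionStrings is already encrypted.");
        }
        else
        {
            // DataProtectionConfigurationProvider wraps the section with Windows DPAPI
            // under the machine key, so the file only decrypts on this server.
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
            Console.WriteLine("connectionStrings section encrypted in web.config.");
        }

        // The runtime decrypts transparently: page code keeps reading a plain value,
        // it just moves from ConfigurationSettings.AppSettings[...] to
        // ConfigurationManager.ConnectionStrings["ConnectionInformation"].ConnectionString.
        ConnectionStringSettings cs =
            config.ConnectionStrings.ConnectionStrings["ConnectionInformation"];
        Console.WriteLine("Decrypted connection string has " + cs.ConnectionString.Length + " characters.");
    }
}
```

The same result is available from the command line with aspnet_regiis -pe "connectionStrings" -app "/merc" -prov "DataProtectionConfigurationProvider". As the reply above points out, DPAPI binds the ciphertext to the machine rather than hiding it from code that runs there, so this protects a copied web.config, not one read by an attacker who already executes code as the application on that server.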