Re: How good an encryption algorithm is this?

From: Bonj (Bonj_at_discussions.microsoft.com)
Date: 11/25/04


Date: Thu, 25 Nov 2004 04:27:46 -0800


> Let's take yet another step back: _why_ do you need the key constantly
> persisted in software on the client?

Because it's a "password remember" feature for a Windows app, to enable the
application to log on to SQL Servers that don't use Windows authentication, so
that the user of the PC doesn't have to constantly type in the password every
time he uses it.
It's nothing to do with sending an encrypted message down a wire and
decrypting it again at the other end, and I don't control the part of the
software that decides whether or not the password is valid; it must be
enclosed in the connection string.

> What do you need this key for

To log on to SQL Server

> , what
> data are you trying to protect

The connection string

> , who needs access to this data

Only the person that stored it (the application stores it when they type it
in for the first time)

> , how do
> you plan to know she is the right person to have access to said data?

Again, please take on board that I don't have control of the part of the
software that decides whether the password is valid. That is SQL Server.

> What threats do you envision and are trying to protect against?

Here goes again, then:
Someone being able to produce a "crack program" that enables the layman to
find out his colleague's SQL Server password by running the "crack program"
on his computer when he's not looking, the crack program working by reading
my application's registry key.

>
> I highly recommend "Writing Secure Code" by Michael Howard et al [1]. It
> has a chapter on storing secrets securely on Windows machine. All of
> them essentially boil down to trusting Windows authentication: if the
> person managed to log into her Windows account, you assume that she is
> indeed who she says she is.

I think CryptProtectData will enable me to do this.

>
> [1] http://www.amazon.com/exec/obidos/tg/detail/-/0735617228
> --
> With best wishes,
> Igor Tandetnik
>
> With sufficient thrust, pigs fly just fine. However, this is not
> necessarily a good idea. It is hard to be sure where they are going to
> land, and it could be dangerous sitting under them as they fly
> overhead. -- RFC 1925
>
>
>
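
The storage approach discussed in this message (a remembered SQL Server password kept in the application's registry key and protected with CryptProtectData), as an added example that is not code from the thread. It uses .NET's `ProtectedData` class, the managed wrapper over CryptProtectData/CryptUnprotectData; the registry path, value name, entropy string, server name and sample password are all hypothetical.

```powershell
# Added example: per-user DPAPI protection of a remembered SQL Server password.
Add-Type -AssemblyName System.Security

$RegPath   = 'HKCU:\Software\ExampleApp'   # hypothetical application key
$ValueName = 'SqlPassword'                 # hypothetical value name
# Optional entropy ties the blob to this application; it is not a secret.
$Entropy   = [System.Text.Encoding]::UTF8.GetBytes('ExampleApp/SqlPassword/v1')
$Scope     = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Save-SqlPassword {
    param([Parameter(Mandatory)][string]$Password)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Password)
    try {
        # The blob is encrypted with a key derived from the user's Windows logon.
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $Entropy, $Scope)
    } finally {
        [Array]::Clear($plain, 0, $plain.Length)   # do not leave plaintext bytes around
    }
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $ValueName -Value $blob -Type Binary
}

function Get-SqlPassword {
    $blob = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction Stop).$ValueName
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $Scope)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Raised when the blob was created under another account or has been altered.
        throw 'Stored password cannot be decrypted under this Windows account.'
    }
    try {
        [System.Text.Encoding]::UTF8.GetString($plain)
    } finally {
        [Array]::Clear($plain, 0, $plain.Length)
    }
}

# Constructed sample values; the password only reaches the connection string at use time.
Save-SqlPassword -Password 'constructed-sample-password'
$connectionString = "Server=sqlhost.example;Database=ExampleDb;User Id=appuser;Password=$(Get-SqlPassword);"
```

A blob written this way decrypts only under the Windows account that created it, so a copy of the registry value read from another account is not usable. Any process already running in that account can make the same `Unprotect` call, which is the boundary of the "trust Windows authentication" model quoted above.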


