Re: Storing connection strings

From: Ralph (msnews.20.nt_consulting32_at_spamgourmet.com)
Date: 02/27/05


Date: Sat, 26 Feb 2005 22:49:21 -0600


"LucasC" <msdn@rmya.com.ar> wrote in message
news:DEFB4C3F-DD20-473F-B8F8-7F1CF8D4C977@microsoft.com...
> Hi,
> I'd like to get some information about the different options to store and
> manage connection strings to be used by a VB 6.0 application in a secure way.
> Any idea or good article?
>
> Thanks a lot
> --
> LucasC

Well this posting should draw a host of opinions <g>

An answer will depend heavily on who you are trying to protect it from, how
the app is distributed, and what OS you are running on. For example, many
exotic, seemingly safe, security measures will fail miserably once an attacker
has physical access to the box, like the Encrypted File System on Win2k is
easily defeated, but very secure on an XP box. (To the point you can
actually lock yourself out forever if you are not careful. <g>) However, EFS
is relatively secure from remote or guarded user access.

Googling will turn up a ton of suggestions. To help in your search, the
basic ways, singularly or in combination, are...

1) Using the Data Protection API (DPAPI) provided by your OS. Search for
CryptProtectData and CryptUnprotectData.
[Which brings up the sub-topic - storing your keys on the box (machine
store) or by user (profiles).]

2) Use an .udl file, or .ini or text file, protected by the EFS or ACLs. You
might also encrypt the key value.

3) Use the registry, again perhaps encrypted and the keys protected by ACLs.

4) Using the COM+ catalog, if you are using MTS or other COM+ services.
Search for "COM+ Object Constructor Strings".

5) Don't worry about connection strings and instead require strong
login/authentication to the data server, i.e., keep the password out of the string
and force a manual login.

Personally I use encrypted strings placed in the Registry. I attach the
private encrypt keys to users' profiles/logins, and guard the Registry with
ACLs. I also occasionally use .udl's placed in 'secure' locations.

hth
-ralph


