Solved

security

Posted on 2006-11-23
Last Modified: 2010-04-23
There is a connection string stored in My.Settings, but it only has read access to the SQL Server. It will be used just to validate the username and password entered by the operator against those stored in the DB. If validated, a new set of username and password is sent back to the user (but it is not encrypted, and I need to learn some encryption too). Now a new connection string is created on the fly, using this new username and password. With this new connection string, the program has write access over the database.

I have that design in mind, since I don't want the username and password to be found by reverse engineering the executable. Is the above a good idea, or is it not?
Question by:huji
7 Comments
 
LVL 15

Expert Comment

by:Solar_Flare
ID: 18004962
So the username and password will be hardcoded into your application?

If so, why not just encrypt the connection string and put the encrypted version of the string into your application, then decrypt it at runtime before making the connection? This way decompiling your app will only reveal the encrypted string.
0
 
LVL 14

Author Comment

by:huji
ID: 18006145
The first username and password (which has READ permission) is hardcoded. From the second connection string, only the database IP and catalog name are hardcoded; the rest (new username and password) comes from the SQL Server at runtime.
Your idea of encrypting these strings and decrypting them at runtime is appropriate. What encryption method do you suggest?
0
 
LVL 15

Accepted Solution

by:
Solar_Flare earned 125 total points
ID: 18006152
You can use the System.Security.Cryptography classes.

This page http://www.codeproject.com/dotnet/SimpleEncryption.asp should help get you started with some encryption :)
0
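An added example, not part of the thread or of the linked article: one way to apply the System.Security.Cryptography suggestion with `ProtectedData` (Windows DPAPI), so the stored connection string is encrypted under a key tied to the Windows user account and no decryption key sits in the executable for a decompiler to find. It assumes Windows and a reference to System.Security.dll (on .NET Core and later, the System.Security.Cryptography.ProtectedData package); the module name, entropy value and connection string are constructed for illustration.

```vb
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module ConnectionStringProtection
    ' Optional extra entropy mixed into the DPAPI operation.
    ' Constructed value; it is not a key and is not secret on its own.
    Private ReadOnly Entropy As Byte() = Encoding.UTF8.GetBytes("example-app-entropy")

    ' Encrypts under a key Windows derives for the current user account.
    Function ProtectString(plain As String) As String
        Dim data As Byte() = Encoding.UTF8.GetBytes(plain)
        Dim cipher As Byte() = ProtectedData.Protect(data, Entropy, DataProtectionScope.CurrentUser)
        Return Convert.ToBase64String(cipher)
    End Function

    ' Decrypts a value produced by ProtectString for the same Windows user.
    Function UnprotectString(stored As String) As String
        Dim cipher As Byte() = Convert.FromBase64String(stored)
        Dim data As Byte() = ProtectedData.Unprotect(cipher, Entropy, DataProtectionScope.CurrentUser)
        Return Encoding.UTF8.GetString(data)
    End Function

    Sub Main()
        ' Constructed sample connection string (documentation IP range, fake credentials).
        Dim original As String = "Data Source=192.0.2.10;Initial Catalog=ExampleDb;User ID=reader;Password=example-only"

        ' Run once on the target machine (for example at first start) and save the result
        ' in a user-scoped setting instead of shipping the plain text.
        Dim stored As String = ProtectString(original)
        Console.WriteLine("Stored form: " & stored.Substring(0, 24) & "...")

        Try
            Dim recovered As String = UnprotectString(stored)
            Console.WriteLine("Round trip OK: " & (recovered = original).ToString())
        Catch ex As CryptographicException
            ' Raised when the blob was protected under another user or machine, or was modified.
            Console.WriteLine("Cannot decrypt stored value: " & ex.Message)
        End Try
    End Sub
End Module
```

The protected value has to be created on the machine and under the account that will read it, so it cannot be embedded at build time. Any process running as that same Windows user can still call `Unprotect`, which is why the database account behind the string should keep only the read permission described in the question.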
LVL 14

Author Comment

by:huji
ID: 18006552
Well, I meant, should I use those basic methods, or should I use a different method which is not so well known? Does using known methods give a chance of reverse engineering them? (I know I'm doing an overkill, but I'm learning things.)
0
 
LVL 15

Expert Comment

by:JackOfPH
ID: 18017776
0
 
LVL 14

Author Comment

by:huji
ID: 18020728
OK. Now, is the idea of transferring a second username and password over the network a good idea, or not?
0
 
LVL 15

Assisted Solution

by:JackOfPH
JackOfPH earned 125 total points
ID: 18026156
It would be safe when you transfer the username and the password over the network if it is encrypted. But still there is a tendency that the transfer can be captured by other programs.
0
