Solved

security

Posted on 2006-11-23
Last Modified: 2010-04-23
There is a connection string stored in My.Settings but it only has read access to the SQL Server. It will be used just to validate the username and password entered by the operator to those stored in the DB. If validated, a new set of username and password is sent back to the user (but it is not encrypted, and I need to learn some encryption too.) Now a new connection string is created on the fly, using this new username and password. With this new connection string, the program has write access over the database.

I have that design in mind, since I don't want the username and password to be found by reverse engineering the executable. Is the above a good idea, or is it not?
Question by:huji
7 Comments

Expert Comment

by:Solar_Flare
ID: 18004962
So the username and password will be hardcoded into your application?

If so, why not just encrypt the connection string and put the encrypted version of the string into your application, then decrypt it at runtime before making the connection? This way decompiling your app will only reveal the encrypted string.

Author Comment

by:huji
ID: 18006145
The first username and password (which has READ permission) is hardcoded. From the second connection string, only the database IP and catalog name are hardcoded, the rest (new username and password) comes from the SQL Server at runtime.
Your idea of encrypting these strings and decrypting them at runtime is appropriate. What encryption method do you suggest?

Accepted Solution

by:
Solar_Flare earned 125 total points
ID: 18006152
You can use the System.Security.Cryptography classes.

This page http://www.codeproject.com/dotnet/SimpleEncryption.asp should help get you started with some encryption :)

Author Comment

by:huji
ID: 18006552
Well, I meant, should I use those basic methods, or should I use a different method which is not so well known? Does using known methods give a chance of reverse engineering them? (I know I'm doing an overkill, but I'm learning things.)

Expert Comment

by:JackOfPH
ID: 18017776

Author Comment

by:huji
ID: 18020728
OK. Now, is the idea of transferring a second username and password over the network a good idea, or not?

Assisted Solution

by:JackOfPH
JackOfPH earned 125 total points
ID: 18026156
It would be safe when you transfer the username and the password over the network if it is encrypted. But still there is a tendency that the transfer can be captured by other programs.
0
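An added example, not code from this thread or from the linked article: one way to apply the two suggestions above in VB.NET, storing the read-only connection string as a DPAPI blob (`ProtectedData` in System.Security.Cryptography, so no key sits in the executable) and building the second connection string at runtime with TLS required. The server, catalog, account names and passwords are constructed samples, the module and function names are hypothetical, and it assumes Windows with a reference to System.Security; DPAPI in `CurrentUser` scope stops a copied settings file or decompiled executable from yielding the string, but not code already running as that same user.

```vbnet
Imports System
Imports System.Data.SqlClient
Imports System.Security.Cryptography
Imports System.Text

Module ConnectionStringProtection   ' hypothetical name, added example
    ' Extra entropy for DPAPI. Not a secret; it only ties the blob to this purpose.
    Private ReadOnly Entropy As Byte() = Encoding.UTF8.GetBytes("example-app-connstr")

    ' Run once on the target machine (install time); store the result in My.Settings.
    Function ProtectString(plain As String) As String
        Dim blob As Byte() = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plain), Entropy, DataProtectionScope.CurrentUser)
        Return Convert.ToBase64String(blob)
    End Function

    ' Run at startup. Throws CryptographicException for another user or a tampered blob.
    Function UnprotectString(stored As String) As String
        Dim plain As Byte() = ProtectedData.Unprotect(
            Convert.FromBase64String(stored), Entropy, DataProtectionScope.CurrentUser)
        Return Encoding.UTF8.GetString(plain)
    End Function

    ' Second (write) connection string: server and catalog are fixed, the user name
    ' and password arrive at runtime. The builder quotes values, so a ';' or '='
    ' inside them cannot add or override other connection-string keys.
    Function BuildWriteConnection(server As String, catalog As String,
                                  user As String, password As String) As String
        Dim b As New SqlConnectionStringBuilder()
        b.DataSource = server
        b.InitialCatalog = catalog
        b.UserID = user
        b.Password = password
        b.Encrypt = True                  ' require TLS between client and SQL Server
        b.TrustServerCertificate = False  ' validate the server certificate
        b.PersistSecurityInfo = False     ' do not hand the password back after Open()
        Return b.ConnectionString
    End Function

    Sub Main()
        ' Constructed sample values, for illustration only.
        Dim readOnlyCs As String = "Data Source=db.example.test;Initial Catalog=AppDb;" &
                                   "User ID=app_reader;Password=constructed-sample"
        Dim stored As String = ProtectString(readOnlyCs)
        Console.WriteLine(UnprotectString(stored) = readOnlyCs)
        Console.WriteLine(BuildWriteConnection("db.example.test", "AppDb",
                                               "operator1", "p@ss;word=1"))
    End Sub
End Module
```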
