Secure connection strings in VB.NET

How can I define a connection string within a web.config file, and how can I encrypt it to keep it secure. The points will be awarded to the person that can provide step by step instructions on how to do this, so that I am able to use the connection string in my VB.NET website. I am learning so please keep this simple.

LVL 1
Benjamin297Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Christopher KileCommented:
There's two ways to approach this:  

enciphering the entire web config so that ASP.NET can read it, but nothing else can (in which case you need to cross-post this question to the ASP.NET group)

or you can generate an encrypted string, load it explicitly from an application setting in web.config, then decrypt it in your application.

You need to pass it to your connection routines (e.g. those encapsulated by SQLConnection) as plain text, and you need to store the encrypted version as plain text (that is, something printable and viewable as characters).  Therefore, you need a printable-text to printable-text cryptograph in order to do this.  All the encryption algorithms that are in libraries in .NET are binary-to-binary, and can yield the dreaded NUL (a character with value of zero) on some cypher calculations, with highly undesirable results.  Thus, there ARE no step-by-step instructions without giving you a text cypher in code.

None of the cyphers I've written professionally are available to you; sorry, my employers and former employers wouldn't like it, and their lawyers might make their displeasure felt in unseemly ways.  That said, you can rig a simple substitution cypher pretty easily:

Dim inChar() as Char = { "A", "B", ..., "Z", "a", "b", ... "z", "0", "1", ..., "9", ",", "'", ..., "_" }

Dim outChar() as Char = { <a different combination of the characters }

Function enCypher(Dim c As Char)
    For i As Integer = 0 To inChar.Length - 1
        If c = inChar(i) Then
            return outChar(i)
        End If
    Next
    return CType(0, Char)    'failed to find character
End Function

Function deCypher(Dim c As Char)
    For i As Integer = 0 To inChar.Length - 1
        If c = outChar(i) Then
            return inChar(i)
        End If
    Next
    return CType(0, Char)    'failed to find character
End Function

Function encypherString(Dim s as String)
    Dim inAry() as Char = s.ToCharArray()
    Dim outString as New StringBuilder("")

    For i As Integer = 0 To inAry.Length - 1
        Dim c As Char = enCypher(inChar(i))

        If c = CType(0, Char) Then
            Throw New System.Exception("Invalid Encryption")
        End If
        outString.Append(c)
    Next
   
    Return outString.ToString()

End Function


Function decypherString(Dim s as String)
    Dim inAry() as Char = s.ToCharArray()
    Dim outString as New StringBuilder("")

    For i As Integer = 0 To inAry.Length - 1
        Dim c As Char = deCypher(inChar(i))

        If c = CType(0, Char) Then
            Throw New System.Exception("Invalid Encryption")
        End If
        outString.Append()
    Next
   
    Return outString.ToString()

End Function

Now, you need to write a standalone program that encyphers your connection string and stores it in a text file or displays it somehow.  Copy the encrypted string into the appropriate place in your web.config.  In your Page_Load method, using this example (http://msdn2.microsoft.com/en-us/library/ms178411.aspx) as the basis for getting your connection string from web.config, these lines:

    connString = rootWebConfig.ConnectionStrings.ConnectionStrings("NorthwindConnectionString")
    If Not (Nothing = connString.ConnectionString) Then

should be replaced with this:

    connString = rootWebConfig.ConnectionStrings.ConnectionStrings("NorthwindConnectionString")
    If Not (Nothing = connString.ConnectionString) Then
        connString = decypherString(connString)

and your deciphered connections string should be displayed.
0
Benjamin297Author Commented:
Thats a great answer, but encrypting the entire file does seem like a good option? Im basically looking for the best practice, I dont particullarly want to include the ciphers in my code? Does VB.NET have any built in procedures to acheive this?

Thanks

Ben
0
DarrenSenior Software EngineerCommented:
Hi,

Yes there are various different encryption algorithms in .NET

Have a look at this namespace System.Security.Cryptography

It contains algorithms for DES , tripple-DES, AES and others which you can use.

this namespace contains all of the code necessary to perform the encryption and decryption you need. Just look it up in google and you'll get loads of articles

Hope this helps

Darren
0
Christopher KileCommented:
RE: Darren's reply

These are the binary-to-binary algorithms that I warned about.  They are unsuitable for encrypting a single text string in a text file.  As far as encrypting the entire file, I don't know the answer to that yet.  Have you crossposted that particular aspect of this question to the ASP.NET or Internet groups here yet?
0
Christopher KileCommented:
I defined the only two solutions I knew, provided code for a printables-to-printables mapping that could have been used to solve his problem, and gave a referral if that wasn't a desirable solution.  I think this rates a B or C, unless he solved the problem by some other means.  Hopefully, the querent will respond with feedback.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Visual Basic.NET

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.