Solved

Secure connection strings in VB.NET

Posted on 2007-03-22
Last Modified: 2008-02-01
How can I define a connection string within a web.config file, and how can I encrypt it to keep it secure? The points will be awarded to the person that can provide step-by-step instructions on how to do this, so that I am able to use the connection string in my VB.NET website. I am learning, so please keep this simple.

Question by:Benjamin297
Expert Comment

by:Christopher Kile
ID: 18775032
There are two ways to approach this:

enciphering the entire web config so that ASP.NET can read it, but nothing else can (in which case you need to cross-post this question to the ASP.NET group)

or you can generate an encrypted string, load it explicitly from an application setting in web.config, then decrypt it in your application.

You need to pass it to your connection routines (e.g. those encapsulated by SqlConnection) as plain text, and you need to store the encrypted version as plain text (that is, something printable and viewable as characters).  Therefore, you need a printable-text to printable-text cryptograph in order to do this.  All the encryption algorithms that are in libraries in .NET are binary-to-binary, and can yield the dreaded NUL (a character with value of zero) on some cypher calculations, with highly undesirable results.  Thus, there ARE no step-by-step instructions without giving you a text cypher in code.

None of the cyphers I've written professionally are available to you; sorry, my employers and former employers wouldn't like it, and their lawyers might make their displeasure felt in unseemly ways.  That said, you can rig a simple substitution cypher pretty easily:

' Requires "Imports System.Text" at the top of the file (for StringBuilder).

' Plain-text alphabet; the "..." elisions stand for the remaining characters.
Dim inChar() As Char = { "A", "B", ..., "Z", "a", "b", ... "z", "0", "1", ..., "9", ",", "'", ..., "_" }

' Cipher alphabet: the same characters in a different order.
Dim outChar() As Char = { <a different combination of the characters> }

' Maps one plain-text character to its cipher character.
Function enCypher(ByVal c As Char) As Char
    For i As Integer = 0 To inChar.Length - 1
        If c = inChar(i) Then
            Return outChar(i)
        End If
    Next
    Return ChrW(0)    'failed to find character
End Function

' Maps one cipher character back to its plain-text character.
Function deCypher(ByVal c As Char) As Char
    For i As Integer = 0 To inChar.Length - 1
        If c = outChar(i) Then
            Return inChar(i)
        End If
    Next
    Return ChrW(0)    'failed to find character
End Function

' Enciphers a whole string, one character at a time.
Function encypherString(ByVal s As String) As String
    Dim inAry() As Char = s.ToCharArray()
    Dim outString As New StringBuilder("")

    For i As Integer = 0 To inAry.Length - 1
        ' Look up the i-th character of the input string
        Dim c As Char = enCypher(inAry(i))

        If c = ChrW(0) Then
            Throw New System.Exception("Invalid Encryption")
        End If
        outString.Append(c)
    Next

    Return outString.ToString()

End Function


' Deciphers a whole string, one character at a time.
Function decypherString(ByVal s As String) As String
    Dim inAry() As Char = s.ToCharArray()
    Dim outString As New StringBuilder("")

    For i As Integer = 0 To inAry.Length - 1
        ' Look up the i-th character of the input string
        Dim c As Char = deCypher(inAry(i))

        If c = ChrW(0) Then
            Throw New System.Exception("Invalid Encryption")
        End If
        outString.Append(c)
    Next

    Return outString.ToString()

End Function

Now, you need to write a standalone program that encyphers your connection string and stores it in a text file or displays it somehow.  Copy the encrypted string into the appropriate place in your web.config.  In your Page_Load method, using this example (http://msdn2.microsoft.com/en-us/library/ms178411.aspx) as the basis for getting your connection string from web.config, these lines:

    connString = rootWebConfig.ConnectionStrings.ConnectionStrings("NorthwindConnectionString")
    If Not (Nothing = connString.ConnectionString) Then

should be replaced with this:

    connString = rootWebConfig.ConnectionStrings.ConnectionStrings("NorthwindConnectionString")
    If Not (Nothing = connString.ConnectionString) Then
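        ' decypherString takes and returns a String, so pass the ConnectionString property
        Dim plainConnString As String = decypherString(connString.ConnectionString)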

and your deciphered connection string should be displayed.
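The first approach listed in the answer above (encrypting the configuration so that only ASP.NET can read it), as an added example that is not part of the original thread: ASP.NET 2.0 protected configuration encrypts the connectionStrings section in place and decrypts it transparently on read. The module and function names are hypothetical; the provider name is one of the two registered by default in machine.config.

```vb
Imports System.Configuration
Imports System.Web.Configuration

' Added example (not from the thread): protects <connectionStrings> in web.config.
Public Module ConnectionStringProtection   ' hypothetical name

    ' DPAPI-backed provider: the encrypted section can only be read on the
    ' server that encrypted it. "RsaProtectedConfigurationProvider" is the
    ' other built-in provider, for when the key must be shared across servers.
    Private Const ProviderName As String = "DataProtectionConfigurationProvider"

    ' Encrypts the section on disk if it is still plain text.
    ' Returns True when web.config was changed.
    Public Function ProtectConnectionStrings(ByVal virtualPath As String) As Boolean
        Dim config As System.Configuration.Configuration = _
            WebConfigurationManager.OpenWebConfiguration(virtualPath)
        Dim section As ConfigurationSection = config.GetSection("connectionStrings")

        If section Is Nothing OrElse section.SectionInformation.IsProtected Then
            Return False
        End If

        section.SectionInformation.ProtectSection(ProviderName)
        section.SectionInformation.ForceSave = True
        config.Save(ConfigurationSaveMode.Modified)
        Return True
    End Function

    ' Reading needs no decryption code: ASP.NET decrypts the section itself.
    Public Function GetConnectionString(ByVal name As String) As String
        Dim settings As ConnectionStringSettings = _
            WebConfigurationManager.ConnectionStrings(name)
        If settings Is Nothing Then
            Throw New ConfigurationErrorsException( _
                "Connection string '" & name & "' not found.")
        End If
        Return settings.ConnectionString
    End Function

End Module
```

Call ProtectConnectionStrings("~") once from an account that can write web.config; after that, GetConnectionString("NorthwindConnectionString") returns the plain text with no cipher code in the site. The command-line equivalent is aspnet_regiis with the -pe option.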

Author Comment

by:Benjamin297
ID: 18775185
That's a great answer, but encrypting the entire file does seem like a good option? I'm basically looking for the best practice, I don't particularly want to include the ciphers in my code? Does VB.NET have any built in procedures to achieve this?

Thanks

Ben

Expert Comment

by:DarrenD
ID: 18778442
Hi,

Yes there are various different encryption algorithms in .NET

Have a look at this namespace System.Security.Cryptography

It contains algorithms for DES, triple-DES, AES and others which you can use.

This namespace contains all of the code necessary to perform the encryption and decryption you need. Just look it up in Google and you'll get loads of articles

Hope this helps

Darren
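The System.Security.Cryptography namespace mentioned above, combined with Base64 so that the binary ciphertext becomes printable text that can sit in web.config; this is an added example, not code from any poster. It uses DPAPI (ProtectedData, which needs a reference to System.Security.dll) so that no key lives in the source; the module name, entropy string and sample connection string are constructed.

```vb
Imports System
Imports System.Security.Cryptography
Imports System.Text

' Added example (not from the thread).
Public Module SettingProtector   ' hypothetical name

    ' Constructed, application-specific entropy; it is not a secret key.
    Private ReadOnly Entropy As Byte() = _
        Encoding.UTF8.GetBytes("ExampleSite.ConnString.v1")

    ' Encrypts with the machine's DPAPI key, then Base64-encodes the bytes
    ' so the stored value contains only printable characters (no NUL).
    ' LocalMachine scope: any process on this server can decrypt the value.
    Public Function ProtectToText(ByVal plainText As String) As String
        Dim plainBytes As Byte() = Encoding.UTF8.GetBytes(plainText)
        Dim cipherBytes As Byte() = ProtectedData.Protect( _
            plainBytes, Entropy, DataProtectionScope.LocalMachine)
        Return Convert.ToBase64String(cipherBytes)
    End Function

    ' Reverses ProtectToText. Throws CryptographicException if the value was
    ' altered or was produced on a different machine.
    Public Function UnprotectFromText(ByVal storedText As String) As String
        Dim cipherBytes As Byte()
        Try
            cipherBytes = Convert.FromBase64String(storedText)
        Catch ex As FormatException
            Throw New CryptographicException("Stored value is not valid Base64.")
        End Try
        Dim plainBytes As Byte() = ProtectedData.Unprotect( _
            cipherBytes, Entropy, DataProtectionScope.LocalMachine)
        Return Encoding.UTF8.GetString(plainBytes)
    End Function

    ' Run once on the web server, then paste the printed value into web.config.
    Sub Main()
        ' Constructed sample connection string.
        Dim sample As String = _
            "Data Source=.;Initial Catalog=Northwind;Integrated Security=True"
        Dim stored As String = ProtectToText(sample)
        Console.WriteLine(stored)
        Console.WriteLine(UnprotectFromText(stored) = sample)
    End Sub

End Module
```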

Expert Comment

by:Christopher Kile
ID: 18780085
RE: Darren's reply

These are the binary-to-binary algorithms that I warned about.  They are unsuitable for encrypting a single text string in a text file.  As far as encrypting the entire file, I don't know the answer to that yet.  Have you crossposted that particular aspect of this question to the ASP.NET or Internet groups here yet?

Accepted Solution

by:
Christopher Kile earned 500 total points
ID: 19071689
I defined the only two solutions I knew, provided code for a printables-to-printables mapping that could have been used to solve his problem, and gave a referral if that wasn't a desirable solution.  I think this rates a B or C, unless he solved the problem by some other means.  Hopefully, the querent will respond with feedback.