Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Secure connection strings in VB.NET

Posted on 2007-03-22
7
Medium Priority
?
314 Views
Last Modified: 2008-02-01
How can I define a connection string within a web.config file, and how can I encrypt it to keep it secure. The points will be awarded to the person that can provide step by step instructions on how to do this, so that I am able to use the connection string in my VB.NET website. I am learning so please keep this simple.

0
Comment
Question by:Benjamin297
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
7 Comments
 
LVL 23

Expert Comment

by:Christopher Kile
ID: 18775032
There's two ways to approach this:  

enciphering the entire web config so that ASP.NET can read it, but nothing else can (in which case you need to cross-post this question to the ASP.NET group)

or you can generate an encrypted string, load it explicitly from an application setting in web.config, then decrypt it in your application.

You need to pass it to your connection routines (e.g. those encapsulated by SQLConnection) as plain text, and you need to store the encrypted version as plain text (that is, something printable and viewable as characters).  Therefore, you need a printable-text to printable-text cryptograph in order to do this.  All the encryption algorithms that are in libraries in .NET are binary-to-binary, and can yield the dreaded NUL (a character with value of zero) on some cypher calculations, with highly undesirable results.  Thus, there ARE no step-by-step instructions without giving you a text cypher in code.

None of the cyphers I've written professionally are available to you; sorry, my employers and former employers wouldn't like it, and their lawyers might make their displeasure felt in unseemly ways.  That said, you can rig a simple substitution cypher pretty easily:

Dim inChar() as Char = { "A", "B", ..., "Z", "a", "b", ... "z", "0", "1", ..., "9", ",", "'", ..., "_" }

Dim outChar() as Char = { <a different combination of the characters }

Function enCypher(Dim c As Char)
    For i As Integer = 0 To inChar.Length - 1
        If c = inChar(i) Then
            return outChar(i)
        End If
    Next
    return CType(0, Char)    'failed to find character
End Function

Function deCypher(Dim c As Char)
    For i As Integer = 0 To inChar.Length - 1
        If c = outChar(i) Then
            return inChar(i)
        End If
    Next
    return CType(0, Char)    'failed to find character
End Function

Function encypherString(Dim s as String)
    Dim inAry() as Char = s.ToCharArray()
    Dim outString as New StringBuilder("")

    For i As Integer = 0 To inAry.Length - 1
        Dim c As Char = enCypher(inChar(i))

        If c = CType(0, Char) Then
            Throw New System.Exception("Invalid Encryption")
        End If
        outString.Append(c)
    Next
   
    Return outString.ToString()

End Function


Function decypherString(Dim s as String)
    Dim inAry() as Char = s.ToCharArray()
    Dim outString as New StringBuilder("")

    For i As Integer = 0 To inAry.Length - 1
        Dim c As Char = deCypher(inChar(i))

        If c = CType(0, Char) Then
            Throw New System.Exception("Invalid Encryption")
        End If
        outString.Append()
    Next
   
    Return outString.ToString()

End Function

Now, you need to write a standalone program that encyphers your connection string and stores it in a text file or displays it somehow.  Copy the encrypted string into the appropriate place in your web.config.  In your Page_Load method, using this example (http://msdn2.microsoft.com/en-us/library/ms178411.aspx) as the basis for getting your connection string from web.config, these lines:

    connString = rootWebConfig.ConnectionStrings.ConnectionStrings("NorthwindConnectionString")
    If Not (Nothing = connString.ConnectionString) Then

should be replaced with this:

    connString = rootWebConfig.ConnectionStrings.ConnectionStrings("NorthwindConnectionString")
    If Not (Nothing = connString.ConnectionString) Then
        connString = decypherString(connString)

and your deciphered connections string should be displayed.
0
 
LVL 1

Author Comment

by:Benjamin297
ID: 18775185
Thats a great answer, but encrypting the entire file does seem like a good option? Im basically looking for the best practice, I dont particullarly want to include the ciphers in my code? Does VB.NET have any built in procedures to acheive this?

Thanks

Ben
0
 
LVL 18

Expert Comment

by:DarrenD
ID: 18778442
Hi,

Yes there are various different encryption algorithms in .NET

Have a look at this namespace System.Security.Cryptography

It contains algorithms for DES , tripple-DES, AES and others which you can use.

this namespace contains all of the code necessary to perform the encryption and decryption you need. Just look it up in google and you'll get loads of articles

Hope this helps

Darren
0
 
LVL 23

Expert Comment

by:Christopher Kile
ID: 18780085
RE: Darren's reply

These are the binary-to-binary algorithms that I warned about.  They are unsuitable for encrypting a single text string in a text file.  As far as encrypting the entire file, I don't know the answer to that yet.  Have you crossposted that particular aspect of this question to the ASP.NET or Internet groups here yet?
0
 
LVL 23

Accepted Solution

by:
Christopher Kile earned 1500 total points
ID: 19071689
I defined the only two solutions I knew, provided code for a printables-to-printables mapping that could have been used to solve his problem, and gave a referral if that wasn't a desirable solution.  I think this rates a B or C, unless he solved the problem by some other means.  Hopefully, the querent will respond with feedback.
0

Featured Post

Enroll in October's Free Course of the Month

Do you work with and analyze data? Enroll in October's Course of the Month for 7+ hours of SQL training, allowing you to quickly and efficiently store or retrieve data. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For those of you who don't follow the news, or just happen to live under rocks, Microsoft Research released a beta SDK (http://www.microsoft.com/en-us/download/details.aspx?id=27876) for the Xbox 360 Kinect. If you don't know what a Kinect is (http:…
It was really hard time for me to get the understanding of Delegates in C#. I went through many websites and articles but I found them very clumsy. After going through those sites, I noted down the points in a easy way so here I am sharing that unde…
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question