• Status: Solved

Secure connection strings in VB.NET

How can I define a connection string within a web.config file, and how can I encrypt it to keep it secure? The points will be awarded to the person that can provide step-by-step instructions on how to do this, so that I am able to use the connection string in my VB.NET website. I am learning so please keep this simple.

Asked: Benjamin297
 
Christopher Kile Commented:
There are two ways to approach this:

enciphering the entire web config so that ASP.NET can read it, but nothing else can (in which case you need to cross-post this question to the ASP.NET group)

or you can generate an encrypted string, load it explicitly from an application setting in web.config, then decrypt it in your application.

You need to pass it to your connection routines (e.g. those encapsulated by SQLConnection) as plain text, and you need to store the encrypted version as plain text (that is, something printable and viewable as characters).  Therefore, you need a printable-text to printable-text cryptograph in order to do this.  All the encryption algorithms that are in libraries in .NET are binary-to-binary, and can yield the dreaded NUL (a character with value of zero) on some cypher calculations, with highly undesirable results.  Thus, there ARE no step-by-step instructions without giving you a text cypher in code.

None of the cyphers I've written professionally are available to you; sorry, my employers and former employers wouldn't like it, and their lawyers might make their displeasure felt in unseemly ways.  That said, you can rig a simple substitution cypher pretty easily:

Imports System.Text    ' StringBuilder

' Plain alphabet: every character that may appear in the connection string
Dim inChar() As Char = { "A", "B", ..., "Z", "a", "b", ... "z", "0", "1", ..., "9", ",", "'", ..., "_" }

' Cipher alphabet: the same characters in a different order
Dim outChar() As Char = { <a different combination of the characters> }

' Map one plain character to its cipher character
Function enCypher(ByVal c As Char) As Char
    For i As Integer = 0 To inChar.Length - 1
        If c = inChar(i) Then
            Return outChar(i)
        End If
    Next
    Return ChrW(0)    'failed to find character
End Function

' Map one cipher character back to its plain character
Function deCypher(ByVal c As Char) As Char
    For i As Integer = 0 To inChar.Length - 1
        If c = outChar(i) Then
            Return inChar(i)
        End If
    Next
    Return ChrW(0)    'failed to find character
End Function

' Encipher a whole string, one character at a time
Function encypherString(ByVal s As String) As String
    Dim inAry() As Char = s.ToCharArray()
    Dim outString As New StringBuilder("")

    For i As Integer = 0 To inAry.Length - 1
        Dim c As Char = enCypher(inAry(i))    'look up the input character, not the alphabet entry

        If c = ChrW(0) Then
            Throw New System.Exception("Invalid Encryption")
        End If
        outString.Append(c)
    Next

    Return outString.ToString()

End Function


' Decipher a whole string, one character at a time
Function decypherString(ByVal s As String) As String
    Dim inAry() As Char = s.ToCharArray()
    Dim outString As New StringBuilder("")

    For i As Integer = 0 To inAry.Length - 1
        Dim c As Char = deCypher(inAry(i))    'look up the input character, not the alphabet entry

        If c = ChrW(0) Then
            Throw New System.Exception("Invalid Encryption")
        End If
        outString.Append(c)
    Next

    Return outString.ToString()

End Function

Now, you need to write a standalone program that encyphers your connection string and stores it in a text file or displays it somehow.  Copy the encrypted string into the appropriate place in your web.config.  In your Page_Load method, using this example (http://msdn2.microsoft.com/en-us/library/ms178411.aspx) as the basis for getting your connection string from web.config, these lines:

    connString = rootWebConfig.ConnectionStrings.ConnectionStrings("NorthwindConnectionString")
    If Not (Nothing = connString.ConnectionString) Then

should be replaced with this:

    connString = rootWebConfig.ConnectionStrings.ConnectionStrings("NorthwindConnectionString")
    If Not (Nothing = connString.ConnectionString) Then
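        ' decipher the stored text in memory only; web.config itself is not rewritten
        connString.ConnectionString = decypherString(connString.ConnectionString)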

and your deciphered connection string should be displayed.
 
Benjamin297 (Author) Commented:
That's a great answer, but encrypting the entire file does seem like a good option? I'm basically looking for the best practice, I don't particularly want to include the ciphers in my code? Does VB.NET have any built-in procedures to achieve this?

Thanks

Ben
 
DarrenD Commented:
Hi,

Yes, there are various different encryption algorithms in .NET.

Have a look at this namespace: System.Security.Cryptography

It contains algorithms for DES, triple-DES, AES and others which you can use.

This namespace contains all of the code necessary to perform the encryption and decryption you need. Just look it up in Google and you'll get loads of articles.

Hope this helps

Darren
 
Christopher Kile Commented:
RE: Darren's reply

These are the binary-to-binary algorithms that I warned about.  They are unsuitable for encrypting a single text string in a text file.  As far as encrypting the entire file, I don't know the answer to that yet.  Have you crossposted that particular aspect of this question to the ASP.NET or Internet groups here yet?
 
Christopher Kile Commented:
I defined the only two solutions I knew, provided code for a printables-to-printables mapping that could have been used to solve his problem, and gave a referral if that wasn't a desirable solution.  I think this rates a B or C, unless he solved the problem by some other means.  Hopefully, the querent will respond with feedback.
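
The first approach raised in the thread, letting ASP.NET encrypt the configuration so that only ASP.NET can read it, is available through the framework's protected configuration feature. The VB.NET below is an added example, not code from any poster in this thread; the module and function names are hypothetical, and the web.config entry in the comment is a constructed sample using the "NorthwindConnectionString" name from above.

```vbnet
Imports System.Configuration
Imports System.Web
Imports System.Web.Configuration

' Assumed web.config entry (constructed sample), stored as plain text before protection:
'   <connectionStrings>
'     <add name="NorthwindConnectionString"
'          connectionString="Data Source=localhost;Initial Catalog=Northwind;Integrated Security=True"
'          providerName="System.Data.SqlClient" />
'   </connectionStrings>
Public Module ConnectionStringProtection

    ' Encrypts the <connectionStrings> section of the site's web.config in place.
    ' Run once per server; the calling identity needs write access to web.config.
    ' Returns True if this call encrypted the section, False if it was already encrypted.
    Public Function ProtectConnectionStrings() As Boolean
        Dim config As System.Configuration.Configuration =
            WebConfigurationManager.OpenWebConfiguration(HttpRuntime.AppDomainAppVirtualPath)
        Dim section As ConfigurationSection = config.GetSection("connectionStrings")

        If section Is Nothing Then
            Throw New ConfigurationErrorsException("web.config has no <connectionStrings> section.")
        End If
        If section.SectionInformation.IsProtected Then
            Return False
        End If

        ' DataProtectionConfigurationProvider uses Windows DPAPI with a machine-specific key,
        ' so a copied web.config does not decrypt on another machine. For a web farm,
        ' RsaProtectedConfigurationProvider with a shared key container is the alternative.
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")
        section.SectionInformation.ForceSave = True
        config.Save(ConfigurationSaveMode.Modified)
        Return True
    End Function

    ' Reading needs no decryption code: ASP.NET decrypts the section transparently.
    Public Function GetConnectionString(ByVal name As String) As String
        Dim settings As ConnectionStringSettings = WebConfigurationManager.ConnectionStrings(name)
        If settings Is Nothing OrElse String.IsNullOrEmpty(settings.ConnectionString) Then
            Throw New ConfigurationErrorsException("Connection string '" & name & "' is missing.")
        End If
        Return settings.ConnectionString
    End Function

End Module
```

The same section can be encrypted without code by running aspnet_regiis with the -pe option on the server. Anyone who can run code as the application's identity on that server can still read the decrypted value, so file and account permissions remain part of the protection.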