Solved

Secure connection strings in VB.NET

Posted on 2007-03-22
7
287 Views
Last Modified: 2008-02-01
How can I define a connection string within a web.config file, and how can I encrypt it to keep it secure. The points will be awarded to the person that can provide step by step instructions on how to do this, so that I am able to use the connection string in my VB.NET website. I am learning so please keep this simple.

0
Comment
Question by:Benjamin297
  • 3
7 Comments
 
LVL 23

Expert Comment

by:Christopher Kile
Comment Utility
There's two ways to approach this:  

enciphering the entire web config so that ASP.NET can read it, but nothing else can (in which case you need to cross-post this question to the ASP.NET group)

or you can generate an encrypted string, load it explicitly from an application setting in web.config, then decrypt it in your application.

You need to pass it to your connection routines (e.g. those encapsulated by SQLConnection) as plain text, and you need to store the encrypted version as plain text (that is, something printable and viewable as characters).  Therefore, you need a printable-text to printable-text cryptograph in order to do this.  All the encryption algorithms that are in libraries in .NET are binary-to-binary, and can yield the dreaded NUL (a character with value of zero) on some cypher calculations, with highly undesirable results.  Thus, there ARE no step-by-step instructions without giving you a text cypher in code.

None of the cyphers I've written professionally are available to you; sorry, my employers and former employers wouldn't like it, and their lawyers might make their displeasure felt in unseemly ways.  That said, you can rig a simple substitution cypher pretty easily:

Dim inChar() as Char = { "A", "B", ..., "Z", "a", "b", ... "z", "0", "1", ..., "9", ",", "'", ..., "_" }

Dim outChar() as Char = { <a different combination of the characters }

Function enCypher(Dim c As Char)
    For i As Integer = 0 To inChar.Length - 1
        If c = inChar(i) Then
            return outChar(i)
        End If
    Next
    return CType(0, Char)    'failed to find character
End Function

Function deCypher(Dim c As Char)
    For i As Integer = 0 To inChar.Length - 1
        If c = outChar(i) Then
            return inChar(i)
        End If
    Next
    return CType(0, Char)    'failed to find character
End Function

Function encypherString(Dim s as String)
    Dim inAry() as Char = s.ToCharArray()
    Dim outString as New StringBuilder("")

    For i As Integer = 0 To inAry.Length - 1
        Dim c As Char = enCypher(inChar(i))

        If c = CType(0, Char) Then
            Throw New System.Exception("Invalid Encryption")
        End If
        outString.Append(c)
    Next
   
    Return outString.ToString()

End Function


Function decypherString(Dim s as String)
    Dim inAry() as Char = s.ToCharArray()
    Dim outString as New StringBuilder("")

    For i As Integer = 0 To inAry.Length - 1
        Dim c As Char = deCypher(inChar(i))

        If c = CType(0, Char) Then
            Throw New System.Exception("Invalid Encryption")
        End If
        outString.Append()
    Next
   
    Return outString.ToString()

End Function

Now, you need to write a standalone program that encyphers your connection string and stores it in a text file or displays it somehow.  Copy the encrypted string into the appropriate place in your web.config.  In your Page_Load method, using this example (http://msdn2.microsoft.com/en-us/library/ms178411.aspx) as the basis for getting your connection string from web.config, these lines:

    connString = rootWebConfig.ConnectionStrings.ConnectionStrings("NorthwindConnectionString")
    If Not (Nothing = connString.ConnectionString) Then

should be replaced with this:

    connString = rootWebConfig.ConnectionStrings.ConnectionStrings("NorthwindConnectionString")
    If Not (Nothing = connString.ConnectionString) Then
        connString = decypherString(connString)

and your deciphered connections string should be displayed.
0
 
LVL 1

Author Comment

by:Benjamin297
Comment Utility
Thats a great answer, but encrypting the entire file does seem like a good option? Im basically looking for the best practice, I dont particullarly want to include the ciphers in my code? Does VB.NET have any built in procedures to acheive this?

Thanks

Ben
0
 
LVL 18

Expert Comment

by:DarrenD
Comment Utility
Hi,

Yes there are various different encryption algorithms in .NET

Have a look at this namespace System.Security.Cryptography

It contains algorithms for DES , tripple-DES, AES and others which you can use.

this namespace contains all of the code necessary to perform the encryption and decryption you need. Just look it up in google and you'll get loads of articles

Hope this helps

Darren
0
 
LVL 23

Expert Comment

by:Christopher Kile
Comment Utility
RE: Darren's reply

These are the binary-to-binary algorithms that I warned about.  They are unsuitable for encrypting a single text string in a text file.  As far as encrypting the entire file, I don't know the answer to that yet.  Have you crossposted that particular aspect of this question to the ASP.NET or Internet groups here yet?
0
 
LVL 23

Accepted Solution

by:
Christopher Kile earned 500 total points
Comment Utility
I defined the only two solutions I knew, provided code for a printables-to-printables mapping that could have been used to solve his problem, and gave a referral if that wasn't a desirable solution.  I think this rates a B or C, unless he solved the problem by some other means.  Hopefully, the querent will respond with feedback.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Parsing a CSV file is a task that we are confronted with regularly, and although there are a vast number of means to do this, as a newbie, the field can be confusing and the tools can seem complex. A simple solution to parsing a customized CSV fi…
Real-time is more about the business, not the technology. In day-to-day life, to make real-time decisions like buying or investing, business needs the latest information(e.g. Gold Rate/Stock Rate). Unlike traditional days, you need not wait for a fe…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now