• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 534
  • Last Modified:

secure mysql data from vb.net app

Hi all ehre is my question:

I have a litle app to connect to a remote mysql database wich will be used by some clients, but the data server address, database name, user and pass is inside my app I want to know of someone wuould be able to dissamble my app and get that information to connect or get all the database (and edit it); how safe is thhis? and if theres is a way to block the comand to list all the tables inside the database, so if somebody even when he gets the server addres and user.. he would not be able to list the users. any ideas?
0
carloselfaite
Asked:
carloselfaite
1 Solution
 
Olaf DoschkeSoftware DeveloperCommented:
You described the core of the problem. Any .NET code is easier to decompile than C/C++ code. But in that case to get at a connection string you wouldn't even need to decompile an EXE or DLL, just looking at it with a hex editor will reveal internal string literals, also connection strings.

So you will want to encrypt the connection string. When you have the connection string encrypted with a key, you'd store the key inside a keystore, protected with a passphrase, the passphrase stored... you see where this is going? At the end of this chain, there's some relatively small piece of information that if you obtain it - you can pretty much break the whole chain.

In the end you can only be safe by keeping some secret outside of the executable, eg let users enter a password/key/passphrase, which decrypts the connection string.

That way you somewhat need to trust users not reveal this password, but you also don't give them the info needed to go into the database directly.

Besides that solution trusting users, the end of the key chain may be a hardware security module (HSM) or a dongle. Even that way you trust at least one admin adding the dongle to some server.

All other things depend on security by obfuscation.

An MS SQL Server database offers connections via the windows account authentication. That moves the problem to the security of each users windows account and you can grant or withdraw permission to windows accounts or windows user groups. So you could have a minimum local MSSQL database containing the MySQL connection string or a key for it's decryption and get it from there with a connection string you can leave in your executable unencrypted. The chain of credentials then ends at each users windows account password.

Bye, Olaf.
0
 
carloselfaiteAuthor Commented:
thanks I have done encrypting the conection string with 3des !
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now