Solved

secure mysql data from vb.net app

Posted on 2014-10-07
2
443 Views
Last Modified: 2014-10-08
Hi all ehre is my question:

I have a litle app to connect to a remote mysql database wich will be used by some clients, but the data server address, database name, user and pass is inside my app I want to know of someone wuould be able to dissamble my app and get that information to connect or get all the database (and edit it); how safe is thhis? and if theres is a way to block the comand to list all the tables inside the database, so if somebody even when he gets the server addres and user.. he would not be able to list the users. any ideas?
0
Comment
Question by:carloselfaite
2 Comments
 
LVL 29

Accepted Solution

by:
Olaf Doschke earned 500 total points
ID: 40367684
You described the core of the problem. Any .NET code is easier to decompile than C/C++ code. But in that case to get at a connection string you wouldn't even need to decompile an EXE or DLL, just looking at it with a hex editor will reveal internal string literals, also connection strings.

So you will want to encrypt the connection string. When you have the connection string encrypted with a key, you'd store the key inside a keystore, protected with a passphrase, the passphrase stored... you see where this is going? At the end of this chain, there's some relatively small piece of information that if you obtain it - you can pretty much break the whole chain.

In the end you can only be safe by keeping some secret outside of the executable, eg let users enter a password/key/passphrase, which decrypts the connection string.

That way you somewhat need to trust users not reveal this password, but you also don't give them the info needed to go into the database directly.

Besides that solution trusting users, the end of the key chain may be a hardware security module (HSM) or a dongle. Even that way you trust at least one admin adding the dongle to some server.

All other things depend on security by obfuscation.

An MS SQL Server database offers connections via the windows account authentication. That moves the problem to the security of each users windows account and you can grant or withdraw permission to windows accounts or windows user groups. So you could have a minimum local MSSQL database containing the MySQL connection string or a key for it's decryption and get it from there with a connection string you can leave in your executable unencrypted. The chain of credentials then ends at each users windows account password.

Bye, Olaf.
0
 
LVL 4

Author Comment

by:carloselfaite
ID: 40369240
thanks I have done encrypting the conection string with 3des !
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have been using r1soft Continuous Data Protection (http://www.r1soft.com/linux-cdp/) for many years now with the mySQL Addon and wanted to share a trick I have used several times. For those of us that don't have the luxury of using all transact…
Does the idea of dealing with bits scare or confuse you? Does it seem like a waste of time in an age where we all have terabytes of storage? If so, you're missing out on one of the core tools in every professional programmer's toolbox. Learn how to …
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.
Delivering innovative fully-managed cloud services for mission-critical applications requires expertise in multiple areas plus vision and commitment. Meet a few of the people behind the quality services of Concerto.

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now