Solved

.NET Best Practice for SQLclient Connection String - Persist Security Info

Posted on 2014-10-27
4
342 Views
Last Modified: 2014-10-28
When creating an application what is the best method to use for storing a SQL connection string within a .NET application where the password is not listed in the config file?

I have set [Persist Security Info] = 'False', however I have not found an information/examples where the password can be provided back to the .NET application to establish the connect to the Database.  Any ideas?
0
Comment
Question by:Cmitch
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 34

Expert Comment

by:sarabande
ID: 40407834
you would store the encrypted password in the connection string or separately (for example in the registry or in your program i availablef it never changes). generally you could use any strong decryption.

alternatively you could use a own encryption phrase which is as long as the password (minimum should be 16 characters for each). the phrase should not occur directly as a string in your code. you would x'or both the password and the phrase characters and then use a reversable transformation for the resulting characters which would move them to printable ascii (code 33 to 126) by using 2 input characters for 3 output characters (see the sample for such a transformation). the result string than can be safely stored.

is it possible to crack the code? yes, if someone get knowledge of the phrase and the transformation algorithm or if the connection string was watched in a debugger after decryption. otherwise it is impossible as you have an individual character for each password character what is the strongest you can do for a reversable encryption.

example:

password: ABCD  (65 66 67 68)
phrase:  z!0K (122 33 48 75)
xor:  (65^122) (66^33) (67^48) (68^75) = 59 99 115 15
octal:  073 143 163 017 
2 to 3: (07 31 43) (16 30 17)
+32:  (39 63 65 48 62 49)
Result: '?B0>1

Open in new window


the reverse operations are simple.

Sara
0
 

Author Comment

by:Cmitch
ID: 40407929
Thanks Sara,

Can advise how the connection string can be updated with the decrypted password to establish the connection to the Database?  

Currently the Connection String is stored within the application settings as a 'Connection String' however this is read-only and can not be modified.  Can you please advise how I can update this or replace the connecting string.
0
 
LVL 34

Accepted Solution

by:
ste5an earned 500 total points
ID: 40407941
The only approach which makes some sense is to use ProtectedConfigurationProvider.
0
 
LVL 34

Expert Comment

by:sarabande
ID: 40408076
using c++ you would store the connection string with a placeholder for the password like "...PWD=<password>". then after decryption you replace the placeholder by the real password.

Sara
0

Featured Post

Create CentOS 7 Newton Packstack Running Keystone

A bug was filed against RDO for the installation of Keystone v3. This guide is designed to walk you through the configuration for using Keystone v3 with Packstack. You will accomplish this using various repos and the Answers file.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

More often than not, we developers are confronted with a need: a need to make some kind of magic happen via code. Whether it is for a client, for the boss, or for our own personal projects, the need must be satisfied. Most of the time, the Framework…
Real-time is more about the business, not the technology. In day-to-day life, to make real-time decisions like buying or investing, business needs the latest information(e.g. Gold Rate/Stock Rate). Unlike traditional days, you need not wait for a fe…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question