Solved

.NET Best Practice for SQLclient Connection String - Persist Security Info

Posted on 2014-10-27
Last Modified: 2014-10-28
When creating an application what is the best method to use for storing a SQL connection string within a .NET application where the password is not listed in the config file?

I have set [Persist Security Info] = 'False'; however, I have not found any information/examples where the password can be provided back to the .NET application to establish the connection to the database. Any ideas?
Question by:Cmitch
Expert Comment

by:sarabande
ID: 40407834
you would store the encrypted password in the connection string or separately (for example in the registry or in your program if it never changes). generally you could use any strong decryption.

alternatively you could use your own encryption phrase which is as long as the password (minimum should be 16 characters for each). the phrase should not occur directly as a string in your code. you would xor both the password and the phrase characters and then use a reversible transformation for the resulting characters which would move them to printable ascii (code 33 to 126) by using 2 input characters for 3 output characters (see the sample for such a transformation). the result string then can be safely stored.

is it possible to crack the code? yes, if someone gets knowledge of the phrase and the transformation algorithm or if the connection string was watched in a debugger after decryption. otherwise it is impossible as you have an individual character for each password character, which is the strongest you can do for a reversible encryption.

example:

password: ABCD  (65 66 67 68)
phrase:  z!0K (122 33 48 75)
xor:  (65^122) (66^33) (67^48) (68^75) = 59 99 115 15
octal:  073 143 163 017 
2 to 3: (07 31 43) (16 30 17)
+32:  (39 63 65 48 62 49)
Result: '?B0>1


the reverse operations are simple.

Sara

Author Comment

by:Cmitch
ID: 40407929
Thanks Sara,

Can you advise how the connection string can be updated with the decrypted password to establish the connection to the database?

Currently the connection string is stored within the application settings as a 'Connection String'; however, this is read-only and cannot be modified. Can you please advise how I can update this or replace the connection string?

Accepted Solution

by:
ste5an earned 500 total points
ID: 40407941
The only approach which makes some sense is to use ProtectedConfigurationProvider.
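
The approach named in the accepted solution, as an added example that is not part of the original thread: it encrypts the `<connectionStrings>` section of the application's own config file with the built-in `DataProtectionConfigurationProvider`, then reads the entry back and opens the connection. The class name and the entry name `AppDb` are assumptions made for illustration.

```csharp
using System;
using System.Configuration;      // requires a reference to System.Configuration.dll
using System.Data.SqlClient;

static class ProtectedConnectionString
{
    // Hypothetical entry name; use the name from your own <connectionStrings> section.
    const string Name = "AppDb";

    // Encrypts <connectionStrings> in the application's .exe.config in place.
    // DataProtectionConfigurationProvider uses Windows DPAPI, so by default the
    // protected section can only be decrypted on the machine that encrypted it.
    static void EnsureProtected()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConnectionStringsSection section = config.ConnectionStrings;

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
            ConfigurationManager.RefreshSection("connectionStrings");
        }
    }

    static SqlConnection Open()
    {
        // ConfigurationManager decrypts a protected section transparently on read.
        ConnectionStringSettings entry = ConfigurationManager.ConnectionStrings[Name];
        if (entry == null)
            throw new ConfigurationErrorsException("Missing connection string: " + Name);

        var builder = new SqlConnectionStringBuilder(entry.ConnectionString)
        {
            // The password is stripped from SqlConnection.ConnectionString once opened.
            PersistSecurityInfo = false
        };
        var connection = new SqlConnection(builder.ConnectionString);
        connection.Open();
        return connection;
    }

    static void Main()
    {
        EnsureProtected();
        using (SqlConnection connection = Open())
            Console.WriteLine("Connected, server version " + connection.ServerVersion);
    }
}
```

Saving the config file requires write access to the application directory, so the protect step usually belongs in an installer or an elevated first run on the target machine. Connection strings created through the application settings designer are stored in the same `<connectionStrings>` section, so the read-only setting keeps working after the section is protected.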
Expert Comment

by:sarabande
ID: 40408076
using c++ you would store the connection string with a placeholder for the password like "...PWD=<password>". then after decryption you replace the placeholder by the real password.

Sara