.NET Best Practice for SQLclient Connection String - Persist Security Info

Posted on 2014-10-27
Last Modified: 2014-10-28
When creating an application what is the best method to use for storing a SQL connection string within a .NET application where the password is not listed in the config file?

I have set [Persist Security Info] = 'False', however I have not found any information/examples where the password can be provided back to the .NET application to establish the connection to the Database.  Any ideas?
Question by:Cmitch
4 Comments

Expert Comment

by:sarabande
ID: 40407834
you would store the encrypted password in the connection string or separately (for example in the registry or in your program if it never changes). generally you could use any strong decryption.

alternatively you could use your own encryption phrase which is as long as the password (minimum should be 16 characters for each). the phrase should not occur directly as a string in your code. you would XOR both the password and the phrase characters and then use a reversible transformation for the resulting characters which would move them to printable ascii (code 33 to 126) by using 2 input characters for 3 output characters (see the sample for such a transformation). the result string then can be safely stored.

is it possible to crack the code? yes, if someone gets knowledge of the phrase and the transformation algorithm or if the connection string was watched in a debugger after decryption. otherwise it is impossible as you have an individual character for each password character, which is the strongest you can do for a reversible encryption.

example:

password: ABCD  (65 66 67 68)
phrase:  z!0K (122 33 48 75)
xor:  (65^122) (66^33) (67^48) (68^75) = 59 99 115 15
octal:  073 143 163 017 
2 to 3: (07 31 43) (16 30 17)
+32:  (39 63 65 48 62 49)
Result: '?B0>1

the reverse operations are simple.

Sara
Author Comment

by:Cmitch
ID: 40407929
Thanks Sara,

Can you advise how the connection string can be updated with the decrypted password to establish the connection to the Database?

Currently the Connection String is stored within the application settings as a 'Connection String', however this is read-only and cannot be modified.  Can you please advise how I can update this or replace the connection string?

Accepted Solution

by:
ste5an earned 2000 total points
ID: 40407941
The only approach which makes some sense is to use ProtectedConfigurationProvider.
Expert Comment

by:sarabande
ID: 40408076
using c++ you would store the connection string with a placeholder for the password like "...PWD=<password>". then after decryption you replace the placeholder by the real password.

Sara
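
The accepted answer's approach, combined with the runtime password substitution asked about above, as an added example that is not code from any poster in this thread. It assumes a .NET Framework desktop application with a reference to System.Configuration; the connection string name "AppDb" and the class and method names are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;

static class ConnectionStringProtection
{
    const string Name = "AppDb"; // hypothetical entry in <connectionStrings>

    // Encrypts the <connectionStrings> section of the application's .config
    // file in place. Run once on the target machine: the DPAPI provider's
    // default ties the ciphertext to the machine that encrypted it.
    public static void ProtectConnectionStrings()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsProtected)
            return; // nothing to do, or already encrypted
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Reads the stored string (decrypted transparently when the section is
    // protected) and, if a password is supplied separately, injects it.
    // The settings entry is read-only, so a new string is built instead.
    public static SqlConnection Open(string password = null)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[Name];
        if (settings == null)
            throw new ConfigurationErrorsException("Missing connection string: " + Name);

        var builder = new SqlConnectionStringBuilder(settings.ConnectionString)
        {
            // After Open(), connection.ConnectionString no longer exposes the password.
            PersistSecurityInfo = false
        };
        if (password != null)
            builder.Password = password;

        var connection = new SqlConnection(builder.ConnectionString);
        try { connection.Open(); return connection; }
        catch { connection.Dispose(); throw; }
    }
}
```

The calling code is unchanged whether or not the section is protected, because ConfigurationManager decrypts it on read.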