How to encrypt the hard coded password while connecting to MSDE?


Gabor

Hi,

I have an app. that uses an MSDE database. I hardcoded the login and
password in the application, but it is very simple to see with an ILDASM.exe
tool.

Is there any procedure to obscure the hard coded connection string, or how can
I connect to the database with an encrypted password?

Thanks in advance

Gabor
 
Using these methods won't protect the transmission of the password though. I
recommend that your machine or the machines which use the database "Off
Machine" have encrypted transmission between client and host if you are
worried about security.

OHM#

Jan said:
There are a few possibilities:

1) Use an Obfuscator, if you have Visual Studio.NET 2003 one is
integrated.

2) Store the password/connectionstring in an encrypted way in an
App.Config file. This can be done by using the Configuration
Management Application Block from Microsoft
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/cmab.asp

Regards - OHM# (e-mail address removed)
 
Thank You for the quick answer.

I'm using VS 2002, and can't migrate to 2003 at the end of the
development process, so I decided to store the password securely, but if I
write the encryptor/decryptor functions, how do I securely store the needed
key?

In all the examples in the knowledge base articles, the key is hardcoded, and
therefore the problem remains the same: with the ILDASM tool, the hacker can
see it. Does anybody know a good obfuscator for VS 2002?

Thanks in advance

Gabor
 
Hi Gabor,

You may check the link below for Obfuscators for .NET.
http://www.cetus-links.org/oo_dotnet.html
Decompilers & Obfuscators

But why do you not want to use Windows Authentication in SQL Server?
This would be a better and more secure solution.

Regards,
Peter Huang
Microsoft Online Partner Support
Get Secure! www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
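
The points raised in the thread so far (a SQL login password embedded in the connection string, Windows Authentication as the alternative, and encrypted transmission between client and host) can be checked mechanically. This is an added example, not code from any poster; it assumes .NET Framework 2.0 or later for `SqlConnectionStringBuilder`, and the module name, function name and sample connection strings are constructed for illustration.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Data.SqlClient

Module ConnectionStringAudit   ' hypothetical name, not from the thread

    ' Returns the findings for one SQL Server / MSDE connection string.
    Function Audit(ByVal connectionString As String) As List(Of String)
        Dim findings As New List(Of String)
        ' Throws ArgumentException if the string contains an unknown keyword.
        Dim b As New SqlConnectionStringBuilder(connectionString)

        If b.IntegratedSecurity Then
            ' Windows Authentication: the process identity is used, so no
            ' login or password has to live in the assembly or config file.
            If b.Password.Length > 0 Then
                findings.Add("Password is ignored with Integrated Security; remove it")
            End If
        ElseIf b.Password.Length > 0 Then
            ' A literal like this is readable in the compiled assembly.
            findings.Add("SQL login password is embedded in the connection string")
        End If

        ' Encrypt=True requests an encrypted channel to the server.
        If Not b.Encrypt Then
            findings.Add("Encrypt is not set; the client does not request an encrypted channel")
        End If
        Return findings
    End Function

    Sub Main()
        ' Constructed sample values, not taken from the thread.
        Dim samples() As String = { _
            "Data Source=(local);Initial Catalog=AppDb;User ID=appuser;Password=Example-Only-1", _
            "Data Source=(local);Initial Catalog=AppDb;Integrated Security=SSPI;Encrypt=True"}

        For i As Integer = 0 To samples.Length - 1
            Dim findings As List(Of String) = Audit(samples(i))
            ' Print the sample index rather than the string, so no secret is echoed.
            Console.WriteLine("Sample " & (i + 1).ToString() & ": " & _
                              findings.Count.ToString() & " finding(s)")
            For Each f As String In findings
                Console.WriteLine("  - " & f)
            Next
        Next
    End Sub

End Module
```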
 
Hi Peter,

Thank you for the answer.

Our program will be used on the Win 98/ Me and the 2000+ platforms, so we
can't use the Windows authentication.

Thanks

Gabor

----- Original Message -----
From: "Peter Huang" <[email protected]>
Newsgroups: microsoft.public.dotnet.languages.vb
Sent: Thursday, December 11, 2003 9:17 AM
Subject: Re: How to encrypt the hard coded password while connecting to
MSDE?
 
Hi Gabor,

Did my last suggestion of the Obfuscators work for you?
If you have any concern, please post here.

Regards,
Peter Huang
Microsoft Online Partner Support
 
Peter,

The obfuscators are a great idea, but the ones on the market differ greatly
in their capabilities.

Only the most expensive ones include control flow obfuscation and string
encryption (which is elementary if I hard code the password).

The Dotfuscator that is part of VS2003 provides these capabilities only
in the paid versions :((

Moreover, I'm still using VS2002, because the development was begun with
this version, and migrating at the end of the development process would be
very hazardous.

Thank You for the reply

Gabor
 
Hi Gabor,

If you do not use the obfuscators, then your code will be ildasmed by some
tool. In this case, even if you use the procedure to encrypt the
connection string, where do you store the secret key?

So I think the ultimate goal to secure your application is to use the
obfuscators to prevent others from accessing your code directly (using an
ildasm-like tool).

If you have any concern on this issue, please post here.

Regards,
Peter Huang
Microsoft Online Partner Support
 