Build secure connection strings

[PillKilla]

Hi guys,

I need a bit of advice. I would like to store secure connection strings somewhere safe in vb.net. How can I build the secure connection strings in what situation and what would be the best??

As I have done the little research and found that the secure connection strings would be encrypted the strings and input the strings in app.config, so I would have to make a change in the app.config

To change from this unprotected app.config:

Code:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <configSections>
    </configSections>
  <appSettings>
    <add key="connectionString" value=""/>
  </appSettings>
</configuration>

to this protected app.config:

Code:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <configSections>
    </configSections>
  <appSettings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
  xmlns="http://www.w3.org/2001/04/xmlenc#">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyName>Rsa Key</KeyName>
    </KeyInfo>
    <CipherData>
    <CipherValue>s82glHiIPyN0h5AtPhsifNJ/8zwG8oEcukgY/RJS4nCeyrkJzgOOxU9aN1gOYpS8E3bHXMSqqbK8Rb9yc5kp/ddVRfguYGBKLA+EBTT+KYsGmiDZb2lB6Pvs66tK18fgs9Gi9i8Lor30I5PzbMLazf5VztehppJ5IkUWAPsIvjg=</CipherValue>
    </CipherData>
  </EncryptedKey>
  </KeyInfo>
  <CipherData>
  <CipherValue>ZnyRkuxCQq3T1yUvpDZ3qOIzEtX1dqoCbv1jHbyTy6V+Ovs8rIfwkN5AWBKWo4WsMBm+GhEfVhqNa4yNoe8ZeRw8zRAVOzymXfiGo1e66VMdJO1Jo6o5/A==</CipherValue>
  </CipherData>
    </EncryptedData>
  </appSettings>
</configuration>

If I wish to get the value, I would have to use those method:

Code:

// Open the app.config file.
Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
// Display the current connection string.
CurrentConnStringTextBox.Text = config.AppSettings.Settings["connectionString"].Value.Trim().ToString();

The code have been built to a guy who known as Nick J. Fessel. I am not too sure if it very secure to use it so. Do anyone know that if the connection strings is secure or not?

If not then, please post the info for the secure connection strings without being found out or make it impossible to get crack will be much appreciate for the info.

Thanks alot!

[jmcilhinney]

Follow the CodeBank link in my signature and check out my Protected Configuration thread.

[PillKilla]

Well, why can't you give me an answer whether if I should store the strings in app.config and if they are safe while I uses protected configuration??

[gep13]

Hey,

Did you even bother to read the thread the John suggested?

http://www.vbforums.com/showthread.php?t=532768

It has lots of details about securing items within your config file.

Bottom line, anything you store within that file is free game to anyone who has access to the file system that your application is running on. So, given enough time, and enough knowledge, it is likely that they might be able to "crack" it. What exactly are you considered about? Is it a username and password that you are embedding into the connection string? If so, why not prompt the user for these credentials when they use your application?

Gary

[PillKilla]

Yes, I have read it but my question is that I wonder if protected configuration would keep the strings in the main app secure?

As I am doing this as I want to protected the strings of username and password for mysql without being crackable. That's main reason I need to know before I do anything, otherwise the information in mysql would be destroy.

Hope you will understand why I have required this vital question.

Thanks alot.

[jmcilhinney]

The data is encrypted. It's as secure as any encrypted data.

If so, why not prompt the user for these credentials when they use your application?

It's a database connection string. Your average user shouldn't know the database credentials. They should be able to interact with the database through the app but they shouldn't be able to just fire up Management Studio and log in.

[gep13]

That is a good point

Gary