RE: Better security



Why is the connection string a secret??? This shouldn't be the case... it is very easy to find SQL Servers on my network - in the simplest case, scan every IP address for an open TCP/1433...


-----
Dominick Baier (http://www.leastprivilege.com)

Yes - sort-of. I'm still learning this too.

My question here is person A and B need to put their information in
Web.Config. And they should be encrypted in Web.Config (aspnet_regiis
-pef ...).

The problem is how does person A get their connection string into
Web.Config and aspnet_regiis run on it? Only person C is allowed
access to the server and to Web.Config. But they are not allowed to
see the unencrypted connection string.

Cubicle Wars - http://www.windwardreports.com/film.htm

"Steven Cheng[MSFT]" wrote:

Hello Dave,

Based on the nature of the question you mentioned, it is somewhat a
pure security & cryptography question.

I'm not sure of the exact application code logic in your scenario (such
as the front end, backend and intermediate's processing on data and
the user/role based security strategy); would you further explain
it? For example, how will the three users (A, B, C) work in your
application (or in different application tiers)?

Generally, for symmetric cryptography, a key problem is the key
distribution and key management. Only the sender and receiver should
own the key. For example, if A and B want to exchange data through
symmetric data encryption, only A and B will share a key. And if they
want to let a 3rd party (such as user C) maintain the data, then
they should offer C the encrypted data (rather than plain text).

Please feel free to let me know your actual requirement and concerns.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers no
rights.


