Application Security
From: Nathan Bullock (nathan_kent_bullock_at_yahoo.ca)
Date: 08/26/03
Date: 25 Aug 2003 15:43:22 -0700
Hi everyone,
I am trying to figure out how to create a secure application. Here is
the situation:
SQL Server database
.NET (C#) clients
There is a global SQL Server userid and password.
In the database we store an application-specific user id and SHA-1
encoded password.
Currently this SQL Server password is just stored in the registry; it
is encrypted in some fashion. This allows the application to connect
to SQL, then the application checks whether this user is actually
allowed to be using the application and what access they have within
the application.
Anyways, here is the problem: if a user has access to the bytecode of
the application then they could always decompile it, determine how we
are encrypting the SQL Server password, and log in to SQL Server, giving
them full access to the information in the system. Due to this
security problem it doesn't really matter how strongly encrypted their
application password is. Who knows what the proper way to handle
security in this sort of application is?
Hopefully this is explained okay.
Nathan