Help encrypt conn string - no ASP, no server, can't protect keys, can't use Windows Authentication
- From: "David Lee Conley" <conley3500@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 17 Jul 2006 20:03:07 GMT
I've seen several questions posted since October regarding the encryption of
connection strings, but none of them seem to address my particular need.
I want to deploy a .NET 2.0 Windows Forms application that uses an MS Access
2003 database. The database has been encoded and password protected to
prevent direct manipulation. The database is used to store
application-related data, and access is controlled by the application, which
reads information from a user table in the database. The application
provides all authentication and authorization for database activities. The
application can't be used unless the user authenticates with information
stored in the user table in the database.
I need a way to encrypt the connection string, which includes the password,
without hard-coding it in the application.
The application is targeted for Windows XP for use at home, but could also
be used on a machine connected to a network, such as an active directory
domain. This particular app isn't being designed to interact with AD or a
network environment.
The samples I've seen on the Internet use DPAPI and other encryption schemes
that seem to require keys, but, unless I didn't see it or don't understand
it, I don't see a way to generate encryption keys during design time that
can be deployed with any way of protecting the keys.
I can't use Windows Authentication/Integrated Security because, given the
potential environments this application would be used in, there's no
guarantee that the person booting up and signing on the computer is the
actual intended user.
The example I've seen that uses ProtectedData clearly won't work because
once the connection string is encrypted, it can only be decrypted on the
machine it's being used on.
My understanding is that I can't use hashing because it creates a 1-way
encryption, and I need to be able to decrypt it to connect to the database.
I've been able to "encrypt" the connection string using AsnEncodeData and
put the results in the app.config file, and could probably do the same thing
with CryptoAPITransform, but it occurs to me that someone that knows how to
program in .NET could implement their own AsnEncodeData or
CryptoAPITransform decoders to read the connection string.
Is there any way to encrypt the connection string so it can't be hacked in
this situation?
Or do I need to create a second app that runs as a Custom Action during
deployment that encrypts the connection string for that machine only?
TIA.
Dave
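
The install-time idea raised at the end of the post, sketched with the `ProtectedData` class the post mentions (an added example, not part of the original message). The class name, entropy string, file path and password placeholder are assumptions made up for illustration.

```csharp
using System;
using System.Security.Cryptography; // ProtectedData; reference System.Security.dll
using System.Text;

static class ConnStringProtector
{
    // Assumption: app-specific entropy. It ships in the assembly, so it is not a
    // secret; it only keeps this app's blobs distinct from other DPAPI blobs.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp.ConnString.v1");

    // Run once on the target machine, e.g. from an installer custom action.
    // The result is bound to this machine's DPAPI keys.
    public static string ProtectForThisMachine(string plainConnString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(plainConnString);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
            return Convert.ToBase64String(blob); // store this string in app.config
        }
        finally { Array.Clear(plain, 0, plain.Length); } // do not leave plaintext bytes around
    }

    // Run at application start. Throws CryptographicException if the blob was
    // created on a different machine or with different entropy.
    public static string Unprotect(string base64Blob)
    {
        byte[] blob = Convert.FromBase64String(base64Blob);
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.LocalMachine);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    static void Main()
    {
        // Constructed sample connection string; path and password are placeholders.
        string conn = @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\ExampleApp\data.mdb;"
                    + "Jet OLEDB:Database Password=PLACEHOLDER;";
        string stored = ProtectForThisMachine(conn);
        Console.WriteLine(Unprotect(stored) == conn ? "round trip ok" : "mismatch");
    }
}
```

With `LocalMachine` scope any process on that computer can call `Unprotect`, and the entropy bytes can be read out of the assembly, so this stops the config file from being useful on another machine but not a local user with a decompiler. The plaintext password also still has to reach the installer somehow, which moves the problem rather than removing it.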