Re: Encryption of Connection String

From: Jasper Smith (jasper_smith9@hotmail.com)
Date: 12/30/02


From: "Jasper Smith" <jasper_smith9@hotmail.com>
Date: Mon, 30 Dec 2002 11:53:03 -0000


Just to add to that, when the Web Server makes the connection
to the SQL Server via SQL authentication, the password is only
encrypted with very weak encryption that is extremely simple to
decrypt. Thus you might have made all this effort to encrypt the
conn string in your app, but when it actually gets sent across the
wire it is tantamount to cleartext (it's not clear text, but if you know
how, it's easy to pick out the data and decrypt it). Thus Windows
Authentication is always the preferred option unless you are using
SSL or IPSEC to secure the connection between the Web Server
and SQL Server.

-- 
HTH
Jasper Smith (SQL Server MVP)
I support PASS - the definitive, global
community for SQL Server professionals -
http://www.sqlpass.org
"Gang Guo [MSFT]" <gangguo@online.microsoft.com> wrote in message
news:ta$M2s8rCHA.3108@cpmsftngxa06...
> If the connection string is for the session state server, please check the
> following article.
>
> Q329290 HOW TO: Use the ASP.NET Utility to Encrypt Credentials and Session
> State
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q329290
>
> If it is for your application, my advice is to use Windows authentication
> to connect to your SQL server; thus you will not need to store the user name
> and password in any form.
>
> If you need to use standard authentication (that means the UID and PWD are
> needed for the connection string), as long as you keep your web server
> safe, it doesn't make a big difference how you encrypt your connection
> string. If you just don't want to store the connection string as clear
> text in the config file, you can use some class under
> System.Security.Cryptography to encrypt/decrypt it, and store the key in
> your code or in the registry.
>
> Remember one thing: no matter how your application encrypts/stores the
> connection string, you must decrypt and restore the UID/PWD to clear text
> before you make the connection. If your web server is not physically
> secured, someone who really wants to get your connection string just needs
> to crack the uid/pwd at that time, and that will defeat all your effort at
> protection.
>
>
> Regards,
> Gang Guo
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> Got .Net? http://www.gotdotnet.com
>
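One way to act on the advice in both posts above, as an added example that is not code from the thread or from either author: prefer Windows authentication (no UID/PWD in the string at all), require TLS on the connection when SQL authentication cannot be avoided, and protect the stored string with DPAPI so that no key has to live in code or the registry. The server, database and account names are constructed placeholders; the DPAPI `ProtectedData` class is Windows-only and postdates the .NET version the thread was written against, so it is an assumption about the target environment.

```csharp
// Added example, not code from the thread. Assumes .NET with
// System.Data.SqlClient and System.Security.Cryptography.ProtectedData
// (DPAPI, Windows only). Server/database/account names are placeholders.
using System;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

public static class ConnectionStringProtection
{
    // Preferred option from the thread: Windows authentication. The string
    // carries no UID/PWD, so there is nothing to encrypt at rest and no
    // password inside the login packet. Encrypt=true still requests TLS.
    public static string WindowsAuthConnectionString(string server, string database)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            IntegratedSecurity = true,
            Encrypt = true
        };
        return builder.ConnectionString;
    }

    // Fallback when SQL authentication is unavoidable: require TLS so the
    // password is not sent protected only by the weak obfuscation Jasper
    // describes, and verify the server certificate rather than trusting any.
    public static string SqlAuthConnectionString(string server, string database,
                                                 string user, string password)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            UserID = user,
            Password = password,
            IntegratedSecurity = false,
            Encrypt = true,
            TrustServerCertificate = false
        };
        return builder.ConnectionString;
    }

    // Constructed, non-secret value that ties the DPAPI blob to this application.
    private static readonly byte[] AppEntropy =
        Encoding.UTF8.GetBytes("example-app-connection-string-v1");

    // Protect the stored string with DPAPI instead of a key kept in code or the
    // registry (Gang Guo's concern): the key material belongs to the account
    // that runs the application, so copying the config file alone yields nothing.
    public static byte[] Protect(string connectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        try
        {
            return ProtectedData.Protect(plain, AppEntropy, DataProtectionScope.CurrentUser);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
        }
    }

    // As Gang Guo notes, the string must be clear text at connect time. Keep that
    // window short: decrypt, connect, scrub the buffer. The managed string handed
    // to SqlConnection still lives in memory until collected; DPAPI does not
    // change that, it only protects the copy on disk.
    public static SqlConnection OpenProtected(byte[] blob)
    {
        byte[] plain = ProtectedData.Unprotect(blob, AppEntropy, DataProtectionScope.CurrentUser);
        try
        {
            var connection = new SqlConnection(Encoding.UTF8.GetString(plain));
            connection.Open();
            return connection;
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
        }
    }

    public static void Main()
    {
        // Placeholder values; a real deployment would take these from setup, not source.
        string cs = SqlAuthConnectionString("sqlserver01", "Orders", "webapp", "PLACEHOLDER-password");
        byte[] blob = Protect(cs);
        Console.WriteLine("Store this blob in the config file instead of the clear string:");
        Console.WriteLine(Convert.ToBase64String(blob));
        // The data layer would call OpenProtected(blob) when it needs a connection.
    }
}
```

The DPAPI blob is bound to the account that created it, so it must be generated on each web server under the application's own identity, which is the same reason the thread's other replies warn about web farms; it is a way to avoid storing a key, not a substitute for the Windows-authentication option both posters recommend first.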
