Re: Encryption of Connection String
From: Joubert Nel ()
Date: 01/01/03
From: "Joubert Nel" <> Date: Wed, 1 Jan 2003 14:13:01 +0200
Hi Jasper,
Do you know what level of encryption IS applied to the connection string? I
cannot find any documentation on this.
Regards,
Joubert.
"Jasper Smith" <jasper_smith9@hotmail.com> wrote in message
news:e9i2Po$rCHA.1656@TK2MSFTNGP09...
> Just to add to that, when the Web Server makes the connection
> to the SQL Server via SQL authentication the password is only
> encrypted with very weak encryption that is extremely simple to
> decrypt. Thus you might have made all this effort to encrypt the
> conn string in your app but when it actually gets sent across the
> wire it is tantamount to cleartext (it's not clear text but if you know
> how it's easy to pick out the data and decrypt it). Thus Windows
> Authentication is always the preferred option unless you are using
> SSL or IPSEC to secure the connection between the Web Server
> and SQL Server.
>
> --
> HTH
>
> Jasper Smith (SQL Server MVP)
>
> I support PASS - the definitive, global
> community for SQL Server professionals -
> http://www.sqlpass.org
>
> "Gang Guo [MSFT]" <gangguo@online.microsoft.com> wrote in message
> news:ta$M2s8rCHA.3108@cpmsftngxa06...
> > If the connection string is for the session state server, please check the
> > following article.
> >
> > Q329290 HOW TO: Use the ASP.NET Utility to Encrypt Credentials and Session
> > State
> > http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q329290
> >
> > If it is for your application, my advice is to use Windows authentication
> > to connect to your SQL server, thus you will not need to store the user name
> > and password in any form.
> >
> > If you need to use the standard authentication (that means the UID and PWD are
> > needed for the connection string), as long as you keep your web server
> > safe, it doesn't make a big difference how you encrypt your connection
> > string. If you just don't want to store the connection string as clear text
> > in the config file, you can use some class under
> > System.Security.Cryptography to encrypt/decrypt it, and store the key in
> > your code/or some registry.
> >
> > Remember one thing, no matter how your application encrypts/stores the
> > connection string, you must decrypt and restore the UID/PWD to clear text
> > before you make the connection. If your web server is not physically secured,
> > someone who really wants to get your connection string just needs to crack
> > the uid/pwd at that time and that will defeat all your effort for
> > protection.
> >
> >
> > Regards,
> > Gang Guo
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Got .Net? http://www.gotdotnet.com
> >
>
>
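
The advice quoted in this thread (prefer Windows Authentication, and otherwise protect the SQL-authentication login with SSL) can be turned into a check over connection strings. The following is an added example, not part of the original posts: the function names, finding labels and sample strings are constructed for illustration, and the keyword list is a subset of the synonyms SqlClient accepts. IPsec protection is not visible in a connection string, so the second finding means "confirm the link is protected some other way".

```python
import re

# Subset of SqlClient keyword synonyms, normalised to one name (illustrative list).
SYNONYMS = {
    "uid": "user id", "user id": "user id",
    "pwd": "password", "password": "password",
    "trusted_connection": "integrated security",
    "integrated security": "integrated security",
    "encrypt": "encrypt",
}
# key=value pairs; a value may be quoted so that it can contain ';'
PAIR = re.compile(r"""\s*([^=;]+?)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^;]*))\s*(?:;|$)""")

def parse(conn_str):
    """Return the security-relevant settings of a connection string."""
    settings = {}
    for m in PAIR.finditer(conn_str):
        key = SYNONYMS.get(m.group(1).strip().lower())
        if key:
            # Exactly one of the three value groups matched; take that one.
            value = next(g for g in m.groups()[1:] if g is not None)
            settings[key] = value.strip()
    return settings

def audit(conn_str):
    """Hypothetical helper: list the weaknesses the thread warns about."""
    s = parse(conn_str)
    integrated = s.get("integrated security", "").lower() in {"true", "yes", "sspi"}
    encrypted = s.get("encrypt", "").lower() in {"true", "yes", "mandatory", "strict"}
    findings = []
    if "password" in s:
        # A secret sits in the config, however the file itself is protected.
        findings.append("stored-password")
    if not integrated and "user id" in s and not encrypted:
        # SQL authentication with no SSL requested by the client.
        findings.append("sql-auth-unencrypted")
    return findings

# Constructed sample strings; server names and credentials are placeholders.
SAMPLES = [
    "Server=db1;Database=shop;UID=webapp;PWD=example-only",
    "Server=db1;Database=shop;Integrated Security=SSPI",
    "Data Source=db1;User ID=webapp;Password='a;b';Encrypt=True",
]

if __name__ == "__main__":
    for number, cs in enumerate(SAMPLES, 1):
        print(number, audit(cs) or "ok")
```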