Re: Encryption of Connection String
From: paul reed (prreed@jacksonreed.com)
Date: 01/02/03
- Next message: Mike Beltran: "Re: Windows Authentication"
- Previous message: Sue Hoegemeier: "Re: Help with sp_start_job and xp_sqlagent_proxy_account"
- In reply to: Joubert Nel: "Re: Encryption of Connection String"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "paul reed" <prreed@jacksonreed.com> Date: Thu, 2 Jan 2003 06:16:52 -0800
Jasper,
I don't think ANY encryption is applied to the string by default.
Regards,
Paul
"Joubert Nel" <> wrote in message
news:#4NqB7YsCHA.2448@TK2MSFTNGP09...
> Hi Jasper,
>
> Do you know what level of encryption IS applied to the connection string? I
> cannot find any documentation on this.
>
> Regards,
>
> Joubert.
>
>
> "Jasper Smith" <jasper_smith9@hotmail.com> wrote in message
> news:e9i2Po$rCHA.1656@TK2MSFTNGP09...
> > Just to add to that, when the Web Server makes the connection
> > to the SQL Server via SQL authentication the password is only
> > encrypted with very weak encryption that is extremely simple to
> > decrypt. Thus you might have made all this effort to encrypt the
> > conn string in your app but when it actually gets sent across the
> > wire it is tantamount to cleartext (it's not clear text but if you know
> > how it's easy to pick out the data and decrypt it). Thus Windows
> > Authentication is always the preferred option unless you are using
> > SSL or IPSEC to secure the connection between the Web Server
> > and SQL Server.
> >
> > --
> > HTH
> >
> > Jasper Smith (SQL Server MVP)
> >
> > I support PASS - the definitive, global
> > community for SQL Server professionals -
> > http://www.sqlpass.org
> >
> > "Gang Guo [MSFT]" <gangguo@online.microsoft.com> wrote in message
> > news:ta$M2s8rCHA.3108@cpmsftngxa06...
> > > If the connection string is for the session state server, please check the
> > > following article.
> > >
> > > Q329290 HOW TO: Use the ASP.NET Utility to Encrypt Credentials and Session
> > > State
> > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q329290
> > >
> > > If it is for your application, my advice is to use Windows authentication
> > > to connect to your SQL server, thus you will not need to store the user name
> > > and password in any form.
> > >
> > > If you need to use the standard authentication (that means the UID and PWD
> > > are needed for the connection string), as long as you keep your web server
> > > safe, it doesn't make a big difference how you encrypt your connection
> > > string. If you just don't want to store the connection string as clear
> > > text in the config file, you can use some class under
> > > System.Security.Cryptography to encrypt/decrypt it, and store the key in
> > > your code/or some registry.
> > >
> > > Remember one thing, no matter how your application encrypts/stores the
> > > connection string, you must decrypt and restore the UID/PWD to clear text
> > > before you make the connection. If your web server is not physically
> > > secured, someone who really wants to get your connection string just needs
> > > to crack the uid/pwd at that time and that will defeat all your effort for
> > > protection.
> > >
> > >
> > > Regards,
> > > Gang Guo
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > Got .Net? http://www.gotdotnet.com
> > >
> >
> >
>
>
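The advice in the thread above (prefer Windows authentication; otherwise protect SQL logins with SSL or IPSEC) can be checked mechanically. The following is an added example, not code from any poster in the thread: a small audit of SQL Server connection strings using the standard ADO.NET/ODBC keyword names. The sample strings are constructed, the parser assumes values contain no quoted semicolons, and IPSEC protection cannot be seen from a connection string, so a flagged string may still be protected at the network layer.

```python
# Added example: audit SQL Server connection strings for the risks discussed
# in the thread. Sample strings are constructed; server/user names are made up.

SAMPLES = {
    "windows_auth": "Server=db01;Database=Shop;Integrated Security=SSPI",
    "sql_auth_plain": "Server=db01;Database=Shop;UID=webapp;PWD=example-only",
    "sql_auth_tls": "Server=db01;Database=Shop;User ID=webapp;"
                    "Password=example-only;Encrypt=True",
}

TRUE_VALUES = {"true", "yes", "sspi"}
INTEGRATED_KEYS = {"integrated security", "trusted_connection"}
SECRET_KEYS = {"password", "pwd", "user id", "uid"}


def parse(conn_str):
    """Split 'key=value;...' into a dict with lower-cased keys."""
    pairs = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip().strip("'\"")
    return pairs


def audit(conn_str):
    """Return a list of findings; an empty list means nothing was flagged."""
    kv = parse(conn_str)
    integrated = any(kv.get(k, "").lower() in TRUE_VALUES for k in INTEGRATED_KEYS)
    has_secret = any(k in kv for k in SECRET_KEYS)
    encrypted = kv.get("encrypt", "").lower() in {"true", "yes"}
    findings = []
    if integrated:
        # Windows authentication: no credentials need to be stored at all.
        if has_secret:
            findings.append("credentials stored but unused with Windows authentication")
        return findings
    if has_secret:
        findings.append("SQL authentication: UID/PWD stored in the connection string")
        if not encrypted:
            findings.append("Encrypt not enabled: login is not protected by SSL on the wire")
    return findings


if __name__ == "__main__":
    for name, cs in SAMPLES.items():
        print(name, audit(cs) or "ok")
```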