First let me say, if you want real security, you will have to pay for it,
most of the low cost providers will let you have it but will charge you for
it. Otherwise you me need to find another provider. The same people that can
get at your web.config to read the password to your database will likely
already have access to your database with out your password. (Did that make
sense? It's so hard to tell)
That being said, I am in the same situation with my provider, so at the risk
of being chastised, here is what I have done: (I don't store any of this in
the Web.config, I use XML serialization to store it in it's own XML file)
I have a class that handles the database connection string, and it stores
the critical data (user name and password in an encrypted byte array) I have
overridden ToString() to give me the whole connection string when I ask for
it with the parts un-encrypted. Some thing like this:
public class DatabaseConnection
{
private byte[] _userid;
private byte[] _password;
public byte[] UserID
{
get { return _userid; }
set { _userid = value; }
}
public byte[] Password
{
get { return _password; }
set { _password = value; }
}
public string SetUserID(string user)
{
UserID = Globals.Encrypt(user);
}
private string GetUserID()
{
return Globals.Decrypt(_userid);
}
public string SetPassword(string pass)
{
Password = Globals.Encrypt(pass);
}
private string GetPassword()
{
return Globals.Decrypt(_password);
}
public override string ToString()
{
return string.Format("user id={0}; password={1}; blah blah blah",
GetUserId(), GetPassword());
}
}
then Globals looks like this:
public class Globals
{
public static byte[] Encrypt(string s)
{
System.Text.ASCIIEncoding encoder = new System.Text.ASCIIEncoding();
return EncryptByteArray(encoder.GetBytes(s));
}
public static string Decrypt(byte[] b)
{
System.Text.ASCIIEncoding encoder = new System.Text.ASCIIEncoding();
byte[] result = DecryptByteArray(b);
return encoder.GetString(result);
}
// Encryption keys, fill in with byte values (0-255)
private static byte[] RC2Key = {0x0,0x0,0x0,0x0,0xe0,0x0,0x0,0x0}; //
<==Make up your own
private static byte[] RC2IV = {0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0}; //
<==Make up your own
private static byte[] EncryptByteArray(byte[] value)
{
System.Security.Cryptography.RC2CryptoServiceProvi der crypto = new
System.Security.Cryptography.RC2CryptoServiceProvi der();
byte[] buffer;
System.Security.Cryptography.CryptoStream clearTextStream;
System.IO.MemoryStream cypherTextStream;
byte[] result;
buffer = value;
cypherTextStream = new System.IO.MemoryStream();
clearTextStream = new
System.Security.Cryptography.CryptoStream(cypherTe xtStream,
crypto.CreateEncryptor(RC2Key, RC2IV),
System.Security.Cryptography.CryptoStreamMode.Writ e);
clearTextStream.Write(buffer, 0, buffer.Length);
clearTextStream.FlushFinalBlock();
result = cypherTextStream.ToArray();
return result;
}
private static byte[] DecryptByteArray(byte[] value)
{
System.Security.Cryptography.RC2CryptoServiceProvi der crypto = new
System.Security.Cryptography.RC2CryptoServiceProvi der();
byte[] buffer;
System.Security.Cryptography.CryptoStream cypherTextStream;
System.IO.MemoryStream clearTextStream;
byte[] result;
buffer = value;
clearTextStream = new System.IO.MemoryStream();
cypherTextStream = new
System.Security.Cryptography.CryptoStream(clearTex tStream,
crypto.CreateDecryptor(RC2Key, RC2IV),
System.Security.Cryptography.CryptoStreamMode.Writ e);
cypherTextStream.Write(buffer, 0, buffer.Length);
cypherTextStream.FlushFinalBlock();
result = clearTextStream.ToArray();
return result;
}
}
There it is, FWIW.
Brian W
As the risk of being chastized here it wat
"Charlie@CBFC" <ch*****@comcast.net> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
Hi:
I'm storing my dB connection in web.config file. Since it will be easily
read by opening file, what is a good way to secure it?
Thanks,
Charlie
