On Tue, 10 Oct 2006 06:30:02 -0700, T3Logic
<T3*****@discussions.microsoft.com> wrote:
>I have tried multiple methods of encrypting the connection string. Everyone
>has made it sound easy.
>I have encrypted the connection string in the app.config file, code behind,
>etc.
>Basically try this test.
>Create a new app and just add a connection string. Add whatever encryption
>that you would like to use. Build the app. Go to the app's bin directory and
>rename the exe to .txt. So it will now be app.txt. Open up in notepad, go
>to the bottom of the file. You will see your connection string in text all
>nice and pretty.
>Not secure. Same thing works in vb6.

One answer is not to put the plaintext of your connection string into
your source; put an encrypted version into the source, and decrypt it
when you need it at runtime. Because you are only decrypting at
runtime, the decrypted text will not appear in the .exe file.
e.g.:

    using System;
    using System.Text;

    class Program {
        static string cypherPassword = "not this";

        // XOR each byte of the stored text with the key to recover the secret.
        static string Decrypt(string cyphertext) {
            byte[] key = {0x1D, 0x1E, 0x01, 0x49,
                          0x06, 0x1A, 0x0C, 0x1E };
            byte[] bytes = Encoding.UTF8.GetBytes(cyphertext);
            for (int i = 0; i < bytes.Length; ++i) {
                bytes[i] ^= key[i % key.Length];  // wrap so longer text cannot overrun the key
            }
            return Encoding.UTF8.GetString(bytes);
        }

        static void Main() {
            Console.WriteLine("The secret password is: {0}",
                Decrypt(cypherPassword));
        }
    }

Using an XOR encryption, as I have done here, allows you to pick a
deceptive string for the cyphertext if you want to.
Obfuscation will not hide the source code key from anything more than a
casual examination. Depending on how secure you want it to be, you
could put the decryption key in a database or in a separate file so it
does not form part of the source code at all. How much security you
want depends on if you are trying to hide things from Aunt Edna or
from Nasty Megacorp Inc, with lots of money and people to throw at it.
rossum
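
Added example, not part of rossum's post: the last paragraph's suggestion of keeping the key in a separate file, shown in C# with the same XOR scheme. The class name, key path and sample connection string are assumptions made up for illustration, and the ciphertext is held as Base64 because XOR output is not always valid text.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class ConnStringDemo   // hypothetical name
{
    // XOR is its own inverse, so one routine both hides and reveals.
    // Refuses a short key instead of silently reusing or overrunning it.
    static byte[] Xor(byte[] data, byte[] key)
    {
        if (key.Length < data.Length)
            throw new ArgumentException("Key must be at least as long as the data.");
        byte[] result = new byte[data.Length];
        for (int i = 0; i < data.Length; ++i)
            result[i] = (byte)(data[i] ^ key[i]);
        return result;
    }

    // Runtime path: the key comes from a file, never from the source or the .exe.
    static string Decrypt(string cipherBase64, string keyPath)
    {
        byte[] key = File.ReadAllBytes(keyPath);   // throws if the key file is missing
        return Encoding.UTF8.GetString(Xor(Convert.FromBase64String(cipherBase64), key));
    }

    static void Main()
    {
        // Setup half. In real use this lives in a separate tool; a plaintext
        // literal compiled into the application is the original poster's problem.
        string plain = "Server=db01;Database=Shop;User Id=app;Password=example;"; // constructed sample
        byte[] plainBytes = Encoding.UTF8.GetBytes(plain);
        string keyPath = Path.Combine(Path.GetTempPath(), "conn.key");            // hypothetical location
        byte[] key = new byte[plainBytes.Length];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(key);
        File.WriteAllBytes(keyPath, key);

        // This Base64 text is what would be placed in the source or app.config.
        string cipherBase64 = Convert.ToBase64String(Xor(plainBytes, key));
        Console.WriteLine("Stored in source: {0}", cipherBase64);

        // Runtime half: the plaintext exists only in memory after this call.
        Console.WriteLine("Round trip ok: {0}", Decrypt(cipherBase64, keyPath) == plain);
        File.Delete(keyPath);
    }
}
```

The protection is now only as good as the access control on the key file, so it should be readable only by the account the application runs under.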