470,624 Members | 2,393 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 470,624 developers. It's quick & easy.

How to encrypt the hard coded password while connecting to MSDE?

Hi,

I have an app. that uses an MSDE database. I hardcoded the login and
password in the application, but it is very simple to see with an ILDASM.exe
tool.

Is it any procedure to obscure the hard coded connection string, or how can
I connect to the database with an encrypted password?

Thanks in advance

Gabor
Nov 20 '05 #1
8 3484
There are a few possibilities:

1) Use an Obfuscator, if you have Visual Studio.NET 2003 one is integrated.

2) Store the password/connectionstring in an encrypted way in an App.Config
file. This can be done by using the Configuration Management Application
Block from Microsoft
http://msdn.microsoft.com/library/de...us/dnbda/html/
cmab.asp

--
Greetz

Jan Tielens
________________________________
Read my weblog: http://weblogs.asp.net/jan
"Gabor" <pr******@axelero.hu> wrote in message
news:Oq**************@TK2MSFTNGP10.phx.gbl...
Hi,

I have an app. that uses an MSDE database. I hardcoded the login and
password in the application, but it is very simple to see with an ILDASM.exe tool.

Is it any procedure to obscure the hard coded connection string, or how can I connect to the database with an encrypted password?

Thanks in advance

Gabor

Nov 20 '05 #2
Using these methods wont protect the tansmission of the password though, I
recommend that your machine or the machines which use the database "Off
Machine" have encrypted transmission between client and host if you are
worried about security.

OHM#

Jan Tielens wrote:
There are a few possibilities:

1) Use an Obfuscator, if you have Visual Studio.NET 2003 one is
integrated.

2) Store the password/connectionstring in an encrypted way in an
App.Config file. This can be done by using the Configuration
Management Application Block from Microsoft
http://msdn.microsoft.com/library/de...us/dnbda/html/ cmab.asp
"Gabor" <pr******@axelero.hu> wrote in message
news:Oq**************@TK2MSFTNGP10.phx.gbl...
Hi,

I have an app. that uses an MSDE database. I hardcoded the login and
password in the application, but it is very simple to see with an
ILDASM.exe tool.

Is it any procedure to obscure the hard coded connection string, or
how can I connect to the database with an encrypted password?

Thanks in advance

Gabor


Regards - OHM# On**********@BTInternet.com
Nov 20 '05 #3
Thank You for the quick answer.

I'm using VS 2002, and can't migrate to the 2003 at the end of the
development process, so I decided to store the password securily, but if I
write the encryptor/decryptor functions, how to store securily the needed
key?

In all example in the knowledge base articles, the key is hardcoded, and
therefore the problem remain the same, with the ILDASM tool, the hacker can
see it. Does anybody knows a good obfuscator for the VS 2002?

Thanks in advance

Gabor
"Jan Tielens" <ja*@no.spam.please.leadit.be> wrote in message
news:e1**************@TK2MSFTNGP09.phx.gbl...
There are a few possibilities:

1) Use an Obfuscator, if you have Visual Studio.NET 2003 one is integrated.
2) Store the password/connectionstring in an encrypted way in an App.Config file. This can be done by using the Configuration Management Application
Block from Microsoft
http://msdn.microsoft.com/library/de...us/dnbda/html/ cmab.asp

--
Greetz

Jan Tielens
________________________________
Read my weblog: http://weblogs.asp.net/jan
"Gabor" <pr******@axelero.hu> wrote in message
news:Oq**************@TK2MSFTNGP10.phx.gbl...
Hi,

I have an app. that uses an MSDE database. I hardcoded the login and
password in the application, but it is very simple to see with an

ILDASM.exe
tool.

Is it any procedure to obscure the hard coded connection string, or how

can
I connect to the database with an encrypted password?

Thanks in advance

Gabor


Nov 20 '05 #4
Hi Garbor,

You may check the link below for Obfuscators for .NET.
http://www.cetus-links.org/oo_dotnet.html
Decompilers & Obfuscators

But why you do not want to use the Windows Authentication in SQL Server
this will be better and more secure solution.

Regards,
Peter Huang
Microsoft Online Partner Support
Get Secure! www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

Nov 20 '05 #5
Hi Peter,

Thanks You for the answer.

Our program will be used on the Win 98/ Me and the 2000+ platforms, s we
can't use the Windows authentication.

Thanks

Gabor

----- Original Message -----
From: "Peter Huang" <v-******@online.microsoft.com>
Newsgroups: microsoft.public.dotnet.languages.vb
Sent: Thursday, December 11, 2003 9:17 AM
Subject: Re: How to encrypt the hard coded password while connecting to
MSDE?

Hi Garbor,

You may check the link below for Obfuscators for .NET.
http://www.cetus-links.org/oo_dotnet.html
Decompilers & Obfuscators

But why you do not want to use the Windows Authentication in SQL Server
this will be better and more secure solution.

Regards,
Peter Huang
Microsoft Online Partner Support
Get Secure! www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

Nov 20 '05 #6
Hi Gabor,

Did my last suggestion of the Obfuscators works for you?
If you have any concern, please post here.

Regards,
Peter Huang
Microsoft Online Partner Support
Get Secure! www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

Nov 20 '05 #7
Hi Gabor,

If you do not use the obfuscators , then your code will be ildasmed by some
tool. In this case, even if you use the procedure to encrypt the
connection string, then where do you stored the secret key?

So I think the ultimate goal to secure your application is to use the
obfuscators to prevent others from access your code directly(using ildasm
like tool).

If you have any concern on this issue, please post here.

Regards,
Peter Huang
Microsoft Online Partner Support
Get Secure! www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

Nov 20 '05 #8
Peter,

The obfuscators is a great idea, but on the market are very different ones
respective to their capabilities.

The one that includes the control flow obfuscation and the string encryption
(that is elementary, if I hard code the password) konw only the most
expensive ones.

The dotfuscator, that is part of the VS2003, provide these capabilities only
in the payable versions :((

Moreover I'm using the VS2002 yet, because the development was begined with
this version, and migrate at the end of the development process would be
very hazardous.

Thank You for the reply

Gabor

"Peter Huang" <v-******@online.microsoft.com> wrote in message
news:hX**************@cpmsftngxa07.phx.gbl...
Hi Gabor,

Did my last suggestion of the Obfuscators works for you?
If you have any concern, please post here.

Regards,
Peter Huang
Microsoft Online Partner Support
Get Secure! www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

Nov 20 '05 #9

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

1 post views Thread by Carl Hilton | last post: by
5 posts views Thread by Simon Harvey | last post: by
6 posts views Thread by John Morgan | last post: by
10 posts views Thread by Javier Gomez | last post: by
4 posts views Thread by ad | last post: by
8 posts views Thread by Gidi | last post: by
12 posts views Thread by googlegroups | last post: by
4 posts views Thread by Gilles Ganault | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.