How to encrypt the hard coded password while connecting to MSDE?

Hi,

I have an app. that uses an MSDE database. I hardcoded the login and
password in the application, but it is very simple to see with an ILDASM.exe
tool.

Is there any procedure to obscure the hard coded connection string, or how can
I connect to the database with an encrypted password?

Thanks in advance

Gabor
Nov 20 '05 #1
There are a few possibilities:

1) Use an Obfuscator, if you have Visual Studio.NET 2003 one is integrated.

2) Store the password/connectionstring in an encrypted way in an App.Config
file. This can be done by using the Configuration Management Application
Block from Microsoft
http://msdn.microsoft.com/library/de...us/dnbda/html/cmab.asp

--
Greetz

Jan Tielens
________________________________
Read my weblog: http://weblogs.asp.net/jan
Nov 20 '05 #2
Using these methods won't protect the transmission of the password though. I
recommend that your machine or the machines which use the database "Off
Machine" have encrypted transmission between client and host if you are
worried about security.

OHM#

Regards - OHM# On**********@BTInternet.com
Nov 20 '05 #3
Thank You for the quick answer.

I'm using VS 2002, and can't migrate to 2003 at the end of the
development process, so I decided to store the password securely, but if I
write the encryptor/decryptor functions, how do I securely store the needed
key?

In all the examples in the knowledge base articles, the key is hardcoded, and
therefore the problem remains the same: with the ILDASM tool, the hacker can
see it. Does anybody know a good obfuscator for VS 2002?

Thanks in advance

Gabor
Nov 20 '05 #4
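An added illustration, not code from any poster in this thread: .NET stores string literals as UTF-16LE text inside the assembly, which is why the hard-coded login is readable in ILDASM. The sketch below is a pre-release check that scans build output for such literals and reports any that assign a password; the sample bytes, server name and credentials are constructed.

```python
import re

# Keys that carry a secret in an ADO.NET-style connection string.
CRED_KEY = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;]+)")
# Runs of printable ASCII stored as UTF-16LE (low byte, then 0x00).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def utf16_literals(blob):
    """Yield (offset, text) for each UTF-16LE string literal in the blob."""
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), m.group().decode("utf-16-le")


def find_embedded_credentials(blob):
    """Return one finding per literal that assigns a password.

    The secret is masked so the report is safe to keep in build logs.
    """
    findings = []
    for offset, text in utf16_literals(blob):
        m = CRED_KEY.search(text)
        if m:
            masked = text[:m.start(2)] + "*" * len(m.group(2)) + text[m.end(2):]
            findings.append({"offset": offset, "key": m.group(1).lower(),
                             "literal": masked})
    return findings


def build_sample():
    """Constructed stand-in for a compiled assembly: filler bytes around
    three UTF-16LE literals. All names and values are made up."""
    literals = [
        "SELECT * FROM Orders",
        "Server=(local)\\APPDB;Database=Orders;User ID=appuser;Password=Constructed#1;",
        "Server=(local)\\APPDB;Database=Orders;Integrated Security=SSPI;",
    ]
    sep = b"\x01\xff\x01"
    return sep + sep.join(s.encode("utf-16-le") for s in literals) + sep


if __name__ == "__main__":
    for f in find_embedded_credentials(build_sample()):
        print("offset %d: %s literal -> %s" % (f["offset"], f["key"], f["literal"]))
```

To run the same check on a real build, pass the bytes of the compiled .exe or .dll to `find_embedded_credentials`.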
Hi Gabor,

You may check the link below for Obfuscators for .NET.
http://www.cetus-links.org/oo_dotnet.html
Decompilers & Obfuscators

But why do you not want to use Windows Authentication in SQL Server?
This would be a better and more secure solution.

Regards,
Peter Huang
Microsoft Online Partner Support
Get Secure! www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

Nov 20 '05 #5
Hi Peter,

Thank you for the answer.

Our program will be used on the Win 98/Me and the 2000+ platforms, so we
can't use Windows authentication.

Thanks

Gabor

----- Original Message -----
From: "Peter Huang" <v-******@online.microsoft.com>
Newsgroups: microsoft.public.dotnet.languages.vb
Sent: Thursday, December 11, 2003 9:17 AM
Subject: Re: How to encrypt the hard coded password while connecting to
MSDE?


Nov 20 '05 #6
Hi Gabor,

Did my last suggestion of the obfuscators work for you?
If you have any concern, please post here.

Regards,
Peter Huang
Microsoft Online Partner Support
Get Secure! www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

Nov 20 '05 #7
Hi Gabor,

If you do not use the obfuscators, then your code will be ildasmed by some
tool. In this case, even if you use the procedure to encrypt the
connection string, where do you store the secret key?

So I think the ultimate goal in securing your application is to use the
obfuscators to prevent others from accessing your code directly (using an
ildasm-like tool).

If you have any concern on this issue, please post here.

Regards,
Peter Huang
Microsoft Online Partner Support
Get Secure! www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

Nov 20 '05 #8
Peter,

The obfuscators are a great idea, but the ones on the market differ widely
in their capabilities.

Only the most expensive ones include control flow obfuscation and string
encryption (which is elementary if I hard code the password).

The Dotfuscator that is part of VS2003 provides these capabilities only
in the paid versions :((

Moreover, I'm still using VS2002, because the development was begun with
this version, and migrating at the end of the development process would be
very hazardous.

Thank You for the reply

Gabor
Nov 20 '05 #9
