I am using an OdbcConnection to communicate with a DB2 database ex.
using (var conn = new ODBCConnection("Database=Database;UID=user;PWD=password"))
{
conn.Open();
…
}
I am worried that people with access to the machine may try to steal the database credentials. I have obfuscated the code but is it possible to use a packetsniffer to get the connection string? If so is there a way to protect against this?
If someone has access to your assembly or executable, it's possible to use ildasm to read the intermediate language that C# gets compiled into (CIL). Even if you obfuscate your code, it's pretty easy to retrieve String literals.
Obfuscators will typically encrypt String literals, and inject an extra method call to decrypt them before they are used. That means it's possible to get the implementation and keys of the decryption routine, and run them yourself.
So, to answer your question, you don't even need to use a packet sniffer to get the creds, you can do it by just examining the IL.
you can store your connecrion string in App.Config/Web.Config then you can encrypt your connection string
http://www.asp.net/web-forms/tutorials/data-access/advanced-data-access-scenarios/protecting-connection-strings-and-other-configuration-information-cs
http://msdn.microsoft.com/en-us/library/zhhddkxy(v=vs.100).aspx
Related
Recently I am working on an .Net project. We used EF to handle SQL, when we make an installer of the program, we realize that app.config is visible which mean that the connection string is not safe.
I am looking for a way to add connection string (or maybe secret code and username) to the EF so that the connection string is not visible.
Something like change old code from this
Using db As ConnectDb.adoSentoEntities= New ConnectDb.adoSentoEntities
'TODO
End Using
to this
Using db As ConnectDb.adoSentoEntities= New ConnectDb.adoSentoEntities(ConnectionString)
'TODO
End Using
But since we used connect code to SQL all over the place, changing every single line of code is not possible. There is a way I only need to add connection string once?
You’d be better off encrypting the connection string section in the app.config. You wouldn’t need to make any changes.
Storing any sort of configuration in an assembly can be read using a hex editor.
It’s been answered on here before.
Encrypting Connection String in web.config
You’d be better off using a trusted connection if you’re using SQL Server. The user running the app would need to have permissions and no username and password is required.
Save connection string is settings of project properties.
Go in project properties.
Select settings.
Add new setting as connection string and save connection string.
Then you can use it for whole project.
I am very new on c#/Visual Studio and I'm having difficulty on running my test methods. It requires us to connect to a database server resulting of getting always a failed result since we can't connect to the database.
We tried to modify the connection string to include our working credentials so that we can connect to the database server but the app.config file was encrypted.
Please see below screenshot of example encrypted line. How can we modify that?
As I see it I think the connectionstring is encrypted outside the project and pasted here. I am saying this because IMO encrypting just the connection string value and keeping the key in plain text is not possible from within the project. It is possible to encrypt the entire section within a config file.
Check the method which is using this connectionstring. I believe The method might be using some form of decryption. Use that to decrypt the string, change the values as required, encrypt it again and paste it in the above location.
You can also edit your question to include the method which is using the connectionstring so that I can analyse it and give you a better solution.
Hope this helps.
I have a requirement to protect my Web.config file from malicious users accessing our webserver & junior developers in team. I have used RsaProtectedConfigurationProvider to successfully encrypt & decrypt our file. However, decypting the connection string is as easy as accessing it from withing my application, no matter if it is encrypted or not
protected void btnShowConnectionString_Click(object sender, EventArgs e)
{
lblMessage.Text = WebConfigurationManager.ConnectionStrings["MyTestConnection"].ConnectionString;
}
How do I secure my connection string to avoid work arounds like these?
You cannot do this with standard solutions.
To do such protection you should write your own wrapper around standard library using this connection string, that will decrypt connection string from webconfig.
And you should protect your wrapper from decompiling with something like Sentinel Hasp. If you don't protect your wrapper it will be simple to get encryption algorithm and decrypt connection string.
But it will be simpler to do not write production connection strings to developers webconfig. Use developer enviroment for developing and write production enviroment connection strings when deploying to production enviroment.
You can read this link about secure string connection, recommended solution by msdn
link : http://msdn.microsoft.com/en-us/library/89211k9b(v=vs.80).aspx
IMHO, the "workaround" you are mentioning isn't really a workaround, rather, it is what it is.
Your application (web or otherwise), must be able to decyrpt the information so that i can actually make the connection. Unless you are using Windows Authentication to your SQL server, user/pwd are always "there"...the nagging question I have is why/how would such code exist in your application (in the first place)?
As noted above in previous answers, separate your development environment from production - perhaps only have production config transforms in production environment.
I am New to the more enhanced features of the C# and .NET coding practices
I have been trying to Find A solution to using a particular method in C# for Winforms, Windows Services And ASP.NET web Applications where you program your connection to SQL and Convert the C# Code file to a dll to be used in your project.
The idea is to Create the Connection and Convert it to a dll so that every time you start a function and need to make a database connection you will just write it where you say
Function ABC
{
//VB Version would be like this as i have seen this
Dim DCDLL as New Dataconn
//Where 'DCDLL' is the DLL file which is being declared as a new dataconnection
//C# Version would be Alon these Lines
SQLConnection DataConn = New SQLConnection(DCDLL)
}
I have only seen the VB Code version of the Call so I am not keen on the C# Method that this would be done
Meanwhile The DLL Holds all the other code like
string ConnectionString =
"Data Source=Datasource; UID=User; PWD=Pass; Persist Security
Info=True; Initial Catalog= Catalog";
Dataconn = new SqlConnection(ConnectionString);
Dataconn.Open();
the purpose of the DLL would be to handle the connection to the database, Open it catch errors if dataconnection is not successfull and close the connection if needed so that you dont have to programatically do this every time. Also it is only responsible for the connection therefore you can use a function to call the connection execute the procedure and whatever else is required.
The idea of using a DLL is just to make the Connection settings to the Database a little more secure, the Connection obviously wont become super secure but it adds more security than having the Code in you code pages etc.
i have spoken to and seen people use this type of method but my research on how to achieve this via google and other sources does not seem to understand what i am searching for.
I am trying to understand that when i code this file how it must be done as to ensure that it handles the database connection correctly without issues and doesnt break.
If anyone can Give me Examples in C# of how to do this it would be appreciated or if you know of any pages that have explained how to achieve this i would be most grateful for your assistance
You should put your connection strings in app.config / web.config, and use c# to get the values...
Get ConnectionString from app.config in c#
You can also encrypt the connection string...
http://msdn.microsoft.com/en-us/library/89211k9b(v=vs.80).aspx
I am using Visual Studio 2010 and Microsoft Access 2010 to develop a desktop application using C# programming language.
connection string is:
connectionString="Provider=Microsoft.ACE.OLEDB.12.0;Data
Source=|DataDirectory|\KBank.accdb;Persist Security Info=False"
and i give it the password in the C# code as follows:
public string GetConnectionStringByName()
{
string returnValue = null;
ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings["Info_Bank_Project.Properties.Settings.KBankConnectionString"];
if (settings != null)
returnValue = settings.ConnectionString + ";Jet OLEDB:Database Password=blablabla";
return returnValue;
}
i have used the database in the project in just one simple "Select" query.
so, concerning to the security issue..
can any one decrypt the access database or see the password?
and what is your suggestion to make it hard for any one to see the database data
This is little old thread, My experience on this issue might help someone.
You can create C++ DLL with the strong password located inside it, then call it from C# app to encrypt/Decrypt methods with the data base file name.
No, your data is not safe, since anyone can inspect your code using an MSIL decompiler and retrieve your connection strings from your app. There will be a point at some point in your process where someone has the possibility of seeing that password, whether it's in memory, in reflection, or something else.
If you have data that is in the possession of someone other than you, not on your servers, then you can assume you no longer have control over that data.
Now, with all that said, you can make it harder for them to get to by encrypting the database file and obfuscating your code.
Why not just put the password in your app.config and encrypt the app.config.
See here