
Securing ADO.NET Connection Strings

25 Aug 2006
Some possible ways to encrypt and store connection strings in an ADO.NET application.


Introduction

Part of securing an ADO.NET application involves ensuring that highly sensitive information (such as the user name, password, connection string, and encryption keys) is not stored in a readable or easily decodable format. Storing sensitive information in a non-readable format improves the security of applications by making it difficult for an attacker to gain access to the sensitive information, even if an attacker gains access to the storage location.

This article describes some possible ways to encrypt and store the connection string in an ADO.NET application:

  1. The connection string is stored in the encrypted connectionStrings configuration section of the app.config file.
  2. The encrypted connection string is stored in a separate XML file.
  3. The encrypted connection string is stored in the Windows registry.

The Program

To encrypt and store a connection string, enter values for its parameters in the property grid, select the encrypting-storing method by checking the appropriate radio button, and click the Encrypt-Store button. The GetConnectionString function constructs the connection string, which is then encrypted and stored in the corresponding storage location. As an example, we have considered a SQL connection string; you can change the connection string parameters displayed in the property grid, as well as the connection string type (depending on your database type), by making the appropriate changes in the DataBaseParametrs class and using the corresponding ConnectionStringBuilder class. If you reset the property grid (using the "Reset PropertyGrid" button) and then click the Retrieve-Decrypt button, the program retrieves the stored connection string from the storage location, decrypts it, and displays the corresponding parameter values in the property grid.

In the first and second cases, the connection string is stored in an XML document. So, we use the classes in the System.Security.Cryptography.Xml namespace to encrypt and decrypt the connection string element within the XML document. The Encrypt_Decrypt class encrypts an XML element using two keys. It generates an RSA public/private key pair, and saves the key pair to a secure key container “MyKeyConteiner”. Then, it creates a separate session key using the Advanced Encryption Standard (AES) algorithm, also called the Rijndael algorithm. Encrypt_Decrypt uses the AES session key to encrypt the XML document, and then uses the RSA public key to encrypt the AES session key. Finally, it saves the encrypted AES session key and the encrypted XML data to the XML document within a new <EncryptedData> element.

To decrypt the XML element, we retrieve the RSA private key from the key container, use it to decrypt the session key, and then use the session key to decrypt the document.
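The encrypt and decrypt steps described above, as an added example that is not the article's Encrypt_Decrypt class or code from its download. It assumes .NET Framework 3.5 or later on Windows with a reference to System.Security.dll; the container name, key name, element name and sample document are hypothetical, and it uses OAEP padding for the RSA key wrap.

```vb
Imports System
Imports System.Security.Cryptography
Imports System.Security.Cryptography.Xml   ' needs a reference to System.Security.dll
Imports System.Xml
Module XmlHybridEncryptionExample
    ' Hypothetical names for this example, not taken from the article's download.
    Private Const ContainerName As String = "ExampleKeyContainer"
    Private Const KeyName As String = "rsaKey"

    Sub Encrypt(ByVal doc As XmlDocument, ByVal tag As String, ByVal rsaKey As RSA)
        Dim target As XmlElement = DirectCast(doc.GetElementsByTagName(tag)(0), XmlElement)
        Using sessionKey As Aes = Aes.Create()   ' fresh AES session key for this document
            sessionKey.KeySize = 256
            Dim exml As New EncryptedXml()
            Dim ed As New EncryptedData()
            ed.Type = EncryptedXml.XmlEncElementUrl
            ed.EncryptionMethod = New EncryptionMethod(EncryptedXml.XmlEncAES256Url)
            ed.CipherData.CipherValue = exml.EncryptData(target, sessionKey, False)
            ' Wrap the session key with the RSA public key, using OAEP padding.
            Dim ek As New EncryptedKey()
            ek.EncryptionMethod = New EncryptionMethod(EncryptedXml.XmlEncRSAOAEPUrl)
            ek.CipherData = New CipherData(EncryptedXml.EncryptKey(sessionKey.Key, rsaKey, True))
            Dim keyNameClause As New KeyInfoName()
            keyNameClause.Value = KeyName
            ek.KeyInfo.AddClause(keyNameClause)
            ed.KeyInfo.AddClause(New KeyInfoEncryptedKey(ek))
            ' Swap the plaintext element for the <EncryptedData> element.
            EncryptedXml.ReplaceElement(target, ed, False)
        End Using
    End Sub

    Sub Decrypt(ByVal doc As XmlDocument, ByVal rsaKey As RSA)
        Dim exml As New EncryptedXml(doc)
        exml.AddKeyNameMapping(KeyName, rsaKey)   ' maps the <KeyName> value to the RSA private key
        exml.DecryptDocument()                    ' unwraps the session key, then restores the element
    End Sub

    Sub Main()
        Dim doc As New XmlDocument()
        ' Constructed sample document and connection string.
        doc.LoadXml("<settings><connectionString>Data Source=db01;Initial Catalog=Sales;Integrated Security=True</connectionString></settings>")
        Dim csp As New CspParameters()
        csp.KeyContainerName = ContainerName      ' the key pair is created once and persists here
        Using rsaKey As New RSACryptoServiceProvider(2048, csp)
            Encrypt(doc, "connectionString", rsaKey)
            Console.WriteLine(doc.OuterXml)                    ' show the encrypted document
            Decrypt(doc, rsaKey)
            Console.WriteLine(doc.DocumentElement.InnerText)   ' show the recovered value
        End Using
    End Sub
End Module
```

Because the RSA private key sits in a per-user key container, the encrypted file is only as well protected as that Windows account: any code running as the same user can open the container by name and decrypt.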

In the third case, we use a Triple DES encryption method by Tony Selke (found here) to encrypt and decrypt the connection string.

Using the code

Select the encrypting-storing method of your choice. For the first method, use the EncryptSaveInConfig and RetrieveDecryptFromConfig procedures from the program source, which you can download from above. For the second, use the EncryptSaveInXML and RetrieveDecryptFromXML procedures, and for the last, the EncryptSaveInRegistry and RetrieveDecryptFromRegistry procedures. In the last case, don’t forget to change Private ReadOnly key() and Private ReadOnly iv() in the DES region (for full security), and to set your own ProgramName parameter.

Notes

I tested this project under VS.NET 2005 and Windows XP SP2.

Contact me

You can contact me by email: levmid@hotmail.com or levmid@yahoo.com.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.



Written By
Web Developer
Georgia
Lecturer in Gori University (Georgia)

Comments and Discussions

 
News: Two other related encryption articles in CodeProject ...
Tony Selke, 27-Sep-07 6:57

General: Other ways to do this:
robrich, 25-Aug-06 6:41

General: Nothing new here
Not Active, 25-Aug-06 6:11
There is nothing new here. You have just reformatted text and samples that are available elsewhere and have been covered in depth.

only two letters away from being an asset

General: Nice but... [modified]
Steve Maier, 25-Aug-06 5:12

General: Re: Nice but...
slybitz, 30-Nov-07 7:49
