Securing ADO.NET Connection Strings

Aug 25, 2006

Some possible ways to encrypt and store connection strings in an ADO.NET application.

Introduction

Part of securing an ADO.NET application involves ensuring that highly sensitive information (such as the user name, password, connection string, and encryption keys) is not stored in a readable or easily decodable format. Storing sensitive information in a non-readable format improves the security of applications by making it difficult for an attacker to gain access to the sensitive information, even if an attacker gains access to the storage location.

This article describes three ways to encrypt and store the connection string in an ADO.NET application:

  1. The connection string is stored in the encrypted connectionStrings configuration section of the app.config file.
  2. The encrypted connection string is stored in a separate XML file.
  3. The encrypted connection string is stored in the Windows registry.

The Program

To encrypt and store a connection string, enter values for its parameters in the property grid, select the encrypting-storing method by checking the appropriate radio button, and click the Encrypt-Store button. The GetConnectionString function constructs the connection string, which is then encrypted and stored in the corresponding storage location.

As an example, we have considered a SQL connection string. You can change the connection string parameters displayed in the property grid, as well as the connection string type (depending on your database type), by making the appropriate changes in the DataBaseParametrs class and using the corresponding ConnectionStringBuilder class.

If you reset the property grid (using the "Reset PropertyGrid" button) and then click the Retrieve-Decrypt button, the program retrieves the stored connection string from the storage location, decrypts it, and displays the corresponding parameter values in the property grid.

In the first and second cases, the connection string is stored in an XML document. So, we use the classes in the System.Security.Cryptography.Xml namespace to encrypt and decrypt the connection string element within the XML document. The Encrypt_Decrypt class encrypts an XML element using two keys. It generates an RSA public/private key pair, and saves the key pair to a secure key container “MyKeyConteiner”. Then, it creates a separate session key using the Advanced Encryption Standard (AES) algorithm, also called the Rijndael algorithm. Encrypt_Decrypt uses the AES session key to encrypt the XML document, and then uses the RSA public key to encrypt the AES session key. Finally, it saves the encrypted AES session key and the encrypted XML data to the XML document within a new <EncryptedData> element.

To decrypt the XML element, we retrieve the RSA private key from the key container, use it to decrypt the session key, and then use the session key to decrypt the document.
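The two-key scheme described above, as an added VB.NET sketch (not the article's Encrypt_Decrypt class): an AES session key encrypts the element, the RSA key from the container wraps the session key, and decryption reverses both steps. It assumes Windows, a reference to System.Security.dll, and .NET Framework 3.5 or later for `Aes`; the `KeyName` label, the choice of OAEP padding, and the sample connection string are assumptions made for this example.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Security.Cryptography.Xml
Imports System.Xml

Module XmlConnStringDemo
    Const KeyName As String = "rsaKey" ' hypothetical <KeyName> label, not from the article
    ' The RSA pair lives in a CSP key container (Windows only) and is created on first use.
    Function OpenContainerKey() As RSACryptoServiceProvider
        Dim csp As New CspParameters() With {.KeyContainerName = "MyKeyConteiner"}
        Return New RSACryptoServiceProvider(csp)
    End Function

    Sub EncryptElement(doc As XmlDocument, tagName As String, rsa As RSA)
        Dim target As XmlElement = TryCast(doc.GetElementsByTagName(tagName)(0), XmlElement)
        If target Is Nothing Then Throw New XmlException("Element not found: " & tagName)
        Using session As Aes = Aes.Create()
            session.KeySize = 256
            Dim exml As New EncryptedXml()
            Dim cipher As Byte() = exml.EncryptData(target, session, False)
            ' Wrap the AES session key with the RSA public key (OAEP chosen for this example).
            Dim ek As New EncryptedKey()
            ek.CipherData = New CipherData(EncryptedXml.EncryptKey(session.Key, rsa, True))
            ek.EncryptionMethod = New EncryptionMethod(EncryptedXml.XmlEncRSAOAEPUrl)
            ek.KeyInfo.AddClause(New KeyInfoName() With {.Value = KeyName})
            Dim ed As New EncryptedData()
            ed.Type = EncryptedXml.XmlEncElementUrl
            ed.EncryptionMethod = New EncryptionMethod(EncryptedXml.XmlEncAES256Url)
            ed.KeyInfo.AddClause(New KeyInfoEncryptedKey(ek))
            ed.CipherData.CipherValue = cipher
            EncryptedXml.ReplaceElement(target, ed, False) ' plaintext element becomes <EncryptedData>
        End Using
    End Sub

    Sub DecryptDocument(doc As XmlDocument, rsa As RSA)
        Dim exml As New EncryptedXml(doc)
        exml.AddKeyNameMapping(KeyName, rsa) ' the private key unwraps the session key
        exml.DecryptDocument()
    End Sub

    Sub Main()
        Dim doc As New XmlDocument()
        doc.LoadXml("<configuration><connectionString>Data Source=.;Initial Catalog=Demo;Integrated Security=True</connectionString></configuration>") ' constructed sample
        Using rsa As RSACryptoServiceProvider = OpenContainerKey()
            EncryptElement(doc, "connectionString", rsa)
            Console.WriteLine(doc.OuterXml) ' connectionString is now an EncryptedData element
            DecryptDocument(doc, rsa)
            Console.WriteLine(doc.OuterXml) ' original element restored
        End Using
    End Sub
End Module
```

Only an account that can open the key container can decrypt, so the container's ACL, not the XML file, is what protects the connection string.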

In the third case, we use a Triple DES encryption method by Tony Selke (found here) to encrypt and decrypt the connection string.

Using the code

Select the encrypting-storing method of your choice. For the first method, use the EncryptSaveInConfig and RetrieveDecryptFromConfig procedures from the downloadable program source. For the second, use the EncryptSaveInXML and RetrieveDecryptFromXML procedures, and for the last, the EncryptSaveInRegistry and RetrieveDecryptFromRegistry procedures. In that last case, don’t forget to change Private ReadOnly key() and Private ReadOnly iv() in the DES region (for full security), and to set your own ProgramName parameter.

Notes

I tested this project under VS.NET 2005 and Windows XP SP2.

Contact me

You can contact me by email: levmid@hotmail.com or levmid@yahoo.com.
