Introduction
Part of securing an ADO.NET application involves ensuring that highly sensitive information (such as the user name, password, connection string, and encryption keys) is not stored in a readable or easily decodable format. Storing sensitive information in a non-readable format improves the security of applications by making it difficult for an attacker to gain access to the sensitive information, even if an attacker gains access to the storage location.
This article describes some possible ways to encrypt and store the connection string in an ADO.NET application:
- The connection string is stored in the encrypted connectionStrings configuration section of the app.config file.
- The encrypted connection string is stored in a separate XML file.
- The encrypted connection string is stored in the Windows registry.
The Program
To encrypt and store a connection string, enter values for its parameters in the property grid, select the encrypting-storing method by checking the appropriate radio button, and click the Encrypt-Store button. The GetConnectionString function constructs the connection string, which is then encrypted and stored in the corresponding storage location. As an example, we have considered a SQL connection string; you can change the connection string parameters displayed in the property grid, as well as the connection string type (depending on your database type), by making the appropriate changes in the DataBaseParametrs class and using the corresponding ConnectionStringBuilder class. If you reset the property grid (using the "Reset PropertyGrid" button) and then click the Retrieve-Decrypt button, the program retrieves the stored connection string from the storage location, decrypts it, and displays the corresponding parameter values in the property grid.
In the first and second cases, the connection string is stored in an XML document, so we use the classes in the System.Security.Cryptography.Xml namespace to encrypt and decrypt the connection string element within the XML document. The Encrypt_Decrypt class encrypts an XML element using two keys. It generates an RSA public/private key pair and saves the key pair to a secure key container, "MyKeyConteiner". Then it creates a separate session key using the Advanced Encryption Standard (AES) algorithm, also called the Rijndael algorithm. Encrypt_Decrypt uses the AES session key to encrypt the XML document, and then uses the RSA public key to encrypt the AES session key. Finally, it saves the encrypted AES session key and the encrypted XML data to the XML document within a new <EncryptedData> element.
To decrypt the XML element, we retrieve the RSA private key from the key container, use it to decrypt the session key, and then use the session key to decrypt the document.
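The procedure described above, as an added C# example that is not the article's VB.NET project code: it encrypts the connectionStrings element of a config-style document with an AES session key, wraps that session key with an RSA key pair kept in a named CSP key container, writes the result into an EncryptedData element, and decrypts it again. The container name (ExampleKeyContainer), the key name, the element id and the sample document are all assumptions made for this example; the article's project uses its own names.

```csharp
// Added example (C#), not the article's VB.NET project. Encrypts the
// <connectionStrings> element of a config-style XML document with an AES
// session key, wraps that key with an RSA key held in a named CSP key
// container, and decrypts it again. All names below are assumed.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class ConnectionStringProtector
{
    // Assumed names; the article's project uses its own container name.
    const string KeyContainerName = "ExampleKeyContainer";
    const string KeyName = "rsaKey";
    const string EncryptedElementId = "EncryptedConnStrings";

    // Opens (or creates on first use) a persistent RSA key pair in the
    // current user's CSP key store, so the private key is never written
    // into the application's own files. Windows-only API.
    static RSACryptoServiceProvider OpenRsaKey()
    {
        var csp = new CspParameters { KeyContainerName = KeyContainerName };
        return new RSACryptoServiceProvider(csp);
    }

    public static void EncryptElement(XmlDocument doc, string elementName, RSA rsa)
    {
        var target = doc.GetElementsByTagName(elementName)[0] as XmlElement;
        if (target == null)
            throw new ArgumentException("element not found: " + elementName);

        // .NET Framework 2.0 only has RijndaelManaged; Aes.Create() is the modern equivalent.
        using (Aes sessionKey = Aes.Create())
        {
            sessionKey.KeySize = 256;
            var exml = new EncryptedXml();
            byte[] cipherText = exml.EncryptData(target, sessionKey, false);

            var encryptedData = new EncryptedData
            {
                Type = EncryptedXml.XmlEncElementUrl,
                Id = EncryptedElementId,
                EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url)
            };

            // Wrap the AES key with RSA-OAEP (useOAEP: true) rather than PKCS#1 v1.5.
            var encryptedKey = new EncryptedKey
            {
                CipherData = new CipherData(EncryptedXml.EncryptKey(sessionKey.Key, rsa, true)),
                EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSAOAEPUrl)
            };
            encryptedKey.AddReference(new DataReference { Uri = "#" + EncryptedElementId });
            // <KeyName> tells the decrypting side which RSA key to look up.
            encryptedKey.KeyInfo.AddClause(new KeyInfoName { Value = KeyName });

            encryptedData.KeyInfo.AddClause(new KeyInfoEncryptedKey(encryptedKey));
            encryptedData.CipherData.CipherValue = cipherText;

            // Replace the plaintext element with <EncryptedData> in place.
            EncryptedXml.ReplaceElement(target, encryptedData, false);
        }
    }

    public static void DecryptDocument(XmlDocument doc, RSA rsa)
    {
        var exml = new EncryptedXml(doc);
        exml.AddKeyNameMapping(KeyName, rsa);  // maps <KeyName>rsaKey</KeyName> to the private key
        exml.DecryptDocument();                // unwraps the session key and restores the element
    }

    public static void Main()
    {
        // Constructed sample document standing in for app.config; the password is a placeholder.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(
            "<configuration>" +
            "<connectionStrings>" +
            "<add name=\"Main\" connectionString=\"Data Source=.;Initial Catalog=Example;User ID=app;Password=placeholder\"/>" +
            "</connectionStrings>" +
            "</configuration>");

        using (RSACryptoServiceProvider rsa = OpenRsaKey())
        {
            EncryptElement(doc, "connectionStrings", rsa);
            Console.WriteLine(doc.OuterXml);   // <EncryptedData ...> now stands where <connectionStrings> was
            DecryptDocument(doc, rsa);
            Console.WriteLine(doc.OuterXml);   // original element restored
        }
    }
}
```

Passing true to EncryptKey selects RSA-OAEP key wrapping (XmlEncRSAOAEPUrl) instead of the PKCS#1 v1.5 form; DecryptDocument reads the algorithm from the EncryptedKey element and unwraps accordingly. XML Encryption's AES-CBC mode carries no integrity check, so a tampered EncryptedData element is noticed only when the decrypted content fails to parse, which is why the key container and the file should both be protected by file-system permissions. For the app.config case specifically, the framework also offers ConfigurationSection.SectionInformation.ProtectSection, which encrypts the connectionStrings section with a built-in protected-configuration provider and needs no custom cryptographic code.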
In the third case, we use a Triple DES encryption method by Tony Selke (found here) to encrypt and decrypt the connection string.
Using the code
Select the encrypting-storing method of your choice. If it is the first one, use the EncryptSaveInConfig and RetrieveDecryptFromConfig procedures from the program source, which you can download from above. In the second case, use the EncryptSaveInXML and RetrieveDecryptFromXML procedures, and in the last case the EncryptSaveInRegistry and RetrieveDecryptFromRegistry procedures. Don't forget to change Private ReadOnly key() and Private ReadOnly iv() in the DES region (for full security), and also to set your own ProgramName parameter in this case.
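The registry case, as an added C# example that is not the article's code and that swaps in a different protection mechanism: instead of the article's Triple DES routine with a key and IV compiled into the DES region, it uses Windows DPAPI (ProtectedData), so no key material is present in the program at all, and stores the result as a binary value under HKEY_CURRENT_USER. The program name, value name and entropy string are assumptions for this example (ProgramName plays the role of the article's ProgramName parameter); the sample connection string and its password are constructed placeholders.

```csharp
// Added example (C#), not the article's code. Stores the connection string
// under HKCU using DPAPI (ProtectedData) instead of the article's Triple DES
// routine, so no key or IV has to be compiled into the program. Windows-only.
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

public static class RegistryConnectionStringStore
{
    // Assumed values; ProgramName corresponds to the article's ProgramName parameter.
    const string ProgramName = "ExampleApp";
    const string ValueName = "ConnectionString";
    static readonly string SubKeyPath = @"Software\" + ProgramName;

    // Optional entropy binds the blob to this application: another process
    // running as the same user cannot unprotect it without the same bytes.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp-connstr-v1");

    public static void Store(string connectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        Array.Clear(plain, 0, plain.Length);   // do not leave the plaintext copy around
        using (RegistryKey key = Registry.CurrentUser.CreateSubKey(SubKeyPath))
        {
            key.SetValue(ValueName, blob, RegistryValueKind.Binary);
        }
    }

    // Returns null when nothing has been stored yet.
    public static string Retrieve()
    {
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(SubKeyPath))
        {
            byte[] blob = key == null ? null : key.GetValue(ValueName) as byte[];
            if (blob == null) return null;
            // Unprotect throws CryptographicException if the blob was altered
            // or is read by a different Windows account.
            byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
            try { return Encoding.UTF8.GetString(plain); }
            finally { Array.Clear(plain, 0, plain.Length); }
        }
    }

    public static void Main()
    {
        // Constructed sample; the password is a placeholder.
        string original = "Data Source=.;Initial Catalog=Example;User ID=app;Password=placeholder";
        Store(original);
        string roundTrip = Retrieve();
        Console.WriteLine(roundTrip == original ? "round trip OK" : "MISMATCH");
    }
}
```

A key and IV embedded in the assembly can be read back out of it by anyone who can read the file, which is why the article asks you to change the defaults; DPAPI instead derives its key from the Windows user's logon secret, so there is nothing in the binary to recover. DataProtectionScope.CurrentUser limits decryption to the same Windows account; DataProtectionScope.LocalMachine lets any process on the machine that knows the entropy decrypt, which is weaker but necessary when the application runs as a service under a different account. ProtectedData lives in System.Security.dll on .NET Framework and in the System.Security.Cryptography.ProtectedData package on modern .NET.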
Notes
I tested this project under VS.NET 2005 and Windows XP SP2.
Contact me
You can contact me by email: levmid@hotmail.com or levmid@yahoo.com.