Click here to Skip to main content
15,665,942 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
Hello, I am going to encrypt the connection string My DB so
We have almost specific encryption algorithms that do this, such as md5, aes and others

For example, if I encrypt this string containing of SQL Server connection with a key, for example @1234, with the AES algorithm in My c# Cod

In the my software I Should to register or save this key somewhere in my Application to DECOD encrypted string with this key

The main question is this :
If someone gets access to this key, they can easily unlock the encrypted string

I read somewhere that you can add something to the encrypted string with salt

But I didn't understand exactly how salt works, how it protects the encrypted string, and should I store this salt locally or not?

What I have tried:

how to use salt for protected encryption pass
Updated 9-Aug-22 17:51pm
PIEBALDconsult 9-Aug-22 21:49pm    
I see no reason to encrypt the connection string unless it contains a password -- and it should definitely _not_ contain a password.
With SQL Server, use Integrated Security.

There seems to be a bit of confusion.

MD5 is a cryptographic hashing algorithm, not an encryption algorithm. The difference is the result of a hash cannot be decrypted, or "un-hashed", back to the original content. Encryption can be decrypted to return the original content.

Salting is usually only appropriate for hashing operations, not encryption. The reason you salt the data you hash is because duplicate, unsalted data, will return the exact same hash value for each instance. For example, when used to hash passwords, users that the use exact same password will have the exact same hash value in the database, making it easier for an attacker to figure out what the password is. Salting the passwords with different salt data will result is different hash values for the same password, making it appear as though each user has a different password.
Share this answer
Encryption salts are just a mechanism to add some randomness to the encrypted string, it doesn't necessarily protect your password from being decrypted. The reason someone may choose to use a salt is because popular encryption methods (ie. MD5, SHA1) have large hash tables available to download (which is like a map saying "This MD5 string = this password"). If you didn't use a salt as part of the encryption then these hash tables could be used to brute-force a password. Adding the salt simply means that the result of the encryption shouldn't be the same as a value expected in a hash table.

All that being said, I'm going to go out on a limb and say that there's no real way to guarantee that someone won't manage to get the connection string anyway. In C#, it's extremely easy to decode a compiled C# application back to the original code. You can try obfuscating the code, but it's still breachable. Even if you stored some "salt" or "encryption key" somewhere hidden deep down on the computer, somebody would still find it.

If you really want to have your C# application connect to some sort of central database, consider instead building an accompanying web API, and have your C# application talk to the API to do it's operations (that way, you can safely store the database and database connection details on the API server, not exposed to users). You can manage people's permissions more effectively, and you can have finer-grain control over things like how long a user remains logged in, and can immediately grant or revoke function access.
Share this answer

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900