1

I understand there are a lot of ways of encrypting an SQLConnection string so you can use it inside a VB.NET program to be able to connect to the SQL database without your connection string easily being read by people who disassembler/decompile the .exe itself.

I know this post: encrypt SQL connectionstring c#

talks about two main ways which are: Configuration Secure Section and also Enterprise Library Data Access Application Block

Now I have adapted the Configuration Secure Section where I have my connection string encrypted inside a app.config file which my program can decrypt to get the connection string. I know that this can only be decrypted on the same computer that it was encrypted on, which isn't an issue.

My question though is how are these methods effective? Doesn't someone just have to create a program on that computer that just uses the same practice to decrypt?

Even if I use Hashing and MD5 encryption or stuff like this, the decryption method is still inside my program that can be extracted from a Decompiler/Disassembler.

Is the only way for me to really protect my data is purchase some type of obfuscator and use that on my encryption/decryption code and hope for the best? or anyone know the best way?

What I have done is created a program that requires a username and password to login and then be able to perform SQL queries based off information that exists in the same database. I can't use a website, it has to be done through a .NET program. This program is given out to a lot of my customers across the US. This means I really need some security behind this.

Improve this question
2
  • If the PC can decrypt then it can be hacked. But you can make it hard to hack. Not the question but the more secure approach is to use WFC to communicate with a service and only the service connects to the DB. Commented Sep 5, 2012 at 18:37
  • Can you provide an exam of what you mean by having WFC communicate with a service etc? This way I can at least have a good starting point to research it. Commented Sep 5, 2012 at 18:39

3 Answers 3

Reset to default
2

The truly safe way to do this is to not connect to SQL directly at all...

Create an API/Webservice/Similar on the internet which talks to the database. Your client can then authenticate to the API and make requests.

This gives you a number of advantages:

  • The client never knows the connection string
  • You can guarantee that the code modifying your data is under your control and unmodified
  • You can provide far finer-grained permissions based on users and roles
  • Decompiling/reverse engineering won't reveal anything sensitive as long as you write your code well (Use the built-in authentication mechanisms, don't roll your own)
  • Should you ever need to move SQL server, you don't need to worry about maintaining DNS entries/etc, you can just update the connection string in your API

(Just noticed @Blam mentioned this in comments on the OP).

So, to give more detail...

Take the Business-logic (or equivalent layer) and expose the methods through a webservice. as Blam suggested, WCF is a great place to start. This allows you to enforce the business logic and manage all changes to the database in code.

Have a look here and here for help getting started with WCF

Improve this answer
Sign up to request clarification or add additional context in comments.

8 Comments

There's no real way to avoid not being able to directly connect to SQL. On top of having to connect to SQL, the program also has to be able to connect to an FTP to download and upload files as well. I know that having everything web-based is the way to go, but I have to have it software based. To make it pure web-based to have it automatically upload/download files is no easy task and can take weeks to create. Not to mention, I never found any real way of scanning a persons computer for files to be uploaded without having ActiveX enabled. Which I have no clue how to go about doing all anyways.
continued... I have no idea how to use ActiveX through ASP.NET to download/upload multiple files since having progress bars and everything tied into it has caused me problems in the past.
You wouldn't want to use ActiveX - It's old, only works in limited browsers and still has more security issues than you can shake a stick at. This is a cross-browser compatible one that works with jQuery. It supports multiple files, progress bars and drag-n-drop (on later browsers) but I understand this can be a large architectural change. Of course, if you're uploading a file from the client, you know how big it is and how much you've sent already...
... I would suggest that for future projects, you consider the security implications on day one as doing it later on can force unwarranted compromises. Is the client on the same network (LAN) as the server? Do you have a common authentication mechanism which can be used by both SQL and the client like AD/X500/???
Can't find anything on that jQuery example that says it can be used in ASP.NET. Here's the thing. I can't just have them select the files that need to be uploaded and then manually upload them. It has to be able to automatically upload all files from X directory to X directory listed on the webserver itself.. ahh just seems like a big headache when i gotta get into stuff thats pure web based. I think i just need to look into the WCF? I really would love to just use .NET in general, but apparently need to change to something else.
|
1

Service has been answered but I will try and add some new value.

A WCF Service is typically hosted in IIS but you keep your client in VB.

In VB today you probably use user input to specify a query. Run the query on SQL. Then use the results to build a List of data or business objects.

With WFC you can call methods on the Service. Everything behind MyService is hidden from the user PC.

List<busObs> myBusObjs = MyService.GetBusObj(string userCriteria);

A Developer's Introduction to Windows Communication Foundation 4

This would be called a 3 tier application.

Another benefit is maintenance. You can update the web service layer with out updating the PCs.

Another benefit is protection of your intellectual property. Like I work on an application where where we have some proprietary algorithms that are hidden behind the WCF Service. Since the client is just a UI layer someone could reverse engineer the client but they would not get any of our good stuff.

Improve this answer

3 Comments

Even with WFC being used can't they just use a packet sniffer and get the service connection information and all information passed from the service to the VB Client anyways? so if i tried to pass FTP upload information or anything like that, they could just see it clear as day?
Matt the stated questions is secure the connections string. The SQL connection string is NOT passed. And you can encrypt the communications using HTTPS. If this is a question about FTP upload then I suggest you start another question.
I just figured FTP Upload information and SQL connection string is same difference. I see where you are coming from though. So apparently I just need to read up on how to do WFC type of setup using HTTPS
0

One other solution is to handle all your data access via stored procedures - using the SQL database's built-in security and permissions to limit the users of the application to the data processes they can do in your app and protecting your underlying data.

Effectively, the stored procedures represent a data API for your application - although a full blown web service / API allows you more flexibility in the long term to change your servers, etc.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.