
I'd like to begin a new project and one of the first problems I've figured out is the security of my mysql connection data.

I want to know if it's possible to configure the software to choose a database server; for that reason it's necessary to store the connection information (user, password, database name) in some kind of file (xml, bin, ...), but that's not really safe and could be viewed by everyone due to lack of encryption.

Is there an easy way to protect this sensitive information, or do I have to write my own encryption mechanism for that?

In case that I have to write my own one, is there a guideline to get it right?

vidit
Alex
    Also, when you say "viewed by everyone", that means everyone with logon access to the box, right? Once folks have logon access to the box, it's hard to secure ... – bryanmac May 14 '13 at 11:38
  • Don't store credentials in applications that are accessible to the user from the desktop. This means they can reverse engineer things to find them out fairly trivially. Instead, place your application behind a point of security that requires them to be logged in. Make it a set of services etc. – Jeff Watkins May 14 '13 at 11:53
  • Start here: http://msdn.microsoft.com/en-us/library/89211k9b(v=vs.80).aspx – Maarten May 14 '13 at 12:36

2 Answers


Connection strings in an application configuration are a very common scenario. Normally you save those values in a file called app.config or web.config.

Have a look at the MSDN help site.

The section you are looking for is called Encrypting Configuration File Sections Using Protected Configuration

nvoigt
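The following is an added example (not nvoigt's code) of the Protected Configuration approach that the linked MSDN section describes: a .NET Framework console application encrypts the `<connectionStrings>` section of its own app.config with the DPAPI provider that ships with .NET, then reads the connection string back through the normal configuration API. The connection string name `MyDb` and the file contents are assumed placeholders; the application needs a reference to `System.Configuration.dll`.

```csharp
using System;
using System.Configuration; // reference System.Configuration.dll

// Added example: encrypt the <connectionStrings> section of app.config in place.
// Assumes app.config contains something like
//   <connectionStrings>
//     <add name="MyDb" connectionString="Server=...;Uid=...;Pwd=...;Database=..." />
//   </connectionStrings>
// "MyDb" is a placeholder name used only for this demonstration.
class ProtectedConfigDemo
{
    // Provider shipped with .NET; uses Windows DPAPI, so no key material lives in the app.
    const string Provider = "DataProtectionConfigurationProvider";

    static void Main()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConnectionStringsSection section = config.ConnectionStrings;

        if (!section.SectionInformation.IsProtected)
        {
            // Rewrites the section on disk as <EncryptedData>; plaintext is gone from the file.
            section.SectionInformation.ProtectSection(Provider);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Full);
            Console.WriteLine("Encrypted connectionStrings in " + config.FilePath);
        }

        // Reading is unchanged: the framework decrypts the section transparently.
        string cs = section.ConnectionStrings["MyDb"].ConnectionString;
        Console.WriteLine("Loaded connection string of {0} characters.", cs.Length);
    }
}
```

Two points worth checking in a real deployment: the DPAPI provider is by default machine-scoped, so any process running on that machine can decrypt the section (which is the limit bryanmac's comment points at), and the file has to be writable by the account doing the initial `ProtectSection` call; on servers the same encryption is usually done once with the `aspnet_regiis -pe` tool rather than from application code.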

No, you don't need to write your own encryption for it; .NET already has encryption built in.

Simply use Rijndael (AES) encryption.

Import the namespace: using System.Security.Cryptography;

Then use the class: Rijndael Class

and take a look at this thread: How to generate Rijndael KEY and IV using a passphrase? to use the encryption properly/safely.

Example:

    using System.IO;
    using System.Security.Cryptography;

    // Encrypts clearText with AES (Rijndael) in the default CBC mode.
    // Key and IV must be generated properly; see the linked Stack Overflow thread.
    private static byte[] EncryptString(byte[] clearText, byte[] Key, byte[] IV)
    {
        using (MemoryStream ms = new MemoryStream())
        using (Rijndael alg = Rijndael.Create())
        {
            alg.Key = Key; // Look at the linked Stackoverflow thread
            alg.IV = IV;   // on how to create Key and IV
            using (CryptoStream cs = new CryptoStream(ms, alg.CreateEncryptor(), CryptoStreamMode.Write))
            {
                cs.Write(clearText, 0, clearText.Length);
                cs.FlushFinalBlock(); // writes the last padded block
            }
            byte[] encryptedData = ms.ToArray();
            return encryptedData;
        }
    }
jAC
  • Is this a "secure" (I know there is no secure at all) way to store this information in an open environment? Or still easy to break? How difficult would it be to break that encryption? – Alex May 14 '13 at 12:04
    AES is a very safe way to store data. Imho it's the state of the art in encryption. Of course the security depends on your password (key), if you use a weak password an attack with a dictionary may break your encryption. I used it in my projects, too. Your WiFi uses it, too. So it can't be bad at all. If you want to understand how AES works, take a look here: http://www.cs.bc.edu/~straubin/cs381-05/blockciphers/rijndael_ingles2004.swf A very good and animated explanation. – jAC May 14 '13 at 12:06
  • Which password do you mean? My database password (which is typically 64+ chars wide) or the Rijndael key (which is pregiven if I see it right)? – Alex May 14 '13 at 12:12
  • Your Rijndael password, with which you derive your byte[] (your values). It is not pregiven, you have to create a secure one (I used a password generator). I'll upload an example project. – jAC May 14 '13 at 12:17
    So here's the example project with random IV/Key based on the password: http://www.abouchleih.com/wp-content/uploads/EncryptDecrypt.zip – jAC May 14 '13 at 12:30
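As an added example (not jAC's code and not the linked project), here is the pattern the comments describe carried through: the AES key is derived from a passphrase with PBKDF2 (`Rfc2898DeriveBytes`) and a random salt, the IV is random per encryption, and salt and IV are stored in front of the ciphertext so that decryption can recover them. The passphrase, sample connection string, iteration count and output file name are constructed for this demonstration; in a real application the passphrase must come from outside the binary (a prompt, or a DPAPI-protected store), because a passphrase compiled into a desktop application is exactly the reverse-engineering problem Jeff Watkins' comment describes.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example: AES-256-CBC with key derived from a passphrase via PBKDF2.
// Blob layout on disk: salt (16 bytes) || IV (16 bytes) || ciphertext.
static class PassphraseAes
{
    const int SaltSize = 16;        // random salt stored with the ciphertext
    const int KeySize = 32;         // 256-bit AES key
    const int Iterations = 100000;  // PBKDF2 work factor (assumed value for this example)

    public static byte[] Encrypt(string plaintext, string passphrase)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);

        using (var aes = Aes.Create())
        using (var kdf = new Rfc2898DeriveBytes(passphrase, salt, Iterations))
        {
            aes.KeySize = 256;
            aes.Key = kdf.GetBytes(KeySize);
            aes.GenerateIV(); // fresh random IV per message; never derive the IV from the passphrase

            using (var ms = new MemoryStream())
            {
                ms.Write(salt, 0, salt.Length);
                ms.Write(aes.IV, 0, aes.IV.Length);
                using (var cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
                {
                    byte[] clear = Encoding.UTF8.GetBytes(plaintext);
                    cs.Write(clear, 0, clear.Length);
                } // disposing the CryptoStream writes the final padded block
                return ms.ToArray();
            }
        }
    }

    public static string Decrypt(byte[] blob, string passphrase)
    {
        using (var aes = Aes.Create())
        {
            int ivSize = aes.BlockSize / 8;
            if (blob.Length < SaltSize + ivSize)
                throw new CryptographicException("Encrypted blob is too short.");

            byte[] salt = new byte[SaltSize];
            byte[] iv = new byte[ivSize];
            Array.Copy(blob, 0, salt, 0, SaltSize);
            Array.Copy(blob, SaltSize, iv, 0, ivSize);

            using (var kdf = new Rfc2898DeriveBytes(passphrase, salt, Iterations))
            {
                aes.KeySize = 256;
                aes.Key = kdf.GetBytes(KeySize); // same salt + passphrase => same key
                aes.IV = iv;
                int offset = SaltSize + ivSize;
                using (var ms = new MemoryStream(blob, offset, blob.Length - offset))
                using (var cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Read))
                using (var reader = new StreamReader(cs, Encoding.UTF8))
                    return reader.ReadToEnd(); // wrong passphrase: CryptographicException (bad padding) or garbage
            }
        }
    }

    static void Main()
    {
        // Constructed sample values; a real passphrase must not be hard-coded like this.
        string passphrase = "correct horse battery staple";
        string connection = "Server=db.example.test;Uid=app;Pwd=s3cret;Database=shop";

        byte[] blob = Encrypt(connection, passphrase);
        File.WriteAllBytes("db.conf.enc", blob);

        string back = Decrypt(File.ReadAllBytes("db.conf.enc"), passphrase);
        Console.WriteLine(back == connection ? "round trip OK" : "MISMATCH");
    }
}
```

This gives confidentiality of the stored connection data, which is what the question asks for; it does not detect tampering with the file (CBC with PKCS#7 padding alone has no integrity check), so an HMAC over salt, IV and ciphertext, or an authenticated mode, would be the next addition for a file an attacker can write as well as read.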