Security in Windows Forms apps


Guest

I have tried multiple methods of encrypting the connection string. Everyone
has made it sound easy.

I have encrypted the connection string in the app.config file, code behind,
etc.

Basically try this test.

Create a new app and just add a connection string. Add whatever encryption
that you would like to use. Build the app. Go to the app's bin directory and
rename the exe to .txt. So it will now be app.txt. Open up in notepad, go
to the bottom of the file. You will see your connection string in text all
nice and pretty.

Not secure. Same thing works in vb6.
 

Guest

The quick solution to this problem is to use an obfuscator. Visual Studio 2003
and 2005 come with a lite version.

Now I am going to spend a little time in regards to cracking the Obfuscator
and see if it will work.
 

Noah Sham

T3Logic,

You need to ensure that you're not setting these values at design time. If
you have set the connection string at design time in the IDE then those
strings will be in the compiled application.
 

Guest

I did it both ways,

Design and programmatically.

From the looks of things if you don't use an obfuscator all literal strings
are printed out in the exe.

SqlConnection con = new SqlConnection(Properties.Settings.Default.MyConnectionString.ToString());

This is how I did it programmatically in the app:

SqlConnection con = new SqlConnection("Data Source=MySQLDatabase;Initial Catalog=TestDatabase;Persist Security Info=True;User ID='myTestUser';Password=u2IC(~8xE%>82qP7J#");

It printed out my sql connection....

For all I know I might have a setting turned off or not on in vs2005 I will
keep checking but obfuscator seems the only thing that encrypts it.

On another note since this is an internal app I am not too worried about it
but if I ever decide to distribute a database app it's going to use web
services....
 

rossum

> I have tried multiple methods of encrypting the connection string. Everyone
> has made it sound easy.
>
> I have encrypted the connection string in the app.config file, code behind,
> etc.
>
> Basically try this test.
>
> Create a new app and just add a connection string. Add whatever encryption
> that you would like to use. Build the app. Go to the app's bin directory and
> rename the exe to .txt. So it will now be app.txt. Open up in notepad, go
> to the bottom of the file. You will see your connection string in text all
> nice and pretty.
>
> Not secure. Same thing works in vb6.

One answer is not to put the plaintext of your connection string into
your source, put an encrypted version into the source, and decrypt it
when you need it at runtime. Because you are only decrypting at
runtime, the decrypted text will not appear in the .exe file.

e.g:

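using System;
using System.Text;

class Program {
    // Ciphertext stored in the source; the plaintext is only produced at runtime.
    static string cypherPassword = "not this";

    static string Decrypt(string cyphertext) {
        byte[] key = {0x1D, 0x1E, 0x01, 0x49,
                      0x06, 0x1A, 0x0C, 0x1E };
        byte[] bytes = Encoding.UTF8.GetBytes(cyphertext);
        // XOR each byte with the matching key byte (the key repeats if the text is longer).
        for (int i = 0; i < bytes.Length; ++i) {
            bytes[i] ^= key[i % key.Length];
        }
        return Encoding.UTF8.GetString(bytes);
    }

    static void Main() {
        Console.WriteLine("The secret password is: {0}",
            Decrypt(cypherPassword));
    }
}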

Using an XOR encryption, as I have done here, allows you to pick a
deceptive string for the cyphertext if you want to.

Obfuscation will not hide the sourcecode key from anything more than a
casual examination. Depending on how secure you want it to be you
could put the decryption key in a database or in a separate file so it
does not form part of the source code at all. How much security you
want depends on if you are trying to hide things from Aunt Edna or
from Nasty Megacorp Inc, with lots of money and people to throw at it.

rossum
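
The rename-and-open-in-Notepad test from this thread, written as a repeatable check over build output. This is an added example, not code from any poster: the sample bytes, `CONN` and all function names are constructed for illustration, and the XOR key is the one from rossum's post.

```python
import re

MIN_LEN = 6
# .NET keeps string literals as UTF-16LE and attribute arguments as UTF-8,
# so a check that only looks for ASCII text misses literals in code.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# Connection-string credential keywords followed by a value.
SECRET = re.compile(r"(?i)\b(?:password|pwd)\s*=\s*[^;]+")

def printable_strings(blob):
    """Yield (offset, encoding, text) for each printable run in the bytes."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")

def find_embedded_credentials(blob):
    """Return every printable run that contains 'Password=<value>'."""
    return [hit for hit in printable_strings(blob) if SECRET.search(hit[2])]

# --- constructed sample data (not from a real build) ---
CONN = "Data Source=db;User ID=app;Password=EXAMPLE-ONLY"
KEY = bytes([0x1D, 0x1E, 0x01, 0x49, 0x06, 0x1A, 0x0C, 0x1E])  # key from the post

def xor(data, key=KEY):
    """XOR the data with a repeating key (same operation both directions)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def fake_exe(payload):
    """Stand-in for a compiled file: stub header, payload, zero padding."""
    return b"MZ\x90\x00" + b"\x00" * 16 + payload + b"\x00" * 16

LITERAL_BUILD = fake_exe(CONN.encode("utf-16-le"))  # plain string literal
SETTING_BUILD = fake_exe(CONN.encode("utf-8"))      # UTF-8 copy, as in an attribute
XOR_BUILD = fake_exe(xor(CONN.encode()).decode("latin-1").encode("utf-16-le"))

if __name__ == "__main__":
    for name, blob in [("literal", LITERAL_BUILD), ("setting", SETTING_BUILD),
                       ("xor", XOR_BUILD)]:
        hits = find_embedded_credentials(blob)
        print(name, "FAIL" if hits else "clean", hits)
```

A clean result for the XOR build only shows that the literal is no longer readable as text; the key still ships in the same file, which is the limitation rossum describes.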
 
