Question Security for DB Connection

[iceregent]

Hello. I am almost entirely brand new to VB, and I have a currently running website, which I am trying to write a site specific application for. However, upon consideration of it, and realizing that I need to use my DB connection string somehow, how secure is it to hard code a connection string into an app that would be used by my registered users? What is the best way to connect to my database with the app, firstly, to verify username and pass, and then to utilize my DB info in my tables? I am concerned about security, especially since I have been taking college course in Fundamentals of Network Security. The class hasn't covered how to do such things, of course.

I am sure others have utilized web enabled apps to connect to their online databases. What are the methods used etc? I have a php driven website using MySql as the database. I can write php code and know a fair amount about the query language, but am new to using VB to create apps to run in conjunction with the website. I am wondering if maybe creating a JAVA app would be smarter for security purposes?

Thanks in advance for the help!

Ice

 

[jmcilhinney]

.NET web sites should store there connection strings in the web.config file and then encrypt them if necessary.

Protecting Connection Information (ADO.NET)

 

[picoflop]

@J:
Since he says, that he has a PHP website and MySQL, it's more likely that he means "an app that accesses a database via internet".
I might be wrong though.

If not:
Since username and password is needed to connect to a MySQL database, there are probably only two possible solutions:
- create a mysql user that has limited rights (dropping tables or databases usually is not neccessary for example)
- create a php-wrapper that is called by the app and that only allows certain operations.

 

[jmcilhinney]

@J:
Since he says, that he has a PHP website and MySQL, it's more likely that he means "an app that accesses a database via internet".
I might be wrong though.

You might also be right, but you use pretty much the same method to encrypt WinForms application config files as you do for web config files. The difference is that you do the encryption in code instead of using the aspnet_regiis utility.

[ame=http://www.vbforums.com/showthread.php?t=532768]Protected Configuration (Encrypting Config Files)[/ame]

 

[picoflop]

, but you use pretty much the same method to encrypt WinForms application config files as you do for web config files.Protected Configuration (Encrypting Config Files)

That's probably the part I never understood (encrypting config).

I write an app with data access. I encrypt the config file which contains the key (iirc the "wizard" already offers this).
I give the app to my friend who installs on his machine.
How can he access the encrypted config file?

May be I miss something, but the only way to use the config file, would be to decrypt it. For decrpytion you need a key which the other has to have. So now we are back to the beginning. Somebody else has a password, but I don't want him to have it ...

 

[jmcilhinney]

That's probably the part I never understood (encrypting config).

I write an app with data access. I encrypt the config file which contains the key (iirc the "wizard" already offers this).
I give the app to my friend who installs on his machine.
How can he access the encrypted config file?

May be I miss something, but the only way to use the config file, would be to decrypt it. For decrpytion you need a key which the other has to have. So now we are back to the beginning. Somebody else has a password, but I don't want him to have it ...

You don't decrypt the config file. The data is decrypted on the fly by the Framework. As far as encrypting the file goes, you have two choices:

1. Encrypt it as part of the installation process using a custom action.
2. Use RSA encryption and deploy the key file with the app.

I don't know all the details of option number 2 because I've never done it but I have read about it and you can too if you care to.

 

[picoflop]

I am not a big crypto expert (have some experience, but only scratching the surface), but as far as I know, whenever something needs to be decrpyted, there must be a key.
I the framework "decrypts on the fly" there must be a key somewhere on that machine. How does it get there? If the framework can use it, why nobody else can use it.

Same with RSA: The "trick" with assymetric encryption is just that you have a key for encrypting and another one for decrypting. Doesn't solve the problem that you can not have a secret if someone knows the dec key. Only solves the problem that nobody could fake to be the "encryptor" of something.

Reading this:
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
I get the idea, that encrpyting the config file and deploying the app only works if you deploy inside one domain. But it's something completely different if you deploy to some "far away" machine.

By default, the ASP.NET applications run under the NT AUTHORITY\Network Service account. When you access encrypted configuration sections using DPAPI with the user store, make sure that your application is running with the same user identity as the account you used to encrypt the data.

How can I access with the same identity if I'm on a completely different computer. With different user, passwords, etc. Even if user and password would match, the "unique" id would still be different.

 

[jmcilhinney]

How can I access with the same identity if I'm on a completely different computer.

There seems to be an epidemic of people simply not reading what I'm posting these days. You're NOT encrypting on a different computer. If you're using DPAPI then you're encrypting on the same computer:

Encrypt it as part of the installation process using a custom action.

If you want to encrypt on your development system and deploy the pre-encrypted config file then you use RSA.

 

[picoflop]

You're NOT encrypting on a different computer. If you're using DPAPI then you're encrypting on the same computer:

You can't talk to me, because I never postulated that ENC is needed on the "customer" machine. The workflow (of course) is: ENC on "developer" machine and DEC on customer machine.

deploy the pre-encrypted config file then you use RSA

Let's stick to this scenario, because I dont have problems to understand that you can protect something on "your" computer (or domain, or maybe intranet).
I dont think that we need to mention that "RSA" is not some mystical thingie, but simply an asymmetric crypto algo. As all (reversible) crypto algos, it needs a plaintext key (with plaintext not meaning something that is necessarily human readable) to decrypt something. And now again we are back to step 1. I need to provide a password/key to somebody to share a secret (connectionstring), but the problem is, I want to share it not with the "person" but only with the "app" that this person executes. And this is as far as I can say, more or less impossible. It might help against a peeping Tom, Dick or Harry, but will hardly block Igor - because he knows the algo and has the key.

BTW: All sources from MS that refer to RSA and app.config - which I found - usually refer to deploy scenarios to a web server. In this scenario the web-server itself is a trusted "person".

At he moment when you export your (public) key and give it to a certain user, you make this user a "trusted" one. But the problem (in the first post) is: In the given scenario the user is NOT trusted. He should be allowed to "use" the connection string, but should be prevented from "seeing" it. And that - imo - simply is not possible (in the given scenario of a totally unrelated "customer" machine that runs our app)