If the code is running on the client there is no way to effectively protect the secret. If the application (running in the security context of the user) can decrypt it, a user can too (write a little app or even just use the aspnet_regiis tool).
If you simply wanna "hide" stuff on the client this may be OK - but don't rely on it. Eliminating secrets (like moving to integrated auth) is much better than trying to obscure it (which won't work anyway given a skilled and/or motivated attacker).

cheers,
dominick

-----------------------------
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

-----Original Message-----
From: Discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Bryan Porter
Sent: Monday, 2 October 2006 20:53
To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
Subject: Re: [ADVANCED-DOTNET] SQL connection information - Encryption

You could always use the machine encryption key. If the connection info is user-specific, use the user encryption key. For more info, read up on encrypting configuration sections and the Data Protection API on MSDN. I'm assuming you're using .NET 2.0.

On Oct 2, 2006, at 1:48 PM, Sebastian Good wrote:

> Ah, but where do you store the encryption key? We have a similar
> system in our project, have discussed this one a great deal. You've
> taken a secret out of your XML file and put it into an encryption key.
> Where do you like to hide THAT secret?
>
> -----Original Message-----
> From: Discussion of advanced .NET topics.
> [mailto:[EMAIL PROTECTED] On Behalf Of Franklin Gray
> Sent: Monday, October 02, 2006 9:44 AM
> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
> Subject: Re: [ADVANCED-DOTNET] SQL connection information - Encryption
>
>
> We've used a separate xml file for all system settings that we don't
> want in the DB including the UserID, password and datasource. The
> whole file is encrypted. What we like about this is all we have to do
> is just one change and the whole system is updated. The location of
> this file is in the app config. If you want to change the settings
> just for one user, we have an app that can generate do that (change
> the settings and store them locally, change the app config). I wrote
> the xml file loading and decryption years ago and have used it many
> many times so I love the reuse I've gotten on my work. Just plug and
> play :)
>
> ===================================
> This list is hosted by DevelopMentor® http://www.develop.com
>
> View archives and manage your subscription(s) at http://discuss.develop.com
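
An added example, not part of the original thread or any poster's code: it shows why a connection string protected with the per-user DPAPI key is readable by any code running as that user, next to an integrated-auth connection string that holds no secret. The server name, database name and credentials are constructed sample values; it assumes Windows and .NET Framework 2.0 or later with a reference to System.Security.dll.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

static class ClientSecretDemo
{
    // What the application does: protect the connection string with the
    // per-user DPAPI key (the "user encryption key" mentioned in the thread).
    static byte[] AppProtect(string connectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        return ProtectedData.Protect(plain, null, DataProtectionScope.CurrentUser);
    }

    // What any other program started by the same Windows user can do:
    // the key belongs to the user's logon, not to one executable.
    static string SameUserUnprotect(byte[] blob)
    {
        byte[] plain = ProtectedData.Unprotect(blob, null, DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(plain);
    }

    static void Main()
    {
        // Constructed sample value, not a real server or credential.
        string withSecret =
            "Data Source=db.example.test;Initial Catalog=AppDb;" +
            "User ID=app_user;Password=constructed-sample";

        byte[] blob = AppProtect(withSecret);
        bool recovered = SameUserUnprotect(blob) == withSecret;
        Console.WriteLine("Blob length: {0} bytes", blob.Length);
        Console.WriteLine("Recovered without the app's help: {0}", recovered);

        // Integrated auth: the connection string carries no secret at all,
        // so there is nothing on the client to encrypt or hide.
        SqlConnectionStringBuilder b = new SqlConnectionStringBuilder();
        b.DataSource = "db.example.test";
        b.InitialCatalog = "AppDb";
        b.IntegratedSecurity = true;
        Console.WriteLine(b.ConnectionString);
    }
}
```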