How to safely store database username and password in web.config file using Entity Framework

When using the Entity Framework to access a database on a non-local server, how should I specify the username and password parameters in the connection string (which is stored in the web.config file)?

I read in the C# walkthrough (2010 release from John Sharp) to never write them into your application due to potential reverse engineering, or in case someone gets the source code. Therefore, I would like to know the usual best practices for this.

+6
4 answers

Hard-coding the user and password is bad for three reasons:

  • it gives you a false impression of security, because when you look at the binary with a text editor you don’t understand anything, but it’s actually a piece of cake to parse a .NET assembly.
  • it means all software developers know the user and password
  • it means that changing the user / password pair requires a new deployment, which also includes recompiling the application

There is no magic solution to this problem, and security in this case is no worse than the discipline and goodwill of the people responsible for security.

In my company, it goes something like this:

  • software developers do not have access to the production database, and, of course, they do not know the user and password.
  • software administrators have the username and password and combine the web.config from the development department with their secrets when deploying the application on production machines
  • no one other than the software administrators has access to the production machines.

Encrypting the user and password in web.config can only help you so much. In the end, you will have to hard-code the encryption key in clear form in your application, which brings us back to the disassembly problem.

In my opinion, a combination of what is happening in my company and encryption with a clear key and obfuscation will be a very good solution.

General idea:

  • take what I said about the application administrator guys.
  • change one little thing: they don’t know the clear username and password, they know an encrypted form
  • only developers have the key to decrypt the encrypted username and password, and they use it at run time
  • the development guys should obfuscate their builds so that no one tries to reverse engineer the binaries, find out the clear key, somehow ask the application administrators for the encrypted username and password (while having a beer), and then put everything together.

This means that someone (perhaps the owner of the company or some other leader) should use the greasemonkey application to encrypt the username and password and provide the resulting ciphertexts to the application administrators.

Don't forget the DB administrators who originally provided the owner with the initial pair of credentials. The owner must change the password, and then do everything that I set out above.

In conclusion, there are many solutions, some of which are stranger than others. It is not all about tools and code, but also about discipline.

+6

You can encrypt sections of your web.config. See this MSDN walkthrough: http://msdn.microsoft.com/library/dtkwfdky.aspx It is pretty simple to follow.

+2

You can try the following code:

```csharp
using System.Configuration;
using System.Web.Configuration;

// Open the site's root web.config and locate its <connectionStrings> section
Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
ConnectionStringsSection oSection =
    (ConnectionStringsSection)config.GetSection("connectionStrings");

// Only encrypt if the section is not locked by a parent config and not already protected
if (!oSection.SectionInformation.IsLocked && !oSection.SectionInformation.IsProtected)
{
    // Encrypt the section in place using the RSA key container registered in machine.config
    oSection.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
    config.Save();
}
```

EDIT:

You can get more information about secure configuration from this MSDN link: http://msdn.microsoft.com/en-us/library/53tyfkaw.aspx

+1

You can encrypt a separate section of the web.config file using the method shown in this document: Encrypting and Decrypting Configuration Sections.

It is transparent to your application code, and the encrypted section is useless outside the machine on which it was encrypted.

+1
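The last two answers describe protected configuration in general terms; the helper below is an added example (not code from any of the answers or from the MSDN walkthroughs) showing the encrypt and decrypt sides together, the lock/already-protected checks, and the difference between the machine-bound DPAPI provider and the exportable RSA provider. The virtual path and section name are assumed inputs.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Helper that protects or unprotects one section of a site's web.config.
// Assumptions (not from the page): the site's virtual path (e.g. "/MyApp") and the
// section name are supplied by the caller, and the process has permission to read
// the RSA key container (RSA provider) or runs on the same machine (DPAPI provider).
public static class ConfigSectionProtector
{
    // DPAPI ties the ciphertext to this machine's key: useless if the file is copied elsewhere.
    public const string DpapiProvider = "DataProtectionConfigurationProvider";
    // RSA uses a named key container that can be exported/imported across a web farm.
    public const string RsaProvider = "RsaProtectedConfigurationProvider";

    public static bool Protect(string virtualPath, string sectionName, string provider)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || section.SectionInformation.IsLocked)
            return false;                 // missing, or locked by a parent configuration file
        if (section.SectionInformation.IsProtected)
            return true;                  // already encrypted, nothing to do
        section.SectionInformation.ProtectSection(provider);
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    public static bool Unprotect(string virtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return false;
        // Requires the same key container (RSA) or the same machine (DPAPI) used to encrypt
        section.SectionInformation.UnprotectSection();
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Application code keeps reading the connection string exactly as before;
    // decryption happens transparently inside the configuration system.
    public static string ReadConnectionString(string name)
    {
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[name];
        return cs == null ? null : cs.ConnectionString;
    }
}
```

The same encrypt/decrypt operations are what the MSDN walkthrough performs from the command line with `aspnet_regiis -pe` / `-pd`, so an administrator can run them at deployment time without the developers ever seeing the clear credentials.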

Source: https://habr.com/ru/post/953979/
