使用加密的dB连接字符串 [英] Using encrypted dB connection string
本文介绍了使用加密的dB连接字符串的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
嗨:
我的主机不允许我使用可信连接或进行注册设置,
所以我很难找到一种方法隐藏将存储在web.config文件中的连接字符串
。如果我在外部加密字符串,是否可以使用它的加密形式连接到SQL Server?
?如果我在运行时解密回到
字符串以便在连接字符串中使用,我必须提供密钥。
如果我这样做,黑客可以使用密钥来破解加密。我如何处理
这个?我会将密码存储在数据库中,不希望黑客获得
in。
谢谢,
查理
Hi:
My host will not allow me use a trusted connection or make registry setting,
so I''m stuck trying find a way to hide connection string which will be
stored in web.config file. If I encrypt string externally, can it be used
in it''s encrypted form to connect to SQL Server? If I decrypt back to
string for use in connection string during runtime, I have to supply a key.
If I do that, hacker could use key to break encryption. How do I handle
this? I''ll be storing passwords in database and don''t want a hacker to get
in.
Thanks,
Charlie
推荐答案
查理,
如果您仅使用密码进行用户身份验证,不要使用加密,
使用哈希(用盐)代替。如果你需要使用加密,在你的特定情况(你有限制访问的b / b
访问的Web托管环境)中,你可以做的最好的事情是使用像CipherLite这样的工具.NET(参见
http://www.obviex.com/cipherlite/ )。您需要在代码中嵌入密码
(以生成加密密钥),因此如果黑客获得了您的
程序集,则可以轻松检索此密码短语,除非你使用一个好的商业混淆器来混淆
汇编(甚至这不会是
保证安全性)。不幸的是,你没有很多选择。如果您发现
更好的方法,请在此处发布;可能还有其他读者在
相同的情况。
Alek
" Charlie @ CBFC" < CH ***** @ comcast.net>在消息中写道
新闻:O8 ************** @ TK2MSFTNGP11.phx.gbl ...
Charlie,
If you use passwords for user authentication only, do not use encryption,
use hashing (with salt) instead. If you need to use encryption, in your
particular scenario (Web hosting environment to which you have limited
access), the best you can do is use a tool like CipherLite.NET (see
http://www.obviex.com/cipherlite/). You will need to embed the passphrase
(to generate encryption key) in your code, so if a hacker gets hold of your
assembly, this passphrase can be easily retrieved unless you obfuscate the
assembly using a good commercial obfuscator (and even this will not
guarantee security). Unfortunately, you don''t have many options. If you find
a better approach, please post it here; there may be other readers in the
same situation.
Alek
"Charlie@CBFC" <ch*****@comcast.net> wrote in message
news:O8**************@TK2MSFTNGP11.phx.gbl...
嗨:
我的主机不允许我使用可信连接或设置注册表
设置,所以我试图找到一种方法来隐藏将存储在web.config中的连接字符串文件。如果我在外部加密字符串,是否可以以加密形式使用
连接到SQL Server?如果我在运行时解密回
字符串以便在连接字符串中使用,我必须提供
键。如果我这样做,黑客可以使用密钥来破解加密。我该如何处理呢?我会将密码存储在数据库中,不希望黑客以
的价格进入。
谢谢,
查理
Hi:
My host will not allow me use a trusted connection or make registry setting, so I''m stuck trying find a way to hide connection string which will be
stored in web.config file. If I encrypt string externally, can it be used
in it''s encrypted form to connect to SQL Server? If I decrypt back to
string for use in connection string during runtime, I have to supply a key. If I do that, hacker could use key to break encryption. How do I handle
this? I''ll be storing passwords in database and don''t want a hacker to get in.
Thanks,
Charlie
请参阅以下文章:
http://msdn.microsoft.com/library/de...SecNetHT07.asp 。
这描述了使用DPAPI库和机器密钥(或用户
密钥,但为了您的目的坚持使用机器密钥)来加密和解密
连接字符串之类的东西。因为密钥是由DPAPI
库知道的,所以你不需要提供它(甚至不知道它)。
你可以很容易地按照文章,编译库。我还写了一个VB.NET" wrapper"
如果你感兴趣的话,这简化了这个库的使用(但是
仍需要它)。然后你需要使用一个
的ASP.NET页面(如果你愿意的话我也写过),你将暂时在你的网站上安装
- 这里使用的加密技术依赖于你运行的实际机器的
机器密钥,所以你不能用Windows应用程序做这个
,尽管你也可以使用网络服务。
然后你可以加密连接字符串,并将其放入配置文件,
然后解密它运行。然后,如果您使用的是一个ASP.NET页面,它/ b $ b知道如何使用DPAPI进行加密/解密,那么您应该将其从您的网站中移除
网站,因为任何人可以找到他们的方式可以使用解密
设施!!
唯一需要注意的是,如果您的托管服务取代了机器,那么<运行的
并且没有维护机器密钥,你必须重新执行上面的
加密步骤。
Alek Davis < alek_xDOTx_davis_xATx_intel_xDOTx_com>在留言中写道
news:ei ************* @ TK2MSFTNGP09.phx.gbl ...
See the following article:
http://msdn.microsoft.com/library/de...SecNetHT07.asp.
This describes the use of the DPAPI library and the machine key (or user
key, but for your purpose stick to the machine key) to encrypt and decrypt
things like the connection string. Because the key is known by the DPAPI
library, you don''t need to provide it (or even know it).
You can pretty easily follow the article, and compile the library. I''ve also
written a VB.NET "wrapper" which simplifies the use of this library (but
still requires it) if you''re interested. You will then need to use an
ASP.NET page (I''ve also written that if you like) which you will temporarily
install on your web site - the encryption technique used here relies on the
machine key for the actual machine on which you are running, so you can''t do
this with a Windows app, although you could also do it with a web service.
You can then encrypt the connection string, and put it into the config file,
and then decrypt it at runtime. Then, if you''re using an ASP.NET page which
knows how to encrypt/decrypt using DPAPI, you should remove it from your web
site since anyone who could find their way to it could use the decryption
facility!!
The only caveat is that if your hosting service replaces the machine you''re
running on and doesn''t maintain the machine key, you''ll have to re-do the
encryption steps above.
"Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
news:ei*************@TK2MSFTNGP09.phx.gbl...
查理,
如果您仅使用密码进行用户身份验证,请不要使用加密,而是使用散列(使用salt)。如果您需要使用加密,在您特定的场景(您有限制访问的Web托管环境)中,您可以做的最好的事情就是使用像CipherLite.NET这样的工具(参见
http://www.obviex.com/cipherlite/) 。您需要在代码中嵌入密码短语(以生成加密密钥),因此如果黑客获得您的程序集
,则可以轻松检索此密码短语,除非您对组件进行模糊处理使用一个好的商业混淆器(甚至这不会保证安全)。不幸的是,你没有很多选择。如果您
找到更好的方法,请在此处发布;在相同的情况下可能还有其他读者。
Alek
Charlie @ CBFC < CH ***** @ comcast.net>在消息中写道
新闻:O8 ************** @ TK2MSFTNGP11.phx.gbl ...
Charlie,
If you use passwords for user authentication only, do not use encryption,
use hashing (with salt) instead. If you need to use encryption, in your
particular scenario (Web hosting environment to which you have limited
access), the best you can do is use a tool like CipherLite.NET (see
http://www.obviex.com/cipherlite/). You will need to embed the passphrase
(to generate encryption key) in your code, so if a hacker gets hold of your assembly, this passphrase can be easily retrieved unless you obfuscate the
assembly using a good commercial obfuscator (and even this will not
guarantee security). Unfortunately, you don''t have many options. If you find a better approach, please post it here; there may be other readers in the
same situation.
Alek
"Charlie@CBFC" <ch*****@comcast.net> wrote in message
news:O8**************@TK2MSFTNGP11.phx.gbl...
嗨:
我的主机不允许我使用可信连接或进行注册
Hi:
My host will not allow me use a trusted connection or make registry
设置,
所以我试图找到隐藏连接字符串的方法,这将是
存储在web.config文件中。如果我在外部加密字符串,是否可以使用加密形式连接到SQL Server的
?如果我在运行时解密回
字符串以便在连接字符串中使用,我必须提供
so I''m stuck trying find a way to hide connection string which will be
stored in web.config file. If I encrypt string externally, can it be used in it''s encrypted form to connect to SQL Server? If I decrypt back to
string for use in connection string during runtime, I have to supply a
键。
如果我这样做,黑客可以使用密钥打破加密。我该如何处理呢?我将密码存储在数据库中,不希望黑客
If I do that, hacker could use key to break encryption. How do I handle
this? I''ll be storing passwords in database and don''t want a hacker to
获取
。
谢谢,查理
我想知道你是否有某种程度的信任度。
例如 - 使用Salt与2路加密。
使用Salt一次性验证密码并使用
代重置忘记的密码
使用双向加密和解密并通过电子邮件发送忘记的密码
如果黑客窃取您的代码并希望获得信息,他将
只需要
a)窃取Generation Key并使用它来生成密钥并更改
每个人的密码
b)窃取Pass密码并创建一些代码以获取通行证。
Exzact与Exact相同的结果相同的工作量。
如果你不牛逼相信自己的虚拟主机与A"数据库连接字符串"并且
将在每次连接到它时加密和解密
连接字符串。
如何在需要检索的信息中添加盐。
盐是单向的。单向加密如何对你需要的东西有用
使用。
我甚至不会降低性能如果
,每当人们想要连接数据库时,就会开始忙于使用双向加密。如果一个人没有得到很多
命中,也许不是问题。
Rick Spiewak < RI ********* @ mindspring.com>在消息中写道
news:uQ ************* @ tk2msftngp13.phx.gbl ...
I wonder if there is some level at which you have to place a level of trust.
For example - taking the Salt versus 2 way encryption.
Using Salt to one time your passwords for authenticaiton and using a
generation to reset forgotten passwords
Using 2-way to Encrypt and Decrypt and email forgotten passwords
If a Hacker were to steal your code and wanted the information he would
simply either
a) Steal the Generation Key and use that to generate keys and change
everybody''s password
b) Steal the Pass phrase and create some code to grab the passes.
Exzact Same amount of work with the Exact same results.
If you don''t trust your own webhost with a "database connection string" and
are going to go throught he process of encrypting and decrypting the
connection string every single time you are going to connect to it.
And how do you add salt to information that you need to retrieve.
Salt is 1-way. How is a 1-way encryption useful for Something you need to
use.
And I won''t even go down the performance hit one would possibly take if
one''s site began getting busy using 2-way encryption every time one wanted
to connect to the database. Maybe not an issue if one is not getting alot of
hits.
"Rick Spiewak" <ri*********@mindspring.com> wrote in message
news:uQ*************@tk2msftngp13.phx.gbl...
请参阅以下文章:
http://msdn.microsoft.com/library/de...SecNetHT07.asp 。
这描述了使用DPAPI库和机器密钥(或用户
键) ,但为了您的目的坚持机器密钥)加密和解密连接字符串之类的东西。因为密钥是由DPAPI库知道的,所以你不需要提供它(甚至不知道它)。
你可以很容易地按照文章,编译库。我还写了一篇VB.NET包装器。如果你感兴趣的话,这简化了这个库的使用(但是
仍然需要它)。然后,您将需要使用
ASP.NET页面(我已经写过,如果您愿意的话),您将在您的网站上临时安装 - 这里使用的加密技术依赖于您运行的实际机器的机器密钥,所以你不能用Windows应用程序来做这个,尽管你也可以这样做使用Web服务。
然后,您可以加密连接字符串,并将其放入配置
文件,然后在运行时解密。然后,如果你正在使用一个知道如何使用DPAPI加密/解密的ASP.NET页面
,你应该从你的网页
网站删除它,因为任何人可以找到他们的方式可以使用解密
设施!!
唯一需要注意的是,如果您的托管服务取代机器
您正在运行在没有维护机器钥匙的情况下,你必须重新执行上面的
加密步骤。
Alek Davis < alek_xDOTx_davis_xATx_intel_xDOTx_com>在消息中写道
新闻:ei ************* @ TK2MSFTNGP09.phx.gbl ...
See the following article:
http://msdn.microsoft.com/library/de...SecNetHT07.asp.
This describes the use of the DPAPI library and the machine key (or user
key, but for your purpose stick to the machine key) to encrypt and decrypt
things like the connection string. Because the key is known by the DPAPI
library, you don''t need to provide it (or even know it).
You can pretty easily follow the article, and compile the library. I''ve
also
written a VB.NET "wrapper" which simplifies the use of this library (but
still requires it) if you''re interested. You will then need to use an
ASP.NET page (I''ve also written that if you like) which you will
temporarily
install on your web site - the encryption technique used here relies on
the
machine key for the actual machine on which you are running, so you can''t
do
this with a Windows app, although you could also do it with a web service.
You can then encrypt the connection string, and put it into the config
file,
and then decrypt it at runtime. Then, if you''re using an ASP.NET page
which
knows how to encrypt/decrypt using DPAPI, you should remove it from your
web
site since anyone who could find their way to it could use the decryption
facility!!
The only caveat is that if your hosting service replaces the machine
you''re
running on and doesn''t maintain the machine key, you''ll have to re-do the
encryption steps above.
"Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
news:ei*************@TK2MSFTNGP09.phx.gbl...
查理,
如果仅使用密码进行用户身份验证,请不要使用加密,而是使用散列(使用salt)。如果您需要使用加密,在您特定的场景(您有限制访问的Web托管环境)中,您可以做的最好的事情就是使用像CipherLite.NET这样的工具(参见
http://www.obviex.com/cipherlite/) 。您需要在代码中嵌入密码(以生成加密密钥),因此如果黑客获取
Charlie,
If you use passwords for user authentication only, do not use encryption,
use hashing (with salt) instead. If you need to use encryption, in your
particular scenario (Web hosting environment to which you have limited
access), the best you can do is use a tool like CipherLite.NET (see
http://www.obviex.com/cipherlite/). You will need to embed the passphrase
(to generate encryption key) in your code, so if a hacker gets hold of
您的
程序集,则此密码可以除非你使用一个好的商业混淆器来混淆
组件,否则很容易被检索到(即使这样也不能保证安全)。不幸的是,你没有很多选择。如果您
assembly, this passphrase can be easily retrieved unless you obfuscate
the
assembly using a good commercial obfuscator (and even this will not
guarantee security). Unfortunately, you don''t have many options. If you
找到
更好的方法,请在此处发布;在相同的情况下可能还有其他读者。
Alek
Charlie @ CBFC < CH ***** @ comcast.net>在消息中写道
新闻:O8 ************** @ TK2MSFTNGP11.phx.gbl ...
a better approach, please post it here; there may be other readers in the
same situation.
Alek
"Charlie@CBFC" <ch*****@comcast.net> wrote in message
news:O8**************@TK2MSFTNGP11.phx.gbl...
>嗨:
>
>我的主机不允许我使用可信连接或进行注册
> Hi:
>
> My host will not allow me use a trusted connection or make registry
设置,
>所以我试图找到隐藏连接字符串的方法,这将是
>存储在web.config文件中。如果我在外部加密字符串,可以使用>在它的加密形式连接到SQL Server?如果我解密回
>在运行期间用于连接字符串的字符串,我必须提供
> so I''m stuck trying find a way to hide connection string which will be
> stored in web.config file. If I encrypt string externally, can it be used > in it''s encrypted form to connect to SQL Server? If I decrypt back to
> string for use in connection string during runtime, I have to supply a
键。
>如果我这样做,黑客可以使用密钥来破解加密。我如何
>处理
>这个?我将密码存储在数据库中,不希望黑客
> If I do that, hacker could use key to break encryption. How do I
> handle
> this? I''ll be storing passwords in database and don''t want a hacker to
获取
> in。
>
>谢谢,
>查理
>
>
>
> in.
>
> Thanks,
> Charlie
>
>
>
这篇关于使用加密的dB连接字符串的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
