Securing connection strings in ASP .Net by azamsharp

Introduction:

In one of the previous articles we saw that we can use the web.config file to save our connection string. We also talked about the advantages which comes down to easily altering the connection string if it changes in the future. What we did not talked about was encrypting connection string. When we store the connection string in the web.config file it’s stored in a readable form. If anyone can open the web.config file he can read the connection string and security will be jeopardize.
So In this article we will see that how we can secure our connection string by encrypting it and we will also see how we can make secure login screens.

Saving connection String without Encryption:

Let’s see a small example where we store the connection string in the web.config file without encrypting it.

<configuration>
  <appSettings> <add key="ConnectionString" value="server=localhost;uid=sa;pwd=;database=DBPerson" /> </appSettings>
</configuration>

This is one of the worst ways of storing the connection string. As you can see we can easily see the userid and the password for this database connection and anyone can easily access the database without authentication.
Let’s see a little better approach of saving the connection string:

<configuration> 
	<appSettings> <add key="DBConnStr" value="server=(local);Integrated Security=SSPI;database=northwind"/> </appSettings>
</configuration>

As you see above that the connection string is now saved without displaying the username and the password. This is better than the last connection string but still we can see what database is being used. In this case its northwind database.
Now we will see that how we can encrypt the connection string so hackers are not able to see the important information about the database. We will make a small method that will take the connection string as the parameter and it will return the encrypted connection string. We can place the returned encrypted connection string back in the web.config file. I will also tell you that how you can decrypt the connection string when using in your application.
Encrypting Connection Strings:
Let’s see the method which encrypts the connection string.

// This method is used to encrypt the connection string 

Byte[] b = System.Text.ASCIIEncoding.ASCII.GetBytes(connectionString);
private string EncryptConnectionString(string connectionString)
{
	string encryptedConnectionString = Convert.ToBase64String(b);
	return encryptedConnectionString;
}

Explanation of the Code:

1) The method EncryptConnectionString takes in the connectionString and returns the encrypted ConnectionString
2) In this case we have used the ASCIIEncoding which gets the bytes representation of the connection string and store it in an array.
3) Finally, we encrypt the connection string using the ToBase64String method of the Convert class and the connection string is returned to the caller.
If you print out the connection string you will find something like this:
ZGF0YSBzb3VyY2U9Llx2c2RvdG5ldDtpbml0aWFsIA0KICAgY2F0YWx
Once you got the encrypted connection string you can copy and paste it in the web.config file.

<addkey="ConnectionString"

value="ZGF0YSBzb3VyY2U9Llx2c2RvdG5ldDtpbml0aWFsIA0KICAgY2F"/>

</appSettings> 

<appSettings>

As you can see now the connection string has been encrypted and saved in the web.config file. You can no longer read the connection string by just looking at the encrypted string.
Lets see that how we can decrypt the connection string so that we can use it in our applications.

// This method is used to decrypt the connection string 

Byte[] b = Convert.FromBase64String(ConfigurationSettings.AppSettings["ConnectionString"]);
private string DecryptConnectionString()
{
	string decryptedConnectionString = System.Text.ASCIIEncoding.ASCII.GetString(b);
	return decryptedConnectionString;
}

Explanation of the Code:

1) First we get the byte representation of the connection string. You can see that we are retrieving the encrypted connection string from the web.config file.
2) Later we decrypt the connection string using the same method that we first used to encrypt it. And finally we returned the decrypted connection string to the caller.
There are many more complex algorithms that you can use to encrypt and decrypted the connection strings. But this is surely one of the most simple encryption and decryption algorithms.

Making secure authentication:

Let’s now talk about making a secure authentication. First let’s see what we mean by bad authentication. For this purpose we will make a simple login page which consists of username and the password. Your user interface will look something like this:


As, you can see this is a simple login page with two textboxes, two labels and a login button. Lets see some bad login code:

// This is the login button click code 

private void Button1_Click(object sender, System.EventArgs e)
{
	if(txtUserName.Text == "john" && txtPassword.Text == "doe")
	{ 
		// print the message welcome to the website. 
	}
	else
	{ 
		// print the message. you are not authorized to visit this website 
	}
}

This is the absolute worst login code. The developer has hardcode the username and the password in the presentation layer file. This not only gives the direct interaction of the user to the business logic but this code is also very hard to maintain. Suppose, in 2 weeks some new users have registered for this website. Now you have to go back to the file and edit the if-else checks. If you have 100 users you will have 100 if-else checks which is the worst scenario.
Let’s see a some important points to make a better login page:
1) You must validate the input of the user. If the fields are necessary it should be check at the interface level using the required field validator web controls provided by the Microsoft.net framework.
2) If you are checking authentication of the users its always a good idea to store the users in the database rather than hard code it in the file.
3) Always check for the SQL Injections. Users can put anything in the textbox that can make your application crash. All the dangerous user input much be catch.
4) Never and never give the user ability to directly communicate with the business logic. Also always store the business logic in a separate class files.
5) If you are planning to use the Login control on each and every page of you application it’s a better idea to make the login control as a User Control in this way you can easily modify it without having to go to all the pages.

6) Finally, don’t give too much information to the user. What I mean to say is that if the users enters the wrong password don’t tell him that the password is 6 digits long and its your favorite pet name. Always give the message which is to the point like “Invalid password”.
I hope you liked the article happy coding !

Attachments:

Project Files: Security_connectionstring_azam.zip

About the Author:

Mohammad Azam is currently completing his bachelors in Computer Science from University of Houston. Mohammad Azam is always seeking freelance projects to work. Currently he is also seeking Summer 2005 Internship. If any one interested you can contact him at azamsharp@gmail.com.

If you have further questions please email Azam at azamsharp@gmail.com