Reputation: 806
WinFormsApp Login passes information to .php (server based) Login (provided credentials are correct) to DB to retrieve Decryption Key. WinFormsApp then uses Decryption key on Hardcoded encrypted connection string and renders application usable.
This would then eliminate the necessity to encrypt/decrypt a connection string at runtime, virtually leaving any unauthorized person with useless software.
Is there anything wrong in my thought process?
Upvotes: 0
Views: 51
Reputation: 43743
If the decryption key is being sent in plain text back to the WinForms application, then that's technically a security hole. But since you can only get it if you successfully authenticate, it's mitigated somewhat. To raise the security bar a little higher, you could encrypt the decryption key using a hardcoded encryption key on both ends. That's not totally foolproof, but sometimes security isn't about being 100% foolproof, it's just raising the bar high enough. It depends on how secure it needs to be. A more thoroughly secure design would be to have the server side do all the data access so the client doesn't need the connection string, but that I'm sure would require considerable redesign. Alternatively, you could use integrated security if it is SQL Server.
Upvotes: 1
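A sketch of the server-side data access design suggested in the answer above, as an added example that is not part of the thread: the PHP endpoint authenticates the user and runs the query itself, so the WinForms client never receives a key or a connection string. The function, table and column names, the sample data and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. All names here are hypothetical.
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database so the sketch runs
// offline. Assumption: in deployment the DSN and credentials come from
// server-side configuration and are never shipped with the client.
function seedDemoDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pw_hash TEXT)');
    $db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, item TEXT)');
    $ins = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    $db->exec("INSERT INTO orders (user_id, item) VALUES (1, 'widget'), (1, 'gasket')");
    return $db;
}

// Returns [HTTP status, response body] for one login-plus-query request.
function handleOrdersRequest(PDO $db, array $post): array
{
    $name = (string)($post['username'] ?? '');
    $pass = (string)($post['password'] ?? '');
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // Same response for an unknown user and a wrong password.
    if ($user === false || !password_verify($pass, $user['pw_hash'])) {
        return [401, ['error' => 'invalid credentials']];
    }
    // The query is fixed on the server and scoped to the authenticated user;
    // the client sends no SQL and receives no key or connection string.
    $q = $db->prepare('SELECT id, item FROM orders WHERE user_id = ? ORDER BY id');
    $q->execute([(int)$user['id']]);
    return [200, ['orders' => $q->fetchAll(PDO::FETCH_ASSOC)]];
}

// Demo run from the CLI with constructed requests. Assumption: in deployment
// the input is $_POST received over HTTPS.
$db = seedDemoDatabase();
foreach ([['username' => 'alice', 'password' => 'correct horse'],
          ['username' => 'alice', 'password' => 'guess']] as $request) {
    [$status, $body] = handleOrdersRequest($db, $request);
    echo $status, ' ', json_encode($body), PHP_EOL;
}
```

With this shape, a copy of the client binary contains nothing that grants database access; each user can reach only what the endpoint chooses to return for their account.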