VB.NET - Proper way of Encrypting SQLConnection String

Question

I understand there are a lot of ways of encrypting an SQLConnection string so you can use it inside a VB.NET program to be able to connect to the SQL database without your connection string easily being read by people who disassembler/decompile the .exe itself.

I know this post: encrypt SQL connectionstring c#

talks about two main ways which are: Configuration Secure Section and also Enterprise Library Data Access Application Block

Now I have adapted the Configuration Secure Section where I have my connection string encrypted inside a app.config file which my program can decrypt to get the connection string. I know that this can only be decrypted on the same computer that it was encrypted on, which isn't an issue.

My question though is how are these methods effective? Doesn't someone just have to create a program on that computer that just uses the same practice to decrypt?

Even if I use Hashing and MD5 encryption or stuff like this, the decryption method is still inside my program that can be extracted from a Decompiler/Disassembler.

Is the only way for me to really protect my data is purchase some type of obfuscator and use that on my encryption/decryption code and hope for the best? or anyone know the best way?

---

What I have done is created a program that requires a username and password to login and then be able to perform SQL queries based off information that exists in the same database. I can't use a website, it has to be done through a .NET program. This program is given out to a lot of my customers across the US. This means I really need some security behind this.

Answer 1

Service has been answered but I will try and add some new value.

A WCF Service is typically hosted in IIS but you keep your client in VB.

In VB today you probably use user input to specify a query. Run the query on SQL. Then use the results to build a List of data or business objects.

With WFC you can call methods on the Service. Everything behind MyService is hidden from the user PC.

List<busObs> myBusObjs = MyService.GetBusObj(string userCriteria);

A Developer's Introduction to Windows Communication Foundation 4

This would be called a 3 tier application.

Another benefit is maintenance. You can update the web service layer with out updating the PCs.

Another benefit is protection of your intellectual property. Like I work on an application where where we have some proprietary algorithms that are hidden behind the WCF Service. Since the client is just a UI layer someone could reverse engineer the client but they would not get any of our good stuff.

Answer 2

The truly safe way to do this is to not connect to SQL directly at all...

Create an API/Webservice/Similar on the internet which talks to the database. Your client can then authenticate to the API and make requests.

This gives you a number of advantages:

• The client never knows the connection string
• You can guarantee that the code modifying your data is under your control and unmodified
• You can provide far finer-grained permissions based on users and roles
• Decompiling/reverse engineering won't reveal anything sensitive as long as you write your code well (Use the built-in authentication mechanisms, don't roll your own)
• Should you ever need to move SQL server, you don't need to worry about maintaining DNS entries/etc, you can just update the connection string in your API

(Just noticed @Blam mentioned this in comments on the OP).

So, to give more detail...

Take the Business-logic (or equivalent layer) and expose the methods through a webservice. as Blam suggested, WCF is a great place to start. This allows you to enforce the business logic and manage all changes to the database in code.

Have a look here and here for help getting started with WCF

Answer 3

One other solution is to handle all your data access via stored procedures - using the SQL database's built-in security and permissions to limit the users of the application to the data processes they can do in your app and protecting your underlying data.

Effectively, the stored procedures represent a data API for your application - although a full blown web service / API allows you more flexibility in the long term to change your servers, etc.