Encrypting connection string in app.config

Author
22 Aug 2006 2:01 AM
Gilgamesh
Is there any way to encrypt the connection string using an algorithm which is
FIPS 140-2 certified, and then store the key in a FIPS 140-2 certified
hardware store? We know that DPAPI doesn't do that. We also know that RSAENH
is certified, but is there a way to use that to encrypt the connection
string in the app.config?

Any input will be appreciated,
Gilgamesh

Author
22 Aug 2006 2:18 PM
William Stacey [MVP]
Is the string on the client side or on the server side (i.e. web server)?

--
William Stacey [MVP]

Author
22 Aug 2006 4:25 PM
Gilgamesh
In this case there's no web server involved. Everything resides on the same
server.

-G


Author
22 Aug 2006 4:37 PM
William Stacey [MVP]
Why not use integrated security?

--
William Stacey [MVP]

Author
22 Aug 2006 6:19 PM
Gilgamesh
Because it's not secure enough to meet my customer requirements.

Author
22 Aug 2006 6:31 PM
William Stacey [MVP]
It is more secure than any encryption you can put on the connection string,
because you can debug the app after decryption to get around any encryption
you place on the clear connection string. With integrated security, one
would have to hack the Windows internal security as no clear password will
ever reside in the memory of the service because it is already logged on (I
presume).

--
William Stacey [MVP]

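An added example, not part of the thread and not any poster's code: a C# check that reads an app.config and flags connection strings that store a password rather than using integrated security, the alternative raised in the last reply. The sample config and its server, database and account names are constructed, and the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;
using System.Linq;
using System.Xml.Linq;

static class ConnectionStringAudit
{
    // Constructed sample app.config; server, database and account names are made up.
    const string SampleConfig = @"<configuration>
  <connectionStrings>
    <add name=""Legacy"" connectionString=""Data Source=localhost;Initial Catalog=Orders;User ID=app_user;Password=example-only"" />
    <add name=""Trusted"" connectionString=""Data Source=localhost;Initial Catalog=Orders;Integrated Security=SSPI"" />
  </connectionStrings>
</configuration>";

    static readonly string[] SecretKeys = { "Password", "Pwd" };
    static readonly string[] TrustedKeys = { "Integrated Security", "Trusted_Connection" };

    // Returns one verdict per <add> entry, keyed by the entry's name.
    public static Dictionary<string, string> Audit(string configXml)
    {
        var findings = new Dictionary<string, string>();
        var entries = XDocument.Parse(configXml).Descendants("connectionStrings").Elements("add");
        foreach (var add in entries)
        {
            var name = (string)add.Attribute("name") ?? "(unnamed)";
            // DbConnectionStringBuilder splits key=value pairs; keyword lookup is case-insensitive.
            var csb = new DbConnectionStringBuilder { ConnectionString = (string)add.Attribute("connectionString") ?? "" };
            bool hasSecret = SecretKeys.Any(k => csb.ContainsKey(k));
            bool trusted = TrustedKeys.Any(k => csb.TryGetValue(k, out var v) && IsTrue(v.ToString()));
            findings[name] = hasSecret ? "FAIL: password stored in config"
                           : trusted ? "OK: integrated security, no stored secret"
                           : "REVIEW: no password and no integrated security";
        }
        return findings;
    }

    // Values that switch integrated security on in a connection string.
    static bool IsTrue(string v)
    {
        v = v.Trim();
        return v.Equals("SSPI", StringComparison.OrdinalIgnoreCase)
            || v.Equals("true", StringComparison.OrdinalIgnoreCase)
            || v.Equals("yes", StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        foreach (var f in Audit(SampleConfig))
            Console.WriteLine($"{f.Key}: {f.Value}");
    }
}
```

A `connectionStrings` section that has been encrypted in place has no readable `<add>` entries, so this check reports nothing for it.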