Securing connection strings and making secure authentication method
Introduction:
In this article we will see that how we can secure our connection string by encrypting it and we will also see how we can make secure login screens.
Saving connection String without Encryption:
Let's see a small example where we store the connection string in the web.config file without encrypting it.
<configuration>
<appSettings>
<add key="ConnectionString"
value="server=localhost;uid=sa;pwd=;database=DBPerson" />
</appSettings>
</configuration>
This is one of the worst ways of storing the connection string. As you can see we can easily see the userid and the password for this database connection and anyone can easily access the database without authentication.
Let's see a little better approach of saving the connection string:
<configuration>
<appSettings>
<add key="DBConnStr"
value="server=(local);Integrated Security=SSPI;database=northwind"/>
</appSettings>
</configuration>
As you see above that the connection string is now saved without displaying the username and the password. This is better than the last connection string but still we can see what database is being used. In this case its northwind database.
Now we will see that how we can encrypt the connection string so hackers are not able to see the important information about the database. We will make a small method that will take the connection string as the parameter and it will return the encrypted connection string. We can place the returned encrypted connection string back in the web.config file. I will also tell you that how you can decrypt the connection string when using in your application.
Encrypting Connection Strings:
Let's see the method which encrypts the connection string.
// This method is used to encrypt the connection string
private string EncryptConnectionString(string connectionString)
{
Byte[] b = System.Text.ASCIIEncoding.ASCII.GetBytes(connectionString);
string encryptedConnectionString = Convert.ToBase64String(b);
return encryptedConnectionString;
}
Explanation of the Code:
1) The method EncryptConnectionString takes in the connectionString and returns the encrypted ConnectionString
2) In this case we have used the ASCIIEncoding which gets the bytes representation of the connection string and store it in an array.
3) Finally, we encrypt the connection string using the ToBase64String method of the Convert class and the connection string is returned to the caller.
If you print out the connection string you will find something like this:
ZGF0YSBzb3VyY2U9Llx2c2RvdG5ldDtpbml0aWFsIA0KICAgY2F0YWx
Once you got the encrypted connection string you can copy and paste it in the web.config file.
<appSettings>
<add key="ConnectionString"
value="ZGF0YSBzb3VyY2U9Llx2c2RvdG5ldDtpbml0aWFsIA0KICAgY2F"/>
</appSettings>
As you can see now the connection string has been encrypted and saved in the web.config file. You can no longer read the connection string by just looking at the encrypted string.
Lets see that how we can decrypt the connection string so that we can use it in our applications.
// This method is used to decrypt the connection string
private string DecryptConnectionString()
{
Byte[] b = Convert.FromBase64String(ConfigurationSettings.AppSettings["ConnectionString"]);
string decryptedConnectionString = System.Text.ASCIIEncoding.ASCII.GetString(b);
return decryptedConnectionString;
}
Explanation of the Code:
1) First we get the byte representation of the connection string. You can see that we are retrieving the encrypted connection string from the web.config file.
2) Later we decrypt the connection string using the same method that we first used to encrypt it. And finally we returned the decrypted connection string to the caller.
There are many more complex algorithms that you can use to encrypt and decrypted the connection strings. But this is surely one of the most simple encryption and decryption algorithms.
Making secure authentication:
Let's now talk about making a secure authentication. First let's see what we mean by bad authentication. For this purpose we will make a simple login page which consists of username and the password. Your user interface will look something like this:
As, you can see this is a simple login page with two textboxes, two labels and a login button. Lets see some bad login code:
// This is the login button click code
private void Button1_Click(object sender, System.EventArgs e)
{
if(txtUserName.Text == "vikram" && txtPassword.Text == "takkar")
{
// print the message welcome to the website.
}
else
{
// print the message. you are not authorized to visit this website
}
}
This is the absolute worst login code. The developer has hardcode the username and the password in the presentation layer file. This not only gives the direct interaction of the user to the business logic but this code is also very hard to maintain. Suppose, in 2 weeks some new users have registered for this website. Now you have to go back to the file and edit the if-else checks. If you have 100 users you will have 100 if-else checks which is the worst scenario.
Let's see a some important points to make a better login page:
1) You must validate the input of the user. If the fields are necessary it should be check at the interface level using the required field validator web controls provided by the Microsoft.net framework.
2) If you are checking authentication of the users its always a good idea to store the users in the database rather than hard code it in the file.
3) Always check for the SQL Injections. Users can put anything in the textbox that can make your application crash. All the dangerous user input much be catch.
4) Never and never give the user ability to directly communicate with the business logic. Also always store the business logic in a separate class files.
5) If you are planning to use the Login control on each and every page of you application it's a better idea to make the login control as a User Control in this way you can easily modify it without having to go to all the pages.
6) Finally, don't give too much information to the user. What I mean to say is that if the users enters the wrong password don't tell him that the password is 6 digits long and its your favorite pet name. Always give the message which is to the point like "Invalid password".
Enjoy Programming !
"Quitters never Win and Winners never Quit"
|
| Author: Murugan.N 07 Apr 2007 | Member Level: Bronze Points : 0 |
Very Helpful for me.keep it up
|
| Author: Trent 09 Jan 2008 | Member Level: Bronze Points : 0 |
The principles of this article are sound, but the recommendation of "encryption" method is absolutely terrible and should never be followed by anyone.
In short, Convert.ToBase64String is NOT an encryption method, it is an **encoding** method. Any serious attacker would see that string, see it as Base64, and use the appropriate .NET decoding method. If you want to protect your website from casual glances, use this, otherwise find a encryption method. (Don't forget to think really hard about where to put your encryption keys, since if they're easily discoverable by an attacker, your encryption is useless)
Please refer to the specification for Convert.ToBase64String():
http://msdn2.microsoft.com/en-us/library/system.convert.tobase64string.aspx
|