C# – Website security – Hide Connection strings from code

Your application almost certainly needs to talk to a database of some kind. That database isn't open to the world; it has to be protected, and the usual way is a username and password (ideally a separate one for each application or user that needs access) that the application is configured with. In many cases those credentials simply sit in configuration, such as the <connectionStrings> section of web.config in an ASP.NET application. By default such settings are stored in plaintext and checked into source control, which can have disastrous consequences. (If you use GitHub and accidentally publish a secret, you must rotate it: deleting it from the repository is not enough, because it stays in the history and may already have been scraped.) Connection strings are only one kind of secret an application needs; API keys and other tokens have the same problem.

Hard-coding connection strings in the source is bad practice: compiled .NET assemblies decompile readily, so anyone who obtains the binaries (or the repository) gets the database credentials, and with them the website's data and potentially the database server itself.

One mitigation is to store the connection string encrypted and decrypt it only at the point in the code where it is needed.

The code below encrypts and decrypts a string with TripleDES. The key is either the UTF-8 bytes of the supplied key string or, when useHashing is true, the MD5 digest of that string.

using System;
using System.Security.Cryptography;
using System.Text;

namespace EncodingDecodingMain
{
    public static class EncDec
    {
        // Encrypts toEncrypt with TripleDES and returns the ciphertext as Base64.
        // With useHashing = true the 3DES key is the MD5 digest of SecurityKey
        // (16 bytes, i.e. two-key 3DES). With useHashing = false the UTF-8 bytes
        // of SecurityKey are used as-is and must be exactly 16 or 24 bytes, or
        // the tdes.Key assignment throws a CryptographicException.
        // Caveat: ECB mode encrypts identical plaintext blocks to identical
        // ciphertext blocks, and nothing here authenticates the ciphertext.
        public static string Encrypt(string toEncrypt, string SecurityKey, bool useHashing)
        {
            byte[] keyArray;
            byte[] toEncryptArray = Encoding.UTF8.GetBytes(toEncrypt);

            string key = SecurityKey;

            // If hashing, derive the key bytes from the MD5 hash of the key string
            if (useHashing)
            {
                using (MD5CryptoServiceProvider hashmd5 = new MD5CryptoServiceProvider())
                {
                    keyArray = hashmd5.ComputeHash(Encoding.UTF8.GetBytes(key));
                }
            }
            else
            {
                keyArray = Encoding.UTF8.GetBytes(key);
            }

            using (TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider())
            {
                // secret key for the TripleDES algorithm
                tdes.Key = keyArray;
                // mode of operation: ECB (Electronic Code Book); see the caveat above
                tdes.Mode = CipherMode.ECB;
                // padding applied to the final partial block
                tdes.Padding = PaddingMode.PKCS7;

                using (ICryptoTransform cTransform = tdes.CreateEncryptor())
                {
                    // transform the whole plaintext array in one call
                    byte[] resultArray =
                        cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);
                    // return the ciphertext as a Base64 string
                    return Convert.ToBase64String(resultArray, 0, resultArray.Length);
                }
            }
        }

        // Reverses Encrypt: same key derivation, same mode and padding.
        // A wrong key or a modified ciphertext usually surfaces as a
        // CryptographicException from the PKCS7 padding check, but not always;
        // a corrupted ciphertext can also decrypt to garbage without error.
        public static string Decrypt(string cipherString, string SecurityKey, bool useHashing)
        {
            byte[] keyArray;
            // the ciphertext bytes, recovered from the Base64 string
            byte[] toDecryptArray = Convert.FromBase64String(cipherString);

            string key = SecurityKey;

            if (useHashing)
            {
                // if hashing was used, derive the same MD5-based key
                using (MD5CryptoServiceProvider hashmd5 = new MD5CryptoServiceProvider())
                {
                    keyArray = hashmd5.ComputeHash(Encoding.UTF8.GetBytes(key));
                }
            }
            else
            {
                // otherwise use the raw UTF-8 bytes of the key (16 or 24 bytes)
                keyArray = Encoding.UTF8.GetBytes(key);
            }

            using (TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider())
            {
                // secret key for the TripleDES algorithm
                tdes.Key = keyArray;
                // must match the mode and padding used by Encrypt
                tdes.Mode = CipherMode.ECB;
                tdes.Padding = PaddingMode.PKCS7;

                using (ICryptoTransform cTransform = tdes.CreateDecryptor())
                {
                    byte[] resultArray =
                        cTransform.TransformFinalBlock(toDecryptArray, 0, toDecryptArray.Length);
                    // return the decrypted plaintext
                    return Encoding.UTF8.GetString(resultArray);
                }
            }
        }
    }
}
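The following is an added check, not code from the original page, showing concretely why CipherMode.ECB is the wrong choice for the class above: with the same key derivation (MD5 of a key string) and the same TripleDES cipher, two identical 8-byte plaintext blocks produce two identical ciphertext blocks under ECB, so repeated fields or padding inside a connection string show through the ciphertext. The same plaintext under CBC with a fresh random IV does not have this property. The key string and plaintext are constructed samples.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

namespace EncodingDecodingMain
{
    public static class EcbCheck
    {
        // Encrypts plain with TripleDES in the given mode and returns the raw ciphertext.
        // iv is ignored for ECB and required for CBC.
        static byte[] Run(byte[] key, byte[] plain, CipherMode mode, byte[] iv)
        {
            using (TripleDES tdes = TripleDES.Create())
            {
                tdes.Key = key;
                tdes.Mode = mode;
                tdes.Padding = PaddingMode.PKCS7;
                if (iv != null)
                {
                    tdes.IV = iv;
                }
                using (ICryptoTransform enc = tdes.CreateEncryptor())
                {
                    return enc.TransformFinalBlock(plain, 0, plain.Length);
                }
            }
        }

        // True when the first two 8-byte (3DES block size) ciphertext blocks are identical.
        static bool FirstTwoBlocksEqual(byte[] ciphertext)
        {
            return ciphertext.Take(8).SequenceEqual(ciphertext.Skip(8).Take(8));
        }

        public static void Main()
        {
            // Same key derivation as EncDec with useHashing = true:
            // MD5 of the key string gives 16 bytes, i.e. two-key 3DES. Constructed sample key.
            byte[] key;
            using (MD5 md5 = MD5.Create())
            {
                key = md5.ComputeHash(Encoding.UTF8.GetBytes("sample-key"));
            }

            // Two identical 8-byte blocks, mimicking a repeated field in a connection string.
            byte[] plain = Encoding.UTF8.GetBytes("Pwd=aaaaPwd=aaaa");

            // ECB: block 1 and block 2 of the ciphertext are the same bytes.
            byte[] ecb = Run(key, plain, CipherMode.ECB, null);
            Console.WriteLine("ECB repeats identical blocks: " + FirstTwoBlocksEqual(ecb));

            // CBC with a random 8-byte IV: the second block is chained to the first.
            byte[] iv = new byte[8];
            using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(iv);
            }
            byte[] cbc = Run(key, plain, CipherMode.CBC, iv);
            Console.WriteLine("CBC repeats identical blocks: " + FirstTwoBlocksEqual(cbc));
        }
    }
}
```

Running it reports True for the ECB line and False for the CBC line (a random IV making the two CBC blocks collide has probability 2^-64). Switching the class above to CBC would mean storing a fresh IV alongside each ciphertext, and it still would not detect a tampered ciphertext; that needs an authenticated construction, or a scheme such as DPAPI that handles it for you.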
Build a small separate tool around this class, encrypt your connection strings with it, and put the encrypted strings in web.config; the application decrypts them at runtime. Someone who only sees the source or the configuration file then cannot read the data source credentials without the key.

Be clear about what this does and does not buy you. The application must have the key at runtime, so the key lives in code, in configuration or somewhere else on the same server; an attacker who has both the decompiled assembly and web.config has everything needed to decrypt, and the key itself is one more secret that must be kept out of source control. The scheme protects against casual exposure of a configuration file, not against compromise of the server. The cryptography is also dated: MD5 is not a key-derivation function, TripleDES in ECB mode leaks repeated plaintext blocks, and nothing detects a modified ciphertext. On Windows, ASP.NET's protected configuration avoids holding a key in the application at all: running aspnet_regiis -pe "connectionStrings" -app "/YourApp" encrypts that section of web.config with a protected configuration provider (RSA by default, or DPAPI with -prov "DataProtectionConfigurationProvider"), and ConfigurationManager decrypts it transparently when the application reads it.
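As an added example of the tool-plus-web.config procedure described above (not code from the original page), here is the same workflow built on Windows DPAPI (ProtectedData) instead of the TripleDES class: a console tool wraps the connection string for the machine it runs on, the Base64 blob goes into web.config, and the web application unwraps it through one helper instead of reading the connection string directly. No decryption key appears in code or configuration, because DPAPI derives it from machine (or user) credentials. Assumptions: .NET Framework on Windows with references to System.Security and System.Configuration (on .NET 6+ the ProtectedData type comes from the System.Security.Cryptography.ProtectedData package and is still Windows-only); the connection string name "MyDb", the entropy label and the tool name ProtectCs are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;

namespace ProtectConnectionString
{
    public static class ConnectionStringProtector
    {
        // Optional entropy mixed into DPAPI. It is not a secret key: it only stops
        // another process on the same machine that does not know this value from
        // unwrapping the blob by calling Unprotect itself. Hypothetical label.
        private static readonly byte[] Entropy =
            Encoding.UTF8.GetBytes("web.config connectionStrings v1");

        // Scope: LocalMachine lets any process on this host (with the entropy) unwrap.
        // CurrentUser ties the blob to the account that ran the tool, which is tighter
        // but means the tool must run as the application pool identity.
        private const DataProtectionScope Scope = DataProtectionScope.LocalMachine;

        // Wraps a plaintext connection string for this machine and returns Base64.
        public static string Protect(string plainConnectionString)
        {
            byte[] plain = Encoding.UTF8.GetBytes(plainConnectionString);
            try
            {
                byte[] wrapped = ProtectedData.Protect(plain, Entropy, Scope);
                return Convert.ToBase64String(wrapped);
            }
            finally
            {
                Array.Clear(plain, 0, plain.Length);
            }
        }

        // Unwraps a blob produced by Protect. On any other machine, or with a
        // tampered blob, ProtectedData.Unprotect throws a CryptographicException.
        public static string Unprotect(string base64Blob)
        {
            byte[] wrapped = Convert.FromBase64String(base64Blob);
            byte[] plain = ProtectedData.Unprotect(wrapped, Entropy, Scope);
            try
            {
                return Encoding.UTF8.GetString(plain);
            }
            finally
            {
                Array.Clear(plain, 0, plain.Length);
            }
        }

        // What the web application calls instead of ConfigurationManager directly.
        // web.config holds the blob where the plaintext used to be, e.g.
        //   <connectionStrings>
        //     <add name="MyDb" connectionString="AQAAANCMnd8B...base64 from the tool..."
        //          providerName="System.Data.SqlClient" />
        //   </connectionStrings>
        public static string GetConnectionString(string name)
        {
            ConnectionStringSettings setting = ConfigurationManager.ConnectionStrings[name];
            if (setting == null)
            {
                throw new ConfigurationErrorsException("No connection string named '" + name + "'.");
            }
            return Unprotect(setting.ConnectionString);
        }
    }

    // The separate tool: run once on the web server, paste the output into web.config.
    //   ProtectCs.exe "Server=db01;Database=Shop;User Id=shop_app;Password=..."
    public static class Program
    {
        public static int Main(string[] args)
        {
            if (args.Length != 1)
            {
                Console.Error.WriteLine("usage: ProtectCs <connection string>");
                return 1;
            }

            string blob = ConnectionStringProtector.Protect(args[0]);

            // Round-trip on the same machine so a scope or entropy mismatch is caught now,
            // not when the web application first starts.
            if (ConnectionStringProtector.Unprotect(blob) != args[0])
            {
                Console.Error.WriteLine("round-trip check failed");
                return 2;
            }

            Console.WriteLine(blob);
            return 0;
        }
    }
}
```

The blob is bound to the machine it was produced on, so it must be regenerated on each server in a farm, and a copy of web.config taken off the box is useless to an attacker on its own. What it does not protect against is code running on that same machine under the right identity, which is why CurrentUser scope under the application pool account is the tighter choice when the deployment process can accommodate it.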