[英]How can a database username and password be stored securely in a web.config file when using Entity Framework
When using Entity Framework to access a database on a non-local server how should I be specifying the username and password parameters in the connection string (which is stored in the web.config file)? 使用Entity Framework访问非本地服务器上的数据库时,如何在连接字符串中指定用户名和密码参数(存储在web.config文件中)?
I've read in a C# step by step guide(2010 edition by John Sharp) to never hard code them into your application due to potential reverse engineering or if someone gets hold of the source code. 我已经阅读了C#分步指南(John Sharp 2010版),因为潜在的逆向工程或有人掌握了源代码,所以从不硬编码到您的应用程序中。 So I would like to know the conventional best practice for doing so.
所以我想知道这样做的传统最佳实践。
Hard coding the user and password is bad for 3 reasons: 硬编码用户和密码有三个原因:
There is no magic solution to this problem and security in this case is only as good as the discipline and good will of the people in charge with the security. 这个问题没有神奇的解决方案,在这种情况下,安全性只能与负责安全的人员的纪律和善意一样好。
In my company, it goes something like this: 在我的公司,它是这样的:
web.config
comming from the development department with their own secrets when deploying the application on the production machines web.config
与他们自己的秘密合并 Encrypting the user and password in the web.config
can only help you so much. 加密
web.config
的用户和密码只会对你有所帮助。 Eventually you'll have to hard code the encryption key, in clear form, in your application and that takes us back to the disassembling problem. 最终,您必须在应用程序中以清晰的形式对加密密钥进行硬编码,这会将我们带回到反汇编问题中。
In my opinion, a very good solution would be a combination of what's going on in my company and encryption with a clear key and obfuscation. 在我看来,一个非常好的解决方案是将我公司发生的事情和加密与明确的密钥和混淆相结合。
The general idea is: 一般的想法是:
That means that someone (maybe the owner of the company or some other head) needs to use a "greasemonkey" app to encrypt usernames and passwords and give the resulting encryptions to the application administrators. 这意味着某人(可能是公司的所有者或其他负责人)需要使用“greasemonkey”应用程序来加密用户名和密码,并将结果加密给应用程序管理员。
Don't forget there's also the db administrators which initially gave the owner an initial pair of credentials. 不要忘记还有数据库管理员最初给所有者一个初始的凭证对。 The owner needs to change the password and then do everything I laid out.
所有者需要更改密码,然后完成我布置的所有内容。
In conclusion, there are many solutions, some wackier than others. 总之,有许多解决方案,有些比其他解决方案更狡猾。 It's not all in the tools and code but also in the discipline.
它不仅仅在工具和代码中,而且在学科中。
You can encrypt sections of your web.config. 您可以加密web.config的各个部分。 See this walkthrough on MSDN: http://msdn.microsoft.com/library/dtkwfdky.aspx It's pretty simple to follow.
请参阅MSDN上的演练: http : //msdn.microsoft.com/library/dtkwfdky.aspx这很容易理解。
You can try with following code, 您可以尝试使用以下代码,
ConnectionStringsSection oSection = Configuration.ServiceConfiguration.GetConnectionStrings();
if(!oSection.SectionInformation.IsLocked && !oSection.SectionInformation.IsProtected)
{
oSection.SectionInformation.ProtectSection("RSAProtectedConfigurationProvider");
oSection.CurrentConfiguration.Save();
}
EDIT: 编辑:
you can get more information on Protected configuration from MSDN Link, http://msdn.microsoft.com/en-us/library/53tyfkaw.aspx 您可以从MSDN Link获取有关受保护配置的更多信息, http://msdn.microsoft.com/en-us/library/53tyfkaw.aspx
You can encrypt a particular section of a web.config file easily using the method shown in this document: Encrypting and Decrypting Configuration Sections 您可以使用本文档中显示的方法轻松加密web.config文件的特定部分: 加密和解密配置部分
It is transparent for your application code and the encrypted section is useless outside the machine it was encrypted on. 它对您的应用程序代码是透明的,并且加密的部分在加密的机器外部是无用的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.