使用Entity Framework时，如何将数据库用户名和密码安全地存储在web.config文件中

Question

When using Entity Framework to access a database on a non-local server how should I be specifying the username and password parameters in the connection string (which is stored in the web.config file)?

I've read in a C# step by step guide(2010 edition by John Sharp) to never hard code them into your application due to potential reverse engineering or if someone gets hold of the source code. So I would like to know the conventional best practice for doing so.

Answer 1

Hard coding the user and password is bad for 3 reasons:

• it gives you a false impression of security, because when you look at a binary file with a text editor you don't understand anything but in fact it's a piece of cake to disassemble a .NET assembly
• it forces all software developers to be allowed to know the user and password
• it implies that a change of the user/password pair requires a new deploy which also include the recompiling of the application

There is no magic solution to this problem and security in this case is only as good as the discipline and good will of the people in charge with the security.

In my company, it goes something like this:

• software developers don't have access to the production database, and most certainly they don't know the user and password
• software administrators have the username and password and they merge the web.config comming from the development department with their own secrets when deploying the application on the production machines
• no other person has access to the production machines appart from the software administrators

Encrypting the user and password in the web.config can only help you so much. Eventually you'll have to hard code the encryption key, in clear form, in your application and that takes us back to the disassembling problem.

In my opinion, a very good solution would be a combination of what's going on in my company and encryption with a clear key and obfuscation.

The general idea is:

• take what I said about the application administrator guys
• modify one minor detail: they don't know the clear username and password, they know an encrypted form
• only the dev guys have the key to decrypt the encrypted username and password and they use that at runtime
• the dev guys should obfuscate their assemblies so that it's not worth it for anyone to try to reverse engineer the binaries, find out the clear key, somehow ask the application administrators what the encrypted username and password is (while drinking bear in a work outing) and then put everything together

That means that someone (maybe the owner of the company or some other head) needs to use a "greasemonkey" app to encrypt usernames and passwords and give the resulting encryptions to the application administrators.

Don't forget there's also the db administrators which initially gave the owner an initial pair of credentials. The owner needs to change the password and then do everything I laid out.

In conclusion, there are many solutions, some wackier than others. It's not all in the tools and code but also in the discipline.

Answer 2

You can encrypt sections of your web.config. See this walkthrough on MSDN: http://msdn.microsoft.com/library/dtkwfdky.aspx It's pretty simple to follow.

Answer 3

You can try with following code,

ConnectionStringsSection oSection = Configuration.ServiceConfiguration.GetConnectionStrings();
    if(!oSection.SectionInformation.IsLocked && !oSection.SectionInformation.IsProtected)
    {
        oSection.SectionInformation.ProtectSection("RSAProtectedConfigurationProvider"); 
        oSection.CurrentConfiguration.Save();
    }

EDIT:

you can get more information on Protected configuration from MSDN Link, http://msdn.microsoft.com/en-us/library/53tyfkaw.aspx

Answer 4

You can encrypt a particular section of a web.config file easily using the method shown in this document: Encrypting and Decrypting Configuration Sections

It is transparent for your application code and the encrypted section is useless outside the machine it was encrypted on.