堆栈内存溢出
  简体   繁体   English

C#Winforms应用程序与Access DB的安全连接

[英]C# Winforms application secure connection to Access DB

 原文  2012-06-03 12:34:32       c#/ winforms/ desktop-application/ .net/ eazfuscator

问题描述

I have a C# 2010 Winforms application that uses OleDb to connect to an Access 2010 database which is password protected. 我有一个使用OleDb连接到受密码保护的Access 2010数据库的C#2010 Winforms应用程序。 This is not an online application! 这不是在线应用程序!

I currently store the password in plain text in the connection string [I know this is horribly insecure] which is obfuscated using Eazfuscator.NET . 我目前将密码以纯文本格式存储在使用Eazfuscator.NET进行了混淆的连接字符串中[我知道这是非常不安全的]。 I am interested in a way to securely store the password in such a way that it cannot be obtained by decompiling or any other practical methods. 我对一种安全地存储密码的方式感兴趣,这种方式无法通过反编译或任何其他实用方法获得。

I am aware that there are methods to do this for ASP.NET applications by encrypting the connection string in app/web.config but it would not work for me since my application is a desktop application. 我知道有一些方法可以通过对app / web.config中的连接字符串进行加密来为ASP.NET应用程序执行此操作,但是由于我的应用程序是桌面应用程序,因此它对我不起作用。

So far I didn't find any method to achieve this. 到目前为止,我还没有找到实现此目的的任何方法。

Here is what I have thought of doing: 这是我想做的事情:

Request a password from the user, since there will be only one user who will have access to the database. 向该用户请求密码,因为将只有一个用户有权访问该数据库。 Get a hash (SHA1 / SHA512) for the input password, select a certain number of characters from the hash, salt it, add it to the connection string and try to connect. 获取输入密码的哈希值(SHA1 / SHA512),从哈希值中选择一定数量的字符,对其加盐,然后将其添加到连接字符串中并尝试连接。

Obviously, if the user would forget the password, there would be absolutely no way to gain access to the database other than by using brute force. 显然,如果用户忘记了密码,除了使用蛮力外,绝对没有其他方法可以访问数据库。

Is there any way to store the password used in the connection string in the program so that it cannot be obtained by any practical means? 有什么方法可以在程序中存储连接字符串中使用的密码,以致于无法通过任何实际手段获得它?

2 个解决方案

解决方案1
 1  2012-06-03 12:37:59

You should generate a long random secure password for the database, then encrypt it using the ProtectedData class. 您应该为数据库生成一个较长的随机安全密码,然后使用ProtectedData类对其进行加密。
This will encrypt it using the user's Windows logon password, so that it will be impractical to read it unless the user is logged on. 这将使用用户的Windows登录密码对它进行加密,因此除非用户已登录,否则读取它是不切实际的。

解决方案2
 0  2012-06-03 13:05:44

You could use a DSN and store the username and password there, rather than in the app, but then any app that knows the DSN can use the database and the credentials are available in the registry in plain text. 您可以使用DSN并将用户名和密码存储在此处,而不是存储在应用程序中,但是任何知道DSN的应用程序都可以使用数据库,并且凭据在注册表中以纯文本格式提供。

What are you trying to defend against, the app getting into the wild? 您正在为什么辩护,使应用程序变得疯狂? The database? 数据库? An unauthorised user sitting at the machine? 是否有未经授权的用户坐在机器旁? The password has to live somewhere... 密码必须存放在某处...

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 .net Winforms应用程序的安全连接 - Secure connection of .net winforms application 在C#WinForms应用程序中使用Oracle DB - Using Oracle DB in a C# WinForms application 使用本地Db构建C#WinForms应用程序 - Building a C# WinForms application with a local Db 具有多个表单的C#WinForms应用程序中的连接问题 - Connection issue in C# WinForms application with multiple forms 在C#.Net的WinForms应用程序中启用对注册表的访问 - Enable access to registry in WinForms application of C# .Net 是否可以限制 ac# winforms 应用程序的内存访问 - Is it possible to restrict memory access of a c# winforms application 在没有MS Access的情况下如何通过C#连接到Access DB? - How C# connection to Access DB without MS Access? C#Winforms应用程序和FormsAuthentication - C# Winforms Application and FormsAuthentication 退出C#winforms应用程序 - Exiting a C# winforms application C#,WinForms 和应用程序图标 - C#, WinForms and application icon
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM