A simple way to protect the connection string of a WinForms application deployed with ClickOnce: encrypting the string so that decompiling the program does not expose the database address.
A multi-user invoicing project I use myself ran into the following situation:
1. So that every store/warehouse user receives updates promptly, the software is deployed with ClickOnce, which means anyone who knows the publish URL can download the program.
2. Only a SQL database space has been purchased so far, with no web space such as a virtual host (the deployment "space" is my own computer, reached through a 3322 dynamic DNS name), so web services cannot be used as a middle layer. The client has to connect to the database directly.
The biggest risk of connecting the client directly to the database is that decompiling the program exposes the database address, which is very insecure. Normally the encryption and decryption code, together with the key, would have to be written into the program itself, so decompilation exposes them all at once and the encryption achieves nothing.
In the project I used a small trick: a file's MD5 fingerprint serves as the encryption key. The specific approach is:
1. Place a KEY file at a fixed location on the system. The software reads the file's MD5 value and uses it as the KEY to encrypt the connection string with AES/DES; the encrypted string is stored in the software's configuration file.
2. The KEY file is handed to the user directly (this is an internal system, so the users are under control) and placed at the agreed system path. At runtime the software reads the file's MD5 value as the key and decrypts with DES/AES.
The advantage is that even if the program is decompiled, only the encrypted string is revealed, and decryption fails without the key file.
The key file is distributed by a separate channel and is never published with the software, so downloading the program does not yield the key file.
The implementation is also very simple:
Step 1: Prepare a KEY file. It can be any file: an image, a document, or a song. Note: once a file is used as the KEY file it must never be modified, otherwise its MD5 value changes and decryption is no longer possible.
Step 2: Read the MD5 value of the key file. Core code (the DES key must be 8 bytes long, so any 8 characters of the hex digest can be taken):
```csharp
using System.IO;
using System.Security.Cryptography;
using System.Text;

// filePath is the path of your key file (the post recommends keeping it on drive C).
public static string GetKeyFromFile(string filePath)
{
    byte[] retVal;
    using (FileStream file = new FileStream(filePath, FileMode.Open))
    using (MD5 md5 = new MD5CryptoServiceProvider())
    {
        retVal = md5.ComputeHash(file);
    }
    // Hex-encode the 16-byte digest (32 hex characters).
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < retVal.Length; i++)
    {
        sb.Append(retVal[i].ToString("x2"));
    }
    // DES needs an 8-byte key, so take any 8 of the 32 hex characters.
    return sb.ToString().Substring(10, 8);
}
```
Step 3: Encryption. Core code (DES is used here; AES works the same way). The encryption method does not need to ship inside the program; only its result, the encrypted string, is written to the program's configuration file.
```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Key: assign the 8-character value read from the key file in step 2.
static string Key;

public static string DESEncrypt(string plainStr)
{
    byte[] bKey = Encoding.UTF8.GetBytes(Key);
    // Encryption vector; you may choose your own, but DES uses an 8-byte IV,
    // so only the first 8 bytes of the vector string are used.
    byte[] bIV = new byte[8];
    Array.Copy(Encoding.UTF8.GetBytes(@"L%n67}G\Mk@k%:~Y"), bIV, 8);
    byte[] byteArray = Encoding.UTF8.GetBytes(plainStr);
    string encrypt = null;
    DESCryptoServiceProvider des = new DESCryptoServiceProvider();
    using (MemoryStream mStream = new MemoryStream())
    {
        using (CryptoStream cStream = new CryptoStream(mStream, des.CreateEncryptor(bKey, bIV), CryptoStreamMode.Write))
        {
            cStream.Write(byteArray, 0, byteArray.Length);
            cStream.FlushFinalBlock();
            encrypt = Convert.ToBase64String(mStream.ToArray());
        }
    }
    des.Clear();
    return encrypt;
}
```
Step 4: Decryption. Core code (open the database connection with the decrypted string):
```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static string DESDecrypt(string encryptStr)
{
    byte[] bKey = Encoding.UTF8.GetBytes(Key);   // Key: the same 8-character value read in step 2
    // The vector must be identical to the one used in step 3 (first 8 bytes of the vector string).
    byte[] bIV = new byte[8];
    Array.Copy(Encoding.UTF8.GetBytes(@"L%n67}G\Mk@k%:~Y"), bIV, 8);
    byte[] byteArray = Convert.FromBase64String(encryptStr);
    string decrypt = null;
    DESCryptoServiceProvider des = new DESCryptoServiceProvider();
    try
    {
        using (MemoryStream mStream = new MemoryStream())
        {
            using (CryptoStream cStream = new CryptoStream(mStream, des.CreateDecryptor(bKey, bIV), CryptoStreamMode.Write))
            {
                cStream.Write(byteArray, 0, byteArray.Length);
                cStream.FlushFinalBlock();
                decrypt = Encoding.UTF8.GetString(mStream.ToArray());
            }
        }
    }
    catch (CryptographicException)
    {
        // Wrong key file (or wrong IV): the padding check fails and decrypt stays null.
    }
    des.Clear();
    return decrypt;
}
```
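The four steps above, carried through end to end as an added example (this is not the post's own code). It keeps the post's idea, the MD5 fingerprint of a key file as the secret, but goes a little beyond it: it uses AES, which the post calls equivalent, with the whole 16-byte digest as an AES-128 key instead of 8 hex characters, and it generates a random IV per encryption and stores it in front of the ciphertext, so no vector has to be hardcoded in the program. It also shows the two failure modes the post warns about, a modified key file and a missing key file. The key file contents, the temp-folder file name and the connection string are constructed placeholders for the demo.

```csharp
// Added example: key-file fingerprint as AES-128 key, with explicit handling of
// a modified or missing key file. Paths and strings below are constructed for the demo.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class KeyFileCrypto
{
    // Fingerprint the key file: the 16-byte MD5 digest is exactly one AES-128 key.
    public static byte[] KeyFromFile(string keyFilePath)
    {
        if (!File.Exists(keyFilePath))
            throw new FileNotFoundException("Key file not found; cannot derive the key.", keyFilePath);
        using (var md5 = MD5.Create())
        using (var stream = File.OpenRead(keyFilePath))
        {
            return md5.ComputeHash(stream);
        }
    }

    // Output is Base64( IV || ciphertext ); the IV is not secret and need not be hardcoded.
    public static string Encrypt(string plainText, byte[] key)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV();                          // fresh random IV for every encryption
            using (var encryptor = aes.CreateEncryptor())
            using (var ms = new MemoryStream())
            {
                ms.Write(aes.IV, 0, aes.IV.Length);    // IV first, in the clear
                using (var cs = new CryptoStream(ms, encryptor, CryptoStreamMode.Write))
                {
                    byte[] data = Encoding.UTF8.GetBytes(plainText);
                    cs.Write(data, 0, data.Length);
                    cs.FlushFinalBlock();
                }
                return Convert.ToBase64String(ms.ToArray());
            }
        }
    }

    // Returns null when the key does not match the blob (wrong or modified key file),
    // so the caller can report "key file invalid" instead of crashing with a stack trace.
    // Note: the PKCS7 padding check is only a sanity check; roughly 1 wrong key in 256
    // still passes it and yields garbage, so treat a null as certain failure, not a non-null as proof.
    public static string Decrypt(string base64Blob, byte[] key)
    {
        byte[] blob = Convert.FromBase64String(base64Blob);
        if (blob.Length < 16) return null;             // too short to even hold an IV
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            byte[] iv = new byte[16];
            Array.Copy(blob, 0, iv, 0, 16);
            aes.IV = iv;
            try
            {
                using (var decryptor = aes.CreateDecryptor())
                using (var ms = new MemoryStream(blob, 16, blob.Length - 16))
                using (var cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read))
                using (var reader = new StreamReader(cs, Encoding.UTF8))
                {
                    return reader.ReadToEnd();
                }
            }
            catch (CryptographicException)
            {
                return null;                           // padding check failed: wrong key file
            }
        }
    }

    public static void Main()
    {
        // Constructed demo key file; in the post's setup this would be the distributed KEY file.
        string keyFile = Path.Combine(Path.GetTempPath(), "demo-key.bin");
        File.WriteAllBytes(keyFile, Encoding.UTF8.GetBytes("any file content works as a key file"));

        string connStr = "Server=db.example.invalid;Database=invoicing;User Id=app;Password=placeholder;";
        string blob = Encrypt(connStr, KeyFromFile(keyFile));
        Console.WriteLine("Store this in the config file: " + blob);

        // Normal start-up: same key file, decryption succeeds.
        Console.WriteLine("Decrypted: " + Decrypt(blob, KeyFromFile(keyFile)));

        // Failure mode 1: key file modified by a single byte -> different MD5 -> null.
        File.AppendAllText(keyFile, "x");
        Console.WriteLine("After modifying the key file: " + (Decrypt(blob, KeyFromFile(keyFile)) ?? "decryption failed"));

        // Failure mode 2: key file missing -> explicit FileNotFoundException at key derivation.
        File.Delete(keyFile);
        try { KeyFromFile(keyFile); }
        catch (FileNotFoundException e) { Console.WriteLine("Missing key file: " + e.Message); }
    }
}
```

Deriving the key from the whole digest rather than eight hex characters gives a 128-bit key instead of one drawn from a 32-character alphabet, and storing the IV with the ciphertext removes the one value that the post's version still has to keep in the program. What the scheme protects against is unchanged: the program reveals only the blob, and everything rests on the key file staying off the distribution channel.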
Well, isn't it easy? Now, even if someone downloads and decompiles your program, they still cannot easily get the key file off your machine. As long as the key file does not leak, the connection string is hard to recover.
In practice: only the key file that was used for encryption can decrypt the string; once it is replaced or lost, decryption is impossible. The principle is similar to binding the program to a machine's MAC address, but using a file is more flexible.