Use des to encrypt database information and enhance Asp.net Security (1)-Analysis

In actual database system development, we usually put the database connection string in the configuration file config. web of Asp.net. The connection string is generally as follows:
<Deleetask>
<Add key = "connstr" value = "Server = 192.168.2.36; database = mdata; uid = sa; Password = 111000"/>
</Appsettings>

ThenProgramThrough system. configuration. configurationsettings. appsettings ["connstr"] method, which greatly improves the convenience of program access. however, this method may also cause database security risks. As long as users who can read this configuration file have a little knowledge about computers, they can immediately know the database login information, and log on to the database to perform various operations. although the server has many security settings, the current network security is not very reliable, and more efforts are needed in terms of security. if we can write the configuration file to the following values:
<Deleetask>
<Add key = "connstr" value = "comment"/>
</Appsettings>
Even if the website source code is downloaded by hackers or the configuration file on the Web server is leakedCodeWho can translate the original text?

These irregular characters in the middle are not obtained by simple byte conversion. We can use the powerful security function provided by. Net to implement des to encrypt database connection information.
We will not talk about the theory of DES encryption here. You can refer to other materials. Here we will only talk about its implementation and application. if my friends can understand and believe in its encryption strength, I will talk about the specific implementation method below:

first, for the convenience of development and future deployment, we 'd better write a small tool for encryption and configuration file writing, because the database deployment changes the connection string once on different machines, If you manually generate an encrypted string and then modify the configuration file, this repetitive effort may take some time, and you will not be able to stand it, therefore, we can find a method that is always done once and for all (a little exaggerated, nothing can be done once and for all) and write a small tool by ourselves. I also try to find a place to upload tools and implementation methods to the Internet. If you are interested, you can check them out.
let's take a look at the key encryption and decryption methods: the encryption method and the decryption method are as follows. If you cannot fully understand these two methods, they will not affect our use: you only need to know the call rules.
# region encryption method
// ptoencrypt is the string to be encrypted and skey is the key.
Public String encrypt (string ptoencrypt, string skey)
{< br> descryptoserviceprovider des = new descryptoserviceprovider ();
// put the string in the byte array
// The original utf8 encoding, I changed it to unicode encoding. No.
byte [] inputbytearray = encoding. default. getbytes (ptoencrypt);

// Create the key and offset of the encryption object
// Make sure that you enter the English text for the password
Des. Key = asciiencoding. ASCII. getbytes (skey );
Des. IV = asciiencoding. ASCII. getbytes (skey );
Memorystream MS = new memorystream ();
Cryptostream cs = new cryptostream (MS, Des. createencryptor (), cryptostreammode. Write );

CS. Write (inputbytearray, 0, inputbytearray. Length );
CS. flushfinalblock ();
Stringbuilder ret = new stringbuilder ();
Foreach (byte B in ms. toarray ())
{
Ret. appendformat ("{0: X2}", B );
}
Ret. tostring ();
Return ret. tostring ();
}
# Endregion
# Region Decryption Method
// Ptodecrypt is the string to be decrypted and skey is the key
Public String decrypt (string ptodecrypt, string skey)
{
Descryptoserviceprovider des = new descryptoserviceprovider ();
Byte [] inputbytearray = new byte [ptodecrypt. Length/2];
For (INT x = 0; x <ptodecrypt. Length/2; X ++)
{
Int I = (convert. toint32 (ptodecrypt. substring (x * 2, 2), 16 ));
Inputbytearray [x] = (byte) I;
}

// Create the key and offset of the encryption object. This value is important and cannot be modified.
Des. Key = asciiencoding. ASCII. getbytes (skey );
Des. IV = asciiencoding. ASCII. getbytes (skey );
Memorystream MS = new memorystream ();
Cryptostream cs = new cryptostream (MS, Des. createdecryptor (), cryptostreammode. Write );
CS. Write (inputbytearray, 0, inputbytearray. Length );
CS. flushfinalblock ();
// Create a stringbuild object. createdecrypt uses a stream object. The decrypted text must be converted to a stream object.
Stringbuilder ret = new stringbuilder ();
Return System. Text. encoding. Default. getstring (Ms. toarray ());
}
# Endregion
Note that the skey is an eight-bit string, which must be consistent with the encryption and decryption. to enhance the ambiguity, we can use a combination of non-printable ASCII codes during program initialization to get the skey, as shown below:
Int [] TMP = new int [8] {23,234,195,165,201,240,143,198 };
Foreach (int I in TMP)
{
Skey + = (char) I). tostring ();
}
Use the tool we wrote to encrypt and decrypt the configuration file (this tool also involves some XML operation methods), which can read the original configuration information, and rewrite or add configuration sections. note that when reading the original configuration information, the password information cannot be displayed or displayed as a "******" Mask, there are a lot of tools and software on the Internet, such as the password viewer, as long as they are placed on the password box. the original password is exposed immediately. however, we still need to use this type of software to view some "*******" characters, but the user will continue to keep the original password when the user does not modify the Read Password. how can this problem be achieved. this tip is left for friends to find it in the code.
The following describes how to use encrypted connection information in a web program. It is also very simple. Read the connstr section of the configuration file using the original method and decrypt it in the preceding method, of course, the decryption key must also be consistent with the encryption key. after successful decryption, it will be OK!
The Code is as follows:
String strconn = system. configuration. configurationsettings. receivettings ["connstr"];
Connstr = decrypt (strconn, skey );
Conn = new sqlconnection (connstr );
These codes will be displayed at a glance, so I won't be confused.

I found that this blog does not have a place to upload files. I was thinking about writing my ready-made tools andSource codeUpload it up. It seems that it is difficult to be a Leifeng. If you have no choice, post the source code for the moment. If you are interested, compile it for yourself.
Put the source code in the next article, which looks unified.
If you have a better solution, we may wish to have more exchanges!