Using DES to encrypt database information and enhance the security of asp.net (1)--analysis

In real database system development we usually put the database connection string in the ASP.NET configuration file (config.web). The connection string typically looks like this:
<appSettings>
<add key="ConnStr" value="server=192.168.2.36;database=mdata;uid=sa;password=111000"/>
</appSettings>

The program then reads it with System.Configuration.ConfigurationSettings.AppSettings["ConnStr"], which makes access very convenient. But this approach also creates a hidden database security risk: anyone who can read this configuration file, and who knows a little about computers, can immediately see the database login information, log in to the database and perform all kinds of operations. The server has many security settings, but network security today is not very reliable, and it is worth spending more effort on it. What if we could write the configuration file with the following value instead:
<appSettings>
<add key="ConnStr" value="22c25fee2659a7f295eb4963aaae2d5474aa434036cc43892128e73112bc2b2c568e8d3f53efc7ac0f6413627d9d036e43a3e57c1953e21167760d12e 59E3443"/>
</appSettings>
Even if a hacker downloaded the website source code, or the configuration file leaked from the web server, who could turn this string back into the original?

These irregular characters in the middle are not a simple byte conversion. Using the security features provided by .NET, we can fully implement DES encryption of the database connection information.
I won't say much here about the theory of DES encryption; you can look it up elsewhere. We only discuss how to apply it in an application. If you understand it and trust its encryption strength, then I will go a little further into the specific implementation:

First, for convenience during development and later deployment, we had better write a small tool for encrypting and writing the configuration file. The database is deployed on different machines, and every time the connection string changes, generating the encrypted string by hand and then editing the configuration file is repetitive labour that you will not put up with for long. So let's find a once-and-for-all solution (a bit exaggerated; nothing is truly once and for all) and write a small utility ourselves. I will also try to find somewhere online to upload the tool and the implementation; interested friends can have a look.
First, the key part, the decryption: the encryption and decryption methods are as follows. It does not matter if you do not completely understand these two methods; we only need to know their calling conventions.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

#region Encryption method
// pToEncrypt is the string to encrypt, sKey is the key
public string Encrypt(string pToEncrypt, string sKey)
{
    DESCryptoServiceProvider des = new DESCryptoServiceProvider();
    // Put the string into a byte array
    // (originally used UTF8 encoding; I changed it, the code below uses Encoding.Default)
    byte[] inputByteArray = Encoding.Default.GetBytes(pToEncrypt);

    // Set the key and IV of the encryption object
    // (the key must be entered as English text; ASCII encoding must give exactly 8 bytes)
    des.Key = ASCIIEncoding.ASCII.GetBytes(sKey);
    des.IV = ASCIIEncoding.ASCII.GetBytes(sKey);
    MemoryStream ms = new MemoryStream();
    CryptoStream cs = new CryptoStream(ms, des.CreateEncryptor(), CryptoStreamMode.Write);

    cs.Write(inputByteArray, 0, inputByteArray.Length);
    cs.FlushFinalBlock();
    // Output the ciphertext as a lowercase hex string
    StringBuilder ret = new StringBuilder();
    foreach (byte b in ms.ToArray())
    {
        ret.AppendFormat("{0:x2}", b);
    }
    return ret.ToString();
}
#endregion
#region Decryption method
// pToDecrypt is the string to decrypt, sKey is the key
public string Decrypt(string pToDecrypt, string sKey)
{
    DESCryptoServiceProvider des = new DESCryptoServiceProvider();
    // Convert the hex string back into bytes, two hex digits per byte
    byte[] inputByteArray = new byte[pToDecrypt.Length / 2];
    for (int x = 0; x < pToDecrypt.Length / 2; x++)
    {
        int i = Convert.ToInt32(pToDecrypt.Substring(x * 2, 2), 16);
        inputByteArray[x] = (byte)i;
    }

    // Set the key and IV of the decryption object; these must be the same as used for encryption
    des.Key = ASCIIEncoding.ASCII.GetBytes(sKey);
    des.IV = ASCIIEncoding.ASCII.GetBytes(sKey);
    MemoryStream ms = new MemoryStream();
    CryptoStream cs = new CryptoStream(ms, des.CreateDecryptor(), CryptoStreamMode.Write);
    cs.Write(inputByteArray, 0, inputByteArray.Length);
    cs.FlushFinalBlock();
    // CreateDecryptor works on a stream object, so the decrypted text is read back from the memory stream
    return System.Text.Encoding.Default.GetString(ms.ToArray());
}
#endregion
Note that sKey is an eight-character string (DES takes an 8-byte key), and the same sKey must be used for encryption and decryption. To make it harder to read, we can build sKey from a combination of non-printing ASCII codes when the program initializes, as follows:
string sKey = "";
int[] tmp = new int[8] { 23, 234, 195, 165, 201, 240, 143, 198 };
foreach (int i in tmp)
{
    sKey += ((char)i).ToString();
}
Use the tool we wrote to encrypt and write the configuration file (the tool also involves some XML manipulation): it can read the existing configuration information, and either overwrite or add the configuration section. One more point to note: when reading the existing configuration, the password must not be displayed, and it must not be displayed in "****" mask form either, because many tools on the web, such as password viewers, only need to be pointed at the password box and the original password is exposed immediately. With such software we should only see some garbage characters, but the original password must be preserved when the user makes no change to the password that was read. How to achieve this is a little trick I leave for you to find in the code.
Now, how to use the encrypted connection information in the web program. It is also very simple: read the ConnStr section from the configuration file as before, then decrypt it with the method above; of course the key used to decrypt must match the one used at encryption time. Once decryption succeeds, done!
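The XML side of the configuration tool described above, as an added example that is not the post's own tool. It assumes the config file has a <configuration> root element (the web.config/config.web layout) and that the value handed to WriteConnStr is whatever Encrypt returned; both the <appSettings> section and the <add key="ConnStr"> node are created when missing, and the sample file and placeholder hex value in Main are constructed for the demo.

```csharp
// Added example, not the post's tool: reads and overwrites the ConnStr setting in an
// XML config file. Assumes a <configuration> root with an <appSettings> section.
using System;
using System.IO;
using System.Xml;

public static class ConnStrConfigTool
{
    private const string AddXPath = "/configuration/appSettings/add[@key='ConnStr']";

    // Returns the stored ConnStr value, or null when the node does not exist.
    public static string ReadConnStr(string configPath)
    {
        var doc = new XmlDocument();
        doc.Load(configPath);
        XmlNode add = doc.SelectSingleNode(AddXPath);
        return add?.Attributes["value"]?.Value;
    }

    // Overwrites the ConnStr value, adding <appSettings> and <add> when absent.
    public static void WriteConnStr(string configPath, string encryptedValue)
    {
        var doc = new XmlDocument();
        doc.Load(configPath);
        XmlElement root = doc.DocumentElement;
        if (root == null || root.Name != "configuration")
            throw new InvalidDataException("expected a <configuration> root element");

        XmlElement appSettings = root["appSettings"];
        if (appSettings == null)
        {
            appSettings = doc.CreateElement("appSettings");
            root.AppendChild(appSettings);
        }

        XmlElement add = (XmlElement)appSettings.SelectSingleNode("add[@key='ConnStr']");
        if (add == null)
        {
            add = doc.CreateElement("add");
            add.SetAttribute("key", "ConnStr");
            appSettings.AppendChild(add);
        }
        add.SetAttribute("value", encryptedValue);   // XmlDocument escapes the attribute text for us
        doc.Save(configPath);
    }

    public static void Main()
    {
        // Constructed sample file, written to a temp path so the example runs anywhere.
        string path = Path.Combine(Path.GetTempPath(), "demo.config");
        File.WriteAllText(path, "<?xml version=\"1.0\"?><configuration></configuration>");

        Console.WriteLine("before: " + (ReadConnStr(path) ?? "<none>"));
        WriteConnStr(path, "22c25fee2659a7f2");   // placeholder hex standing in for Encrypt() output
        Console.WriteLine("after:  " + ReadConnStr(path));
        Console.WriteLine(File.ReadAllText(path));
    }
}
```

Going through XmlDocument rather than string replacement keeps the rest of the file intact and escapes the value correctly; the tool only ever needs to read the stored ciphertext back, so the decrypted password never has to be written to the form unless the user actually changes it.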
The code is as follows:
string strConn = System.Configuration.ConfigurationSettings.AppSettings["ConnStr"];
string connStr = Decrypt(strConn, sKey);
SqlConnection conn = new SqlConnection(connStr);
Look at the code yourselves; I won't ramble on.
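A stand-alone round trip of the post's scheme, as an added example rather than the post's code: it reproduces DES-CBC with the key bytes reused as the IV and the ciphertext stored as lowercase hex, then decrypts it the way the web program above does. It differs from the post in using the cross-platform DES.Create() factory instead of DESCryptoServiceProvider and explicit UTF-8 instead of Encoding.Default, so the tool and the web server agree on the text encoding whatever code page they run with. The KeyBytes check is also added here: Encoding.ASCII replaces every character above 127 with '?', so the "non-printing" key built from {23,234,195,165,201,240,143,198} is really the bytes 17 3f 3f 3f 3f 3f 3f 3f, one byte of variety. The connection string in Main is a constructed sample.

```csharp
// Added example, not code from the original post: DES round trip of a connection
// string in the post's format, plus a check of the effective key bytes.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class DesConnStringDemo
{
    // The post's key-building trick: eight code points, several of them above 127.
    private static readonly int[] KeyCodes = { 23, 234, 195, 165, 201, 240, 143, 198 };

    public static string BuildKey()
    {
        var sb = new StringBuilder();
        foreach (int c in KeyCodes) sb.Append((char)c);
        return sb.ToString();
    }

    // What DES actually receives: ASCII encoding maps chars above 127 to '?' (0x3f),
    // so BuildKey() yields 17 3f 3f 3f 3f 3f 3f 3f. DES needs exactly 8 key bytes.
    public static byte[] KeyBytes(string sKey)
    {
        byte[] key = Encoding.ASCII.GetBytes(sKey);
        if (key.Length != 8)
            throw new ArgumentException("DES needs exactly 8 key bytes, got " + key.Length, nameof(sKey));
        return key;
    }

    public static string Encrypt(string plainText, string sKey)
    {
        using (DES des = DES.Create())
        using (var ms = new MemoryStream())
        {
            des.Key = KeyBytes(sKey);
            des.IV = KeyBytes(sKey);   // the post reuses the key as the IV
            using (var cs = new CryptoStream(ms, des.CreateEncryptor(), CryptoStreamMode.Write))
            {
                byte[] input = Encoding.UTF8.GetBytes(plainText);
                cs.Write(input, 0, input.Length);
                cs.FlushFinalBlock();
            }
            return ToHex(ms.ToArray());   // ToArray still works after the stream is closed
        }
    }

    public static string Decrypt(string hexCipher, string sKey)
    {
        byte[] input = FromHex(hexCipher);
        using (DES des = DES.Create())
        using (var ms = new MemoryStream())
        {
            des.Key = KeyBytes(sKey);
            des.IV = KeyBytes(sKey);
            using (var cs = new CryptoStream(ms, des.CreateDecryptor(), CryptoStreamMode.Write))
            {
                cs.Write(input, 0, input.Length);
                cs.FlushFinalBlock();   // padding check fails here if key/IV differ from encryption
            }
            return Encoding.UTF8.GetString(ms.ToArray());
        }
    }

    public static string ToHex(byte[] data)
    {
        var sb = new StringBuilder(data.Length * 2);
        foreach (byte b in data) sb.AppendFormat("{0:x2}", b);
        return sb.ToString();
    }

    public static byte[] FromHex(string hex)
    {
        if (hex.Length % 2 != 0) throw new FormatException("hex string must have even length");
        var bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);
        return bytes;
    }

    public static void Main()
    {
        string sKey = BuildKey();
        Console.WriteLine("Effective key bytes: " + ToHex(KeyBytes(sKey)));

        // Constructed sample connection string (not a real server or password).
        string connStr = "server=127.0.0.1;database=mdata;uid=sa;password=example";
        string cipher = Encrypt(connStr, sKey);
        Console.WriteLine("Stored in config: " + cipher);
        Console.WriteLine("Round trip ok: " + (Decrypt(cipher, sKey) == connStr));
    }
}
```

Two things the round trip makes visible. The key is compiled into the assembly, so this protects the connection string against a casual read of the configuration file, not against someone who also has the binary; ASP.NET's protected configuration feature, which keeps the key outside the source, is the usual answer to that. And DES is a 56-bit cipher that is no longer considered adequate, so if the format is kept, at least choose a key whose eight characters all fall in the printable ASCII range so that none of them collapse to '?'.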

After looking around for a while, I found that this blog has nowhere to upload files. I originally wanted to upload my ready-made tool and source code, but it seems being a Lei Feng is hard too; no way around it, so for now I'll post the source code, and interested friends can compile it and have a look.
The source code is in the next post, so that it looks uniform.
If you have a better way, let's exchange more ideas!


