I’m writing a small business application using C# (.NET 4.0, SQL CE 4.0 database). The database is encrypted (SQL CE supports database encryption), but as far as I know, from http://msdn.microsoft.com/en-us/library/aa257373(v=sql.80).aspx password:
Can be up to 40 characters long.
Can contain letters, symbols, digits, or a combination.
Cannot be recovered.
My user will input password for the application, which probably won’t be very complex and secure. Thus I wanted to somehow modify the user password to create a more secure password for database encryption. From what I know there is Rfc2898DeriveBytes Class, which derives bytes from password. But I need valid characters ( Allowed character for SQL Server CE password? ) for database password, which means that I probably can’t use toBase64String().
My idea so far is to create a random and secure password for database and save it to a file, which would be encrypted using AES256, with key derived from user password. Is there any better way to do this?
Also how could I accomplish that multiple users with each having their own password for application could access the same database with the same database password?
Thank you for your time and answers
You can not do this directly: A function, that converts all user passwords to the same database password would defeat the purpose of DB encryption. It is isomorphous to storing the DB password in the app.
This is not to say, that there isn’t an easy way around it:
Inside this have a simple table:
User | EncryptedPassword(all Strings)For every user have a row in this file (or a line if it is a text file) containing the username and the DB password encrypted with the user password (obviously a binary hash of the pw, store as base64)
When a user logs in, use the given password to decrypt the
EncryptedPasswordfield for this user, this should be the DB password, which you now can use to open the DBThis also means, that a wrong user password is detected by failure to supply the correct SQL database password.