Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
WinFormsApp Login passes information to .php (server based) Login (provided credentials are correct) to DB to retrieve Decryption Key. WinFormsApp then uses Decryption key on Hardcoded encrypted connection string and renders application usable.
This would then eliminate the necessity to encrypt/decrypt a connection string at runtime, virtually rendering any unauthorized person with a useless software.
Is there anything wrong in my thought process?
If the decryption key is being sent in plain text back to the WinForms application, then that’s technically a security hole. But since you can only get it if you successfully authenticate, it’s mitigated somewhat. To raise the security bar a little higher, you could encrypt the decryption key using a hardcoded encryption key on both ends. That’s not totally fool proof, but sometimes security isn’t about being 100% fool proof, it’s just raising the bar high enough. It depends on how secure it needs to be. A more thoroughly secure design would be to have the server side do all the data access so the client doesn’t need the connection string, but that I’m sure would require considerable redesign. Alternatively, you could use integrated security if it is SQL Server.