Hi All

Bit of a newbie at this stuff but was wonering if anyone could offer me some
advice on a vb application and securing data.

I have a fairly basic vb 2005 application that connects to a sql 2005
database (Think of it as a journal). Some of the entries in this application
contain sensitive data that needs to be kept secure. What I am wondering is
the best method of doing this?

Should I encrypt the data in the application and store the encrypted text in
the database for the secure entries and then decrypt it on retrieval or
should I rely upon the security of the SQL server?

What do I need to consider in relation to :-

1. someone reverse engineering the application
2. intercepting the network traffic between the application and the sql
server
3. others having access to the sql server
4. anything else I might not have considered.

I appreciate any assistance or advice anyone might have to offer.

Regards

Hello ILR,

For your scenario, must the sensitive data be stored in SQL Server database
or if it's some simple data that can also be stored in configuration
file(such as app.config). In .NET Framework 2.0, there does provide many
new data protection/secure features that can help us conveniently secure
our application data. If the data should be stored in SQL Server, since
SQL server access include network connection and data transfering, I
suggest you manually encrypt the data if the size is not very huge.

You can consider using the DPAPI component in .NET
2.0(System.Security.Cryptography.ProtectedData class). You can have a look
at the following MSDN reference about how to perform data protection in
.NET:

#How to: Use Data Protection
http://msdn2.microsoft.com/en-us/library/ms229741(vs.80).aspx

here is another web article introduce other net security features in .NET
2.0

#New Security Features in .NET 2.0
http://www.theserverside.net/tt/articles/showarticle.tss?id=NewSecurityFeatu
res

In addition, if you have some sensitive configuration setting that need to
secure and want to store in configuration file, you can have a look at the
following article:

#How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
http://msdn2.microsoft.com/en-us/library/ms998280.aspx

Though the above article is targeting ASP.NET web.config, the function also
apply for normal .net application(console or winform), see a former thread:

#Encryption of application configuration block
http://groups.google.com/group/microsoft.public.dotnet.general/browse_thread
/thread/1bbeeb01ae5ca5c6/70dd27a4598ab060?

Hope this helps you.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.