Click here to Skip to main content
15,895,283 members
Search within:


How to use salt for protected encryption pass
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
C#
Hello, I am going to encrypt the connection string My DB so
We have almost specific encryption algorithms that do this, such as md5, aes and others

For example, if I encrypt this string containing of SQL Server connection with a key, for example @1234, with the AES algorithm in My c# Cod

In the my software I Should to register or save this key somewhere in my Application to DECOD encrypted string with this key

The main question is this :
If someone gets access to this key, they can easily unlock the encrypted string


I read somewhere that you can add something to the encrypted string with salt

But I didn't understand exactly how salt works, how it protects the encrypted string, and should I store this salt locally or not?

What I have tried:

how to use salt for protected encryption pass
Posted
Updated 9-Aug-22 17:51pm
v2
Add a Solution
Comments
PIEBALDconsult 9-Aug-22 21:49pm    
I see no reason to encrypt the connection string unless it contains a password -- and it should definitely _not_ contain a password.
With SQL Server, use Integrated Security.

2 solutions

Encryption salts are just a mechanism to add some randomness to the encrypted string, it doesn't necessarily protect your password from being decrypted. The reason someone may choose to use a salt is because popular encryption methods (ie. MD5, SHA1) have large hash tables available to download (which is like a map saying "This MD5 string = this password"). If you didn't use a salt as part of the encryption then these hash tables could be used to brute-force a password. Adding the salt simply means that the result of the encryption shouldn't be the same as a value expected in a hash table.

All that being said, I'm going to go out on a limb and say that there's no real way to guarantee that someone won't manage to get the connection string anyway. In C#, it's extremely easy to decode a compiled C# application back to the original code. You can try obfuscating the code, but it's still breachable. Even if you stored some "salt" or "encryption key" somewhere hidden deep down on the computer, somebody would still find it.

If you really want to have your C# application connect to some sort of central database, consider instead building an accompanying web API, and have your C# application talk to the API to do it's operations (that way, you can safely store the database and database connection details on the API server, not exposed to users). You can manage people's permissions more effectively, and you can have finer-grain control over things like how long a user remains logged in, and can immediately grant or revoke function access.
 
Share this answer
 
Posted
There seems to be a bit of confusion.

MD5 is a cryptographic hashing algorithm, not an encryption algorithm. The difference is the result of a hash cannot be decrypted, or "un-hashed", back to the original content. Encryption can be decrypted to return the original content.

Salting is usually only appropriate for hashing operations, not encryption. The reason you salt the data you hash is because duplicate, unsalted data, will return the exact same hash value for each instance. For example, when used to hash passwords, users that the use exact same password will have the exact same hash value in the database, making it easier for an attacker to figure out what the password is. Salting the passwords with different salt data will result is different hash values for the same password, making it appear as though each user has a different password.
 
Share this answer
 
Posted
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
How to Encrypt using SHA512 with Salt?
How do I add a MD5 encryption with a salt in mvc 4?
Decrypt file encrypted with gnupg
Problem in Encryption of URL in ASP.NET.
Encrypt files stream in c# for protect files
What are the different ways in which we can encrypt a string in C# without using salt key.
How to protect a excel worksheet using C#
How to Match Hash with Salt Password in C#
Searchable encryption solution
Can we write AES enryption in javascript and decryption in java using a static SALT and IV

Advertise
Privacy
Cookies
Terms of Use
Last Updated 9 Aug 2022
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web04 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900