How do I securely hide database credential in C# application?

Question

I have a situation that users access remote MySQL server in C# application.

Basically,

A user using C# application on his/her desktop ->>>> connects to remote ->>>>>>>> [ REMOTE ]

How do I securely hide database connection detail?

I have few ideas, but I don't think they are safe.

1. Encrypt database connection data into a file and store it within application directory.
2. prompt login page and let a human enter username/password, then transfer database connection data to user's computer.

Answer 1

No matter what you do if the credentials end up in the application in cleartext you are vulnerable.

Either implement a service layer in front of the database or if direct connections are essential try and come up with a scheme that allows a unique databse account for each user and then authorise them appropriately on the database.

Answer 2

Generally, it's better to ask the user for the credentials so that each account can be enabled or disabled by the administrator. Barring that, there are APIs for encrypting all or part of the configuration file. Here's a sample article:

http://www.codeproject.com/KB/dotnet/EncryptingTheAppConfig.aspx