Wednesday, February 28, 2007
Posted on Wednesday, February 28, 2007 2:55:20 PM (Mountain Standard Time, UTC-07:00)
Categories: ArcMap | Geodatabase | Security
[UPDATE 3/1/07 8:00am : After a few emails with ESRI, they agreed that discussing their public API, as it relates to the security of passwords, is reasonable, and they have confirmed that the password that is returned by IWorkspace.ConnectionProperties is encrypted. For obvious reasons they will not disclose any of the technical details. Thanks to ESRI for confirming this, and for permitting me to share the answer.]

[UPDATE 2/28/07 7:50pm : I received a request from ESRI to take this posting and my related forum post down because they discuss security and encryption related to their software. At this time, I'm taking the posting down, and will work with them to determine a reasonable update. Stay tuned.]


[ORIGINAL POSTING]
I posted a question [I deleted its contents at ESRI's request] over at the ESRI forums about this, but thought I'd also throw it out here as well. Essentially, I'm looking to build a secure application, and I want to know if it's possible to extract the connection password from the data returned by IWorkspace.ConnectionProperties. I posted some VBA code from an EDN sample that pulls the connection properties from the first layer in the map and displays the properties in a popup. All I added was a few lines which would actually write out the password byte array.
 


What I'd like to know (preferably from someone @ ESRI) is just what that byte array is. I suspect it's the password encrypted, but it could also be a hash. If it is the password encrypted, where is the key? How safe is it? If it is a hash, is it reversible?

[Clarification: In my original posting, I had asked a series of rhetorical questions (above) - I did not expect to get these answers from ESRI, nor do I really want them - I really just wanted to know that the password is "relatively" safe - i.e. encrypted.]

Wednesday, February 28, 2007 6:53:00 PM (Mountain Standard Time, UTC-07:00)
They'd tell you, but then they'd have to kill you.

You can't do anything with it, that's for sure (I've asked). If *you* need the password, you have to ask the user yourself.
Rich Ruh
Thursday, March 01, 2007 8:28:31 AM (Mountain Standard Time, UTC-07:00)
Rich,

I was more interested in the possibility of a user running some simple VBA code and getting the password. Our application is going to manage the connection to ArcSDE, so I want to be sure that those credentials are secure.

Dave