Performance question: SQl Server CE 3.1 secured with a password.

Question

Hello.

I'm developing a Windows Mobile 5.0 and above application with C#, .Net Compact Framework 2.0 SP2 and SQl Server CE 3.1.

I need to store some secret information on Sql Server CE database and I wondering if I encrypt database with a password could affect application's performance.

I'm also thinking to store the password in an assembly would be useless since you can disassemble the assembly and recover the password.

Is going to affect performance?

How can I store password database to avoid retrieve it?

Thank you.

Answer 1

I have to point out that "security" of an application is really only a relative answer because no matter how good you are protecting your source from disassembly there is always a cracker who could break if they choose to. C# is particularly vulnerable to this since you easily see into almost any class using Reflector which is why there is a whole suite of products out there for protecting and obfuscating your assembly.

Honestly almost none of it is worth the time or the cost it can cause in damage to your company / customer base. Take for instance Open letter to XHEO: That is not a good way to do business this could easily happen with any security providers' software or anything you custom write.

But the simplest answer to your question on how to store the password would to be just make a web service call and retrieve it from your server. Of course this will only work if the application can access the internet reliably and seeing as it's windows mobile that you would want to bar users from your application if they are offline. The long answer comes down to how important it is to protect that information and how much dollar value is worth being applied to it for either purchasing a solution or investing the development hours to do it yourself.