Encryption - how do I store a password/key in my App?

    Lakitu wrote (#1):

    Hi all, I'm working on a C# project and need to store sensitive data (things like authentication tokens for web services etc.). Because C# applications can easily be reverse-engineered I want to encrypt/obfuscate these values with one of the provided encryption classes. However, to decrypt these values at runtime I need the key/initialization vector. These would need to be stored inside the application as well -> they're visible in a decompiler. That's some kind of "chicken and egg" problem, does anyone have a hint or solution for this? Thanks

    If a train station is where the train stops, what's a workstation...?


      Senthil Kumar wrote (#2):

      The normal solution to this problem is to store the hashed value of the password. When the user enters his/her password, the application hashes it and compares it with the stored hash value to see if they match.

      Regards, Senthil


        Lakitu wrote (#3):

        But I don't want users to have to enter a password for two reasons:

        1. A user shouldn't have to care about internal things
        2. The user password (which equals the one hashed and put in the source) has to be given to each user

        If a train station is where the train stops, what's a workstation...?


          Steven Campbell wrote (#4):

          Microsoft provides the DPAPI, which provides additional encryption services for this purpose. See http://www.obviex.com/samples/dpapi.aspx for an example.



            afinnell wrote (#5):

            If you are truly paranoid about it there are a few things you can do:

            1) Write a C function that returns all of your information and compile it into a DLL. Use P/Invoke to retrieve the information. Make sure all of the string data you store in the DLL is encrypted. When you return it from the C function you can unencrypt it at that time. Store the keys in the DLL as a byte array not a string to prevent 'strings' processing.
            2) Write a COM dll that does the same thing as 1

            There are problems with this as well because anyone else can load the C function, or COM object and invoke the required methods. There is also the question of hiding information from one customer to another. You could do a one-time key gen and store it on the client machine. This would prevent one customer from obtaining information that might be important to someone else if they got a hold of their data files.

            Yet another approach would be to use an algorithmic key generation approach. This would involve using a complex sequence of steps that produce a static key. The key wouldn't be embedded in the software, but the algorithm that generates the key would be in the code. This code then could be obfuscated adding another layer of protection (Protection being relative in this case).

            Always remember that if a client has binaries on their machine, it's difficult to absolutely prevent them from getting a hold of important data. That being said, you can make it so difficult to obtain the information that it's not worth it.

            Now for the security experts, security by obscurity is not a good option. All of the methods I have mentioned are security through obscurity. Normally when it comes to security you need to base it on something else, like 'things they have', 'things they know', etc...

            - Drew
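
The DPAPI route from post #4, combined with the one-time per-machine key generation mentioned in post #5, as an added example that is not part of the thread and not taken from the linked sample. It is Windows-only and uses `System.Security.Cryptography.ProtectedData`; the class name, folder, file names and entropy string are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
static class LocalSecrets
{
    // Hypothetical per-user folder for this example.
    static readonly string Dir = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "ExampleApp");
    // Ships in the binary, so it is not a secret; it only ties blobs to this app.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp.LocalSecrets.v1");

    public static void Save(string name, byte[] secret)
    {
        // CurrentUser scope: DPAPI keys are tied to the logged-on user's Windows
        // credentials, so no key or IV is compiled into the application.
        byte[] blob = ProtectedData.Protect(secret, Entropy, DataProtectionScope.CurrentUser);
        Directory.CreateDirectory(Dir);
        File.WriteAllBytes(Path.Combine(Dir, name), blob);
    }

    public static byte[] Load(string name)
    {
        string path = Path.Combine(Dir, name);
        if (!File.Exists(path)) return null;
        byte[] blob = File.ReadAllBytes(path);
        try { return ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser); }
        catch (CryptographicException) { return null; } // corrupt, or protected under another account
    }

    // One-time key generation per install: random, never present in the binary.
    // If the stored blob cannot be unprotected, a new key replaces it and data
    // encrypted under the old key is no longer readable.
    public static byte[] GetOrCreateKey()
    {
        byte[] key = Load("data.key");
        if (key != null) return key;
        key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        Save("data.key", key);
        return key;
    }

    static void Main()
    {
        // Constructed sample token, not a real credential.
        Save("service.token", Encoding.UTF8.GetBytes("constructed-sample-token"));
        Console.WriteLine(Encoding.UTF8.GetString(Load("service.token")));
        Console.WriteLine(Convert.ToBase64String(GetOrCreateKey()) == Convert.ToBase64String(GetOrCreateKey()));
    }
}
```

Any process running as the same Windows user can unprotect these blobs, and the token still has to reach the machine at install or first run rather than being compiled into the assembly.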
