tags:

views:

188

answers:

6
+2  Q: 

Storing passwords that can't be hashed in a server application

I have a .NET server application that must store passwords that can't be hashed because some APIs I use need the passwords in plain text.

These passwords can also be exported and imported as part of the system configuration into another server instance of the application or for backup purposes.

The encrypted data will definitely need to be readable by application instances on other servers besides the one it was exported from.

What is the most secure way to accomplish this without too much hassle for the user and minimum risk of data loss because of a lost/unavailable encryption key?

EDIT

I am looking more for details like:

  • How/where to store the key
  • Generating a unique key for each install and storing it vs an application wide common key

...not on which encryption algorithm to use.

EDIT II

I should add that this application will be distributed to customers to run on their own servers. It is a client/server application. The passwords stored are only used by our application to pass into external API methods. We don't use them for anything else.

The main concern is when the system configuration is exported as XML for backup or to move to a different machine. This is where we want to protect them, but also make it as easy and flexiable for the user as possible.

+2  A: 

Well if you're just looking for a strong algorithm, you could do much worse than using TripleDES. It might be 32 years old but it's still very strong.

If you want something a little newer, AES (originally Rijndael) is fine too.

You might want to compare the performance of each to see what fits you best.

Oli  2009-06-19 14:38:41
IMHO: When we're talking about the encryption of something like a password, I wouldn't even consider doing a performance comparison unless you're running your enrypt/decrypt code on a 286. Crypting large quantities of data? Sure. Short strings? Baah.
Yoopergeek  2009-06-19 14:49:14
+2  A: 

When it comes to encryption, the key is like a hardware dongle. Protect it with your life.

What server are you using? Most modern RDMBS come with encryption features that will handle encrypting the data for you while at rest, no external keys needed. This would at least protect the data while in the server...

Dave Swersky  2009-06-19 14:40:49
The application currently uses an internal VisaDB database, but it will support more external ones in the future. The config will be saved to an XML file when exported, and I am most worried about the passwords in this case.
Dana Holt  2009-06-19 14:50:55
A: 

you could have your program pgp encrypt them such that your customers pgp key could decrypt them and so could yours. the passwords would only be in plain text while the programming is using them.

mog  2009-06-19 14:41:36
+2  A: 

Actually, a good way would be to use the user-input password as a seed/key to generate an on-the-fly stronger password. Lots of servers do that all the time. That gives you several benefits. 1. No hassle to the users. 2. You can save the user passwords as a text file. 3. A machine generated password is way stronger than a password provided by a human. 4. You can generate new password with the same seed which makes your protocol stronger for replay attacks.

Try it out.

Elitecoder  2009-06-19 14:45:20
+1  A: 

After the edit in which you described what you are looking for, following are some more suggestions -

If you proceed with using the User password as a key or seed, the key can be stored in a database or even a CSV file correlating with the users. After thats accomplished, next question would be, whats better - generating a unique key every install or having a universal application key. Actually, having a universal application key is a bad idea for several reasons - 1. If it gets cracked once, all your previous exchanges can be cracked as well. 2. Its prone to replay attack, when an encrypted password can be replayed. 3. You should consciously keep changing this key from time to time.

Thus, on any day, generating a unique key is a much better idea. I think you should look into Diffie-Hellman Key Exchange. I think that will solve most of your problems. The concept of D-H key exchange is that, you use your own user provided key to establish a unique (every transaction) key for communication. The best part about this method is that, the actual key is never revealed and you can generate new passwords every time based on the same old seed/key.

Have a look into it.

Elitecoder  2009-06-19 15:09:09
A: 

We store credit card information using asymmetric public-key encryption. Many servers have the public key which is used to encrypt credit cards on the way in. Only our cc gateway application has the private key for decrypting and processing payments. The private key is installed as a cert on the production server.

Since you are storing passwords, you should probably still have a hash for fast user authentication.

http://en.wikipedia.org/wiki/Public-key_cryptography

Michael Valenty  2009-06-19 15:23:55

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?