tags:

views:

906

answers:

6
+8  Q: 

C# encryption in the age of reflector

Hi everyone,

I have a program, where the password to a database is set by a remote user. The program saves the username and password to an encrypted string in an xml file that otherwise should be human readable. Now, this works fine, I use the C# DES encryption with a key, and it get encrypted and decrypted. Now, the problem is that anyone can use reflector to see the key. Even with obfuscation, the key should be readily apparent. So, how does one deal with this? Now, I don't need this to be NSA secure, but I really would like to prevent anyone from peeking. Thanks.

EDIT: Thanks for all of the advice so far, information on this sort of thing is not very widespread, and I really appreciate general tips as well as specific answers.

+5  A: 

This is not really a problem about relector or not. It is about key management. DES and any other encryption scheme relies on keys being changed on a regular basis. Hard coding the key in code obviously violates this. To get around this, you should look into key management.

EDIT: To elaborate a bit: Depending on you setup, you could store the hashed passwords in the file system and rely on file system/user security or in a database an rely on the database rights.

Brian Rasmussen  2009-07-16 19:47:06
could you be more specific in how one would go about handling this?
Steve  2009-07-16 19:48:37
Please comment when down voting. Thanks.
Brian Rasmussen  2009-07-16 19:58:23
+2  A: 

Unfortunately, there's never a 100% secure way of doing this. You can obfuscate the code, use unmanaged code for secret areas, but since your application is able to read the password again, so can any attacker who puts enough effort into it.

chris166  2009-07-16 19:49:57
+8  A: 

Try using DPAPI (System.Security.ProtectedData class). This protects your encrypted data using the user or machine credentials. So only the user account that's accessing the data (user credentials) or a user that can log in to the machine (machine credentials) will be able to decrypt your data.

Joe  2009-07-16 19:50:49
this approach works well for server side programs, but doesn't scale well for client side
Scott Weinstein  2009-07-16 19:59:35
@Scott can you clarify
Remus Rusanu  2009-07-16 20:03:58
This works especially well for client side code. It is harder to use DPAPI on a server side application (impersonation, service account access to profiles, etc.). On a client the user specifies their password on the first run of the app which is encrypted with their DPAPI key. The encrypted data is stored on their system so that only they (or an admin) can decrypt that data. When the user starts up the app again, DPAPI uses their keys to decrypt the password. You get the benefit of not storing a common encryption key in the assembly where it can be easily cracked.
Joe Kuemerle  2009-07-16 20:13:10
+1  A: 

You shouldn't be storing the password encrypted at all. You should be storing it hashed instead, with a one way hash function. See:

http://www.codinghorror.com/blog/archives/000953.html

Alex319  2009-07-16 19:50:54
Doesn't help in the OP's situation, where he needs the password to access an external resource (a database).
Joe  2009-07-16 19:53:32
And how exactly would you present a *hash* in a connection string?
Remus Rusanu  2009-07-16 19:54:30
+1  A: 

We had a similar situation. We ended up putting the key in a file and having the user enter some sort of password (or key using hashing) to be able to read the file. It was the pain of making the user enter more information, but it removes the key from the program.

SwDevMan81  2009-07-16 19:53:18
+4  A: 

You shouldn't encrypt your password using a secret embedded in your application, that is the root of your troubles. No matter how strong your encryption is, the key is clearly exposed in your code.

You should ask your user for the credentials, store the db user/name and password in an ordinary configuration section in your app.config and rely on the DPAPI backed DpapiProtectedConfigurationProvider class to encrypt and decrypt the section for you, using either the machine keys or a user specific key. See the link I provided for a full example how to do this.

Remus Rusanu  2009-07-16 20:02:58

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?