tags:

views:

186

answers:

3
Q: 

Secure Database Backend for Windows Application that users can't hack into easily.

I'm writing a database driven windows application and both the executable and database need to be installed on the customers machine.

Is there a database that I can use as a backend to my application that the user can't get into even though the user is using the same machine that the database is stored on.

As far as I can tell, Postgres won't work for this, and the versions of access that I have tried are easy to get the crack the passwords for.

My application has to be able be installed on a laptop and be useable even when there is no internet access, so the usual client-server database models just don't work.

I have considered using a VMWare virtual appliance with Postgres installed on some version of linux, but this would have a pretty heavy system load.

I would prefer to not have to use encripted text files or something like that.

+1  A: 

How critical is the data? Encrypting data on your system using standard RSA or AES with a key stored and encrypted in your application will keep your mum and dad user away.

But if you can't keep the secret out of the client application, then you're going to have trouble here.

Spence  2009-08-14 04:34:06
It's not super critical data, like banking information or something like that. I know I probably can't keep anyone really serious out.The goal is mostly to keep the users from screwing up the database, building their own applications to connect to it, etc.I could encript some of the fields in the database, but that doesn't address the problem of trying to keep the users from adding or deleting stuff manually.
 2009-08-14 04:41:19
Ah but it does. You can add a "salt" to each row and encrypt the data. if you want to be really mean you could even encrypt the row and table names, you can do this with a precompile script to have a mapping between your names and a design set of names.Also if you have the salt, you can stop the user from adding or modifying rows. You obviously can't stop the deletion as any security you do they can override as the local administrator.
Spence  2009-08-14 04:45:33
+2  A: 

Since users (or hackers) own the machine, there is nothing you can do to make it secure. Anything you try will fall into a category called Security Through Obsecurity.

Your best bet is to encrypt your database and try to hide the key in some obscure place in your binary. Since this is an installed application, don't use Database servers. Just use a DB library like Postgres.

ZZ Coder  2009-08-14 04:39:32
A: 

There's a couple of options available to you, depending on your budget.

First, I have used SQL Server Compact Edition 3.5 with a .NET program for doing a local database that was encrypted. The good news was that the file was encrypted and could only be accessed if you had the password. The bad news of course is that your password will probably be in your connect string, unless you do something like a seeded PRNG to generate up the password for you. Also, SSCE requires that it be installed independent of your application -- if for any reason the user uninstalls it through Control Panel, your application won't run.

Second, I have also used a commercial product called VistaDB, and it also supports local database files that are encrypted. There are comparison features of VistaDB versus other database engines available on their website -- but another thing they offer is that they don't have a runtime that has to be preinstalled -- you just add another assembly to your distribution (they claim you can statically link it, but I haven't tried that personally). The local file on disk is also encrypted with VistaDB, and without the password you can't access the underlying database.

Good luck!

scwagner  2009-08-14 04:49:39

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?