I'm building a system that consists of many clients connecting to a server. The clients automatically push data to the server via a web service call. I've built an authentication mechanism in order for the clients to authenticate with the server so only authenticated clients can upload data. The problem is that I've hardcoded the password into the client code and it is accessible if someone uses a reflector. In this scenario, where I have no user input, what would be the best way to store the static password on the client? Thanks (.Net version on the client is 2.0 and the .net version on the server is 3.5)
+1
A:
You have a number of methods that you can use, but one of the easiest to implement would be to encrypt the password and then just store it in the app.config for the application that gets deployed to the user.
Mitchel Sellers
2009-12-14 16:04:00
Still the decryption mechanism would be visible via reflection, wouldn't it?
TomSharp
2010-01-31 16:16:52
A:
Have you looked at http://msdn.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx?
Also, are your webservices WCF? If so, you could use mutual certificate security. It is much more robust than a password.
HTH
unclepaul84
2009-12-14 16:19:14
I have to have legacy support - so can't use anything fancy like that...
TomSharp
2010-01-31 16:19:58
A:
I would consider getting a good obfuscator for your code, for one thing. That will prevent (or at least deter) people from using reflector on your assemblies.
However, your authentication system doesn't sound too secure. Even if you did encrypt the password, if the password is always the same, it would be as easy as sniffing packets to figure out what needed to be sent to your server to authenticate. Because it would have to be decrypted before it was sent.
You'd have to go over an SSL at the very least.
Also you might want to look into using Asynchronous Encryption with Signed XML using a Machine Hash if you're installing this in some public client's environment. Something like a Licensing Scheme.
I don't know anything about your architecture or the environment you're running in, so I can't make any recommendation as to what would be the best security implementation, but I can tell you the current setup doesn't sound secure to me.
blesh
2009-12-14 16:25:19
Thanks, I'll go over SSL , already using Machine Hash and I'll look into licensing Schemes.
TomSharp
2010-01-31 16:21:05
A:
"I've built an authentication mechanism in order for the clients to authenticate with the server so only authenticated clients can upload data."
How are they authenticated to become "authenticated clients"?
Can someone just copy your application to their home computer and now they are an authenticated client?
This seems like a huge security oversight if you're trying to decide who can upload based on a value in your assembly.
If you can do IP based validation, if you want to avoid passwords and login mechanisms.
Aequitarum Custos
2009-12-14 16:38:30
It is a big problem - Anybody can just copy my application to their home computer and become an authenticated client. Right now, I'm using hardware Id to avoid this scenario. But it's still not secure enough.
TomSharp
2010-01-31 16:14:41