views:

47

answers:

3

I have a Silverlight Business Application. I want to store the username and password that the user enters when logging into the system.

Does anyone have any pointers, tips etc on how I can securely store this data? I would like to store it encrypted but I'm not sure where I would store the password/salt, would it be secure to store this in the client code? I'm guessing it won't be because this is sent to the client.

I would normally use the Windows Data Protection API (DPAPI) to machine-encrypt the data; is this possible in Silverlight?

The app will be run in-browser using Silverlight 4.

Update

I validate the user on the server side. Currently I store the username and password encrypted on the server side. The reason I need them on the client side is when using the Perpetuum Report Viewer: in the case that the report contains sub-reports or has a drill-through, the user is prompted for their credentials. I don't want the user to need to enter their credentials again, and the only way round this is to provide them on the client side.

+1  A: 

Storing that information is never safe on the client side. Silverlight can always be reverse engineered; you can make it hard for users/hackers to get at it, but it is never 100% safe.

Here is a nice article about using the AES algorithm to encrypt/decrypt data in Silverlight: http://www.davidezordan.net/blog/?p=202

Peter Kiers
I realise it's never 100% safe. Checking out the Davide Zordan article, it looks promising.
Fermin
A: 

Why don't you store the sensitive stuff on the server side?

Silverlight assemblies can be reverse engineered and/or modified.

Let the user enter his password and send it encrypted to the server side. On the server side you then check whether the password is correct.

There is no need to store passwords in the Silverlight control.

Ben
See question update: I do validation on the server side and store it there, but need it client side to use with a 3rd-party control.
Fermin
A: 

An alternative to storage might be to use LocalMessageSender and LocalMessageReceiver (some form of encryption might be prudent) to pass credentials between Silverlight application instances running from the same domain.

AnthonyWJones
Do you suggest having a second Silverlight app running to store the data and passing back and forth to that?
Fermin
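The following is an added example, not code from the thread, showing the approach AnthonyWJones describes: a second Silverlight 4 instance on the same domain receives the credentials over LocalMessageReceiver, with the message AES-encrypted in transit as in the article Peter Kiers links. The receiver name "reportCredentials", the passphrase, the salt and the CredentialCrypto/CredentialReceiver/CredentialSender class names are assumptions for illustration. The caveat from the first two answers applies in full: the passphrase and salt ship inside the XAP, so anyone who decompiles the assembly can recover the key. This hides the credentials from casual inspection of the message, nothing more.

```csharp
// Added example (not from the original thread). Passes credentials between two
// Silverlight 4 instances on the same domain via LocalMessageSender/Receiver,
// AES-encrypted in transit. Receiver name, passphrase and salt are assumptions.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Windows.Messaging;

public static class CredentialCrypto
{
    // CAVEAT: both constants live in the XAP and can be recovered by decompiling
    // it. This is obfuscation against casual inspection, not real protection.
    private const string Passphrase = "replace-me-this-ships-in-the-xap";          // assumption
    private static readonly byte[] Salt = Encoding.UTF8.GetBytes("reportCredentials-salt"); // constructed

    private static byte[] DeriveKey()
    {
        // PBKDF2 via Rfc2898DeriveBytes is part of the Silverlight BCL.
        var kdf = new Rfc2898DeriveBytes(Passphrase, Salt, 10000);
        return kdf.GetBytes(32);                       // 256-bit AES key
    }

    // Returns base64(iv) + "." + base64(ciphertext); a fresh IV per message.
    public static string Encrypt(string username, string password)
    {
        using (var aes = new AesManaged())             // CBC + PKCS7 in Silverlight
        {
            aes.Key = DeriveKey();
            aes.GenerateIV();
            byte[] plain = Encoding.UTF8.GetBytes(username + "\n" + password);
            byte[] cipher;
            using (var ms = new MemoryStream())
            {
                using (var cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
                    cs.Write(plain, 0, plain.Length);  // FlushFinalBlock happens on dispose
                cipher = ms.ToArray();
            }
            return Convert.ToBase64String(aes.IV) + "." + Convert.ToBase64String(cipher);
        }
    }

    // Returns false on malformed or tampered input instead of throwing.
    public static bool TryDecrypt(string message, out string username, out string password)
    {
        username = password = null;
        string[] parts = message.Split('.');
        if (parts.Length != 2) return false;
        try
        {
            using (var aes = new AesManaged())
            {
                aes.Key = DeriveKey();
                aes.IV = Convert.FromBase64String(parts[0]);
                byte[] cipher = Convert.FromBase64String(parts[1]);
                using (var ms = new MemoryStream(cipher))
                using (var cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Read))
                using (var reader = new StreamReader(cs, Encoding.UTF8))
                {
                    string[] fields = reader.ReadToEnd().Split(new[] { '\n' }, 2);
                    if (fields.Length != 2) return false;
                    username = fields[0];
                    password = fields[1];
                    return true;
                }
            }
        }
        catch (CryptographicException) { return false; } // bad padding: wrong key or tampering
        catch (FormatException) { return false; }        // not valid base64
    }
}

// Instance that hosts the report viewer and needs the credentials in memory.
public class CredentialReceiver
{
    private readonly LocalMessageReceiver _receiver;
    public string Username { get; private set; }
    public string Password { get; private set; }

    public CredentialReceiver()
    {
        // One-argument constructor: name scoped to this domain, and only senders
        // from the receiver's own domain are accepted.
        _receiver = new LocalMessageReceiver("reportCredentials");
        _receiver.MessageReceived += OnMessageReceived;
        _receiver.Listen();                            // throws ListenFailedException if the name is taken
    }

    private void OnMessageReceived(object sender, MessageReceivedEventArgs e)
    {
        string user, pass;
        if (CredentialCrypto.TryDecrypt(e.Message, out user, out pass))
        {
            Username = user;
            Password = pass;
            e.Response = "ok";
        }
        else
        {
            e.Response = "rejected";
        }
    }
}

// Instance where the user logged in: push the credentials across once.
public static class CredentialSender
{
    public static void Send(string username, string password)
    {
        var sender = new LocalMessageSender("reportCredentials");
        sender.SendCompleted += (s, e) =>
        {
            // e.Error: no receiver listening on this domain; e.Response: receiver's verdict.
            if (e.Error != null || e.Response != "ok") { /* surface to the user or retry */ }
        };
        sender.SendAsync(CredentialCrypto.Encrypt(username, password));
    }
}
```

Two design notes. First, the messaging API only delivers strings of up to 40 KB, which is why the IV and ciphertext are base64-encoded into one string. Second, AES-CBC on its own gives confidentiality but not integrity; the decryptor only detects tampering when the padding happens to break. Since both instances come from the same domain and the channel never leaves the browser, that is tolerable here, but if the same blob were ever persisted or sent over a network it should carry an HMAC (HMACSHA256 is also in the Silverlight BCL) computed over the IV and ciphertext and checked before decryption.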