tags:

views:

47

answers:

3
+1  Q: 

Storing sensitive data in Silverlight

I have a Silverlight Business Application. I want to store the username and password that the user enters when logging into the system.

Does anyone have any pointers, tips etc on how I can securely store this data? I would like to store it encrypted but I'm not sure where I would store the password/salt, would it be secure to store this in the client code? I'm guessing it won't be because this is sent to the client.

I would normally use the Windows Data Protection API (DPAPI) to machine encrypt the data, is this possible in silverlight?

The app will be run in-browser using Silverlight 4.

Update

I validate the user on the server side. Currently I store the username and password encrypted on the server side. The reason I need them in the client side is when using the Perpetuum Report Viewer, in the case that the report contains sub-reports or has a drill-through then the user is prompted from their credentials. I don't want the user to need to enter their credentials again, the only way round this is to provide them on the client side.

+1  A: 

Storing that information is never safe on the client side. Silverlight can always be reversed enginered, you can make it hard to get it for users / hackers but it is never 100% safe.

Here is nice article about using AES algorithm to encrypt/decrypt data in Silverlight: http://www.davidezordan.net/blog/?p=202

Peter Kiers  2010-09-03 10:09:48
I realise it's never 100% safe, checking out the Davide Zordan article, looks promising.
Fermin  2010-09-03 10:50:33
A: 

Why you don't store sensible stuff on server side?

Silverlight assemblies can be reversed engineered or/and modified.

Let the user enter his password and send it encrypted to the Server Side. On Server Side you then check the password if it's correct.

There is no need to store password's in the silverlight control.

Ben  2010-09-03 10:23:33
See question update, I do validation on server side and store it there but need it client side to use with 3rd party control.
Fermin  2010-09-03 10:56:19
A: 

An alternative to storage might be to use LocalMessageSender and LocalMessageReceiver (some form of encryption might be prudent) to pass credentials between Silverlight application instances running from the same domain.

AnthonyWJones  2010-09-03 12:44:05
Do you suggest having a second Silverlight app running to store the data and passing back and forth to that?
Fermin  2010-09-03 13:54:41

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security