How could I read/write specific string on my WPF application
It's must be internal and on my application
I have using
CredentialManager
, but I lose data of it during reboot
CredentialManager.WriteCredential("title", "user, "pass");
You want to write your data to a file or a database in order to be able to access them after a reboot.
In most of the cases you could simply use a FileStream and do your file read/writes. But from your example it looks like you're trying to save user credentials which is sensitive data, so should never be written/saved anywhere without proper security measures.
So using some sort of encryption algorithm is one good practice. .NET comes with its own basic Encrypt and Decrypt capabilities, but those are really basic. I don't know what level of security you'd want so it's really a judgement call on what to use.
If you prefer rather high level of encryption, this SO post has some good answers on how to go about it. Hope this helps.
Related
My situation is as follows:
I have to deploy a series of .NET desktop applications consisting of a file with encrypted data and an executable that will access that data and decrypt some parts of it in runtime.
What I need to achieve is that each data container should only be decryptable by that specific .exe it is provided with.
The first idea was to encrypt the data using, say, the hash value of the .exe file as a symmetric key and during decryption calculate the hash value of the .exe file in runtime and decrypt the parts of the data container with it.
However, the problem with that approach is that the user can easily look into the .NET assembly with ILSpy or any other decompiler and discover the whole encryption algorithm which will enable the user to decrypt all the data containers in my series of applications.
Another solution that comes to my mind is to make a small C native library (that is less easy to decomplile) that will perform some manipulations with the .exe assembly information and generate a key for decryption based on it (let's consider the user lazy enough so that he will not try to intercept the key from the memory).
But ideally I wouldn't like to resort to any languages other than C# because porting the application to other platforms with Mono will require additional effort (P/Invokes and so).
So my question is: is there a way I can encrypt the data so that only a certain application would be able to decrypt it?
Of course I understand that in case of a local application it is impossible to keep the data absolutely secure but I need to make the 'hacking' at least not worth the effort. Are there any reasonable solutions or I will have to stick to one of my ideas I described above?
Thank you in advance!
The simple answer is no.
To encrypt and decrypt data, you need an algorithm and, optionally, a secret or key. If a computer can execute the algorithm, someone else can learn what it is. Ignoring decompilation and disassembly, a user could just look at the instructions executed by the CPU and piece together the algorithm.
This leaves the secret. Unfortunately, if the computer or program can access or derive a secret, so can someone with root or administrator rights on that computer for the same reasons above.
However, maybe you are just thinking about the problem the wrong way. If you want the program to access data that no one else can, consider making that data available from a server that users must authenticate to access. Use SSL so data is protected in transit and encrypt the data locally using a key that only the local user and local administrators can access. It is not perfect but it is about the best you are going to get in the general case.
If you need more protection than that, you may want to consider hardware dongles but this gets expensive and complex quite quickly.
I need to store encryption/decryption keys for an encryption algorithm, on a public WPF application, available as free download to anyone.
Obviously, I would like to store these keys in secure way, so that the user may not see them.
As I see it, it's not possible, since it's very easy to decompile a .Net app, and obfuscating it doesn't do much. I can't think of a place to store these infos, that is either not user-accessible, or is "naturally" encrypted (like some kind of "Windows vault", but then the user could create an application pretending to be my own, wouldn't he?)
From the moment the user has access to the (compiled) code and the (clear) app.config, I don't see how I can store sensitive informations locally.
I saw plenty of help to encode connection strings and securing stuff on IIS, but none on WPF applications.
Is there any way to securely store arbitrary data with .Net/WPF?
Thanks!
Do not put it in the app - 'anyone' can get to it.
Store the secrets (private keys) in a certificate store so only processes with the appropriate rights will have access. Make installing the private keys part of a separate process/setup so admins can do that apart from installing the application and have the application search/query the certificate store
Simple: You do not.
NO way to do that ever has worked. None. Ever. All copy protections that get cracked within days are based on "hey, I can hide something".
You can safely store user specific data in the user's specific folders - and leave it to the OS to protect these places. But thinking you can hide encryption keys in your app - basically: you can hide them if noone smart looks at them (or: no dedicated hacker). This may work - but it is "relying on people not really wanting to find it".
As soon as information is stored on the user's machine, you have to assume he can access it; there's no way around it. The only option, if you want to make it impossible for the user to access the key, is to do the encryption on a remote server, but it's not always a viable option if the data to encrypt is large.
Lets say my program is an Anti-Virus.
Lets also say I have a file, called "Signatures.dat". It contains a list of viruses to scan.
I would like to encrypt that file in a way that it can be opened my by anti-virus on any computer but the users wont able to see the content of that file.
How would I accomplish that task ?
I was looking at thigs like DPAPI, but I dont think that would work in my case because it's based on User's setting. I need my solution to be universal.
I've got a method to encrypt it, but then I am not sure how to store the keys.
I know that storing it in my code is really unsecure, so I am really not sure what to do at this point.
You want the computers of the users to be able to read the file, and you want the computers of the users to be unable to read the file. As you see, this is a contradiction, and it cannot be solved.
What you are implementing is basically a DRM scheme. Short of using TPM (no, that doesn't work in reality, don't even think about it), you simply cannot make it secure. You can just use obfuscation to make it as difficult as possible to reverse-engineer it and retrieve the key. You can store parts of the key on a server and retrieve it online (basically doing what EA did with their games) etc., but you probably will only make your product difficult to use for legitimate users, and anyone who really wants to will still be able to get the key, and thus the file.
In your example are you trying to verify the integrity of the file (to ensure it hasn't been modified), or hide the contents?
If you are trying to hide the contents then as has been stated ultimately you can't.
If you want to verify the file hasn't been modified than you can do this via hashes. You don't appear to have confused the two use-cases but sometimes people assume you use encryption to ensure a file hasn't been tampered with.
Your best bet might be to use both methods - encrypt the file to deter casual browsers, but know that this is not really going to deter anyone with enough time. Then verify the hash of the file with your server (use https, and ensure you validate the certificates thumbprints). This will ensure the file hasn't been modified even if someone has cracked your encryption.
I've found a lot of answers for web applications, but none for winforms.
I want to store the user (id at least), the UI language in use and other general info that should last for the time a user is connected. Note: I'm developping a DLL.
So to summarize, I need to store the data while the application is open. When it's closed, all the infos can be disposed.
Possible solutions:
- Keep the information in a static class, but it's probably a bad practice.
- Create a class which has to be sent in parameter to whatever is called/instanciated in the DLL
- Create a class and find a way to make it reachable from other places in the DLL (I don't know any way to achieve that)
Note: I do not use Windows' Active Directory.
Note 2: I don't need to store sensitive data like the password
You can save your user data in an encrypted file. You would build an xml file then use synchronous encryption to save it. (Synchronous means you have a common key to decode it, which you could put in a static class). Search synchronous xml encryption c#
Beforehand :
I have read indeed the other topics on SO, but I can't find an answer in them.
(The others are about config-files, or a list of techniques)
My question thus is very simple, though a bit subjective (I'll label it beforehand :-)) what is the easiest way..
File.Encrypt is pretty simple - one call (with one parameter).
Of course, it really depends on what you want the encryption for. File.Encrypt encrypts to the current account, which isn't much use if you're passing the file around. But, given your spec - i.e. easiest way to encrypt a file - it has to be a candidate!
Data Protection API in C#
Don't believe you have any security just because you encrypt a config file. If someone has access to the encrypted config file, and your executable, containing the password, it's likely to be possible to decrypt your configfile. It's just a little harder.
And say your config file contains passwords to database connections, it might be possible to get those passwords looking at the network packets.
Encryption is trivial with modern libraries: the hard part is securing the key(s).
So you need to look at what you're trying to secure, and what threats you are trying to secure against.
To encrypt a file so only the current user can see it on a client workstation, File.Encrypt is a good choice, or DPAPI with the CurrentUser scope.
For a configuration file on a single server, DPAPI using the LocalMachine scope is a good choice. You then need to make sure only authorized users are able to log in to the server. Here you're essentially delegating key management to Windows.
For a configuration file on a server farm, you need to share the key between the servers. RsaProtectedConfigurationProvide is a good choice, but you have more work ensuring that all servers have access to the same key, and that it is protected against unauthorized access (e.g. using a DACL).
I recommend the Cryptography Application block in Enterprise Library. Very easy, very flexible.