Okay so i have this C# application that connects to a database has the login and all that stuff but what if some guy just downloaded a decompiler saw my code got the connection string from my DB and did whatever he felt like?
How can i protect myself from that? And even if i could protect my connection string how could i protect my acctual code?
You should never store critical information in your assemblies, exactly for this reason. There are numerous ways to obfuscate the information but they only delay the inevitable.
Remember: Security by obscurity is not safe
Access the data on a server-side application and pass it to an authenticated client instead.
Restrict the Database User Account to the minimal required rights (if you only need to read information - make sure it doesn't have write access, etc.)
but what if some guy just downloaded a decompiler saw my code got the connection string from my DB and did whatever he felt like? How can i protect myself from that?
That's a shame, isn't it ? There are only a few things you can do for that :
Use a VPS ($$) and store the login part of your code online. You can, for that secificly, use LiteCode, and here is a tutorial : https://github.com/debug-hf/LiteCode-Example/
Use an obfuscator to avoid decompilers and hackers to look at your code. The best so far is http://netguard.io . It includes free plans and all the premium plans are fully secured. All your strings are scrambled, melted, stored secretly in the file. Famous deobfuscator, such a De4Dot cannot handle it even if it handles more or less every obfuscators on the market !
Hope it helps :) Cheers
Connection strings can be encrypted in the config file
Connection Strings and Configuration Files
However, you cannot truly protect your code from people wishing to view what it does, you can only make it harder by obfuscation.
I would add that a proper security model could restrict access to both the physical files, and the database 'data', but that does depend on your deployment model.
You should store your connection string in your app.config or web.config file.
Related
I have a WinForms application which reads data from a sensitive file and performs calculations using that data. In order to keep the sensitive information from people's PCs, we decided to move the calculations to a web service, where the file will hide in a protected folder and only is accessible by the web service program itself.
Due to some complications it looks like it may not be possible to secure the server space in the required timeframe, so what we are now looking to do is use encryption to protect the file so that it can be safely distributed to people's PCs.
My question is this. Is is possible to encrypt a file (once, so a pre-encrypted file will be attached to the project) and then decrypt the file for use by the application without revealing
The sensitive information inside the file
The Encryption key used to decrypt the file
I know it is possible to generate source code from a .exe file so I would be looking for a solution that bears this in mind. I am new to this kind of app development so please excuse me if this is a stupid question and that what I am trying to do is not actually possible.
Cheers
No, it is not possible, you can only make it hard to do those two things. You can not make it impossible. All you can do is just make it hard enough it is not worth the effort to try, and that takes money to do (via specialized obfuscation software and paying experts in the field to look at your code and make it more secure)
I have a class for encryption and decryption of Password from database. I have a secret key in config and a salt in my code.
If someone get access to dll and database then he can decrypt my data by importing dll to his application.
Is there something to protect calling method outside of dll
Ideally, you shouldn't store passwords within your code, as decompilation is fairly easy.
The best option is to store this information in a secure location, and ideally only store hashes of the information.
That being said, there are various options you can do to help protect yourself.
One option is obfuscation, but this still only makes it more difficult, but not impossible, to discover your information. Some obfuscators are better than others, and will "break" most decompilation tools. That being said, as long as the computer can figure it out, a talented individual can as well.
I heartily recommend using the DPAPI for encrypting your app or web.config. It will help to ensure that the only way to decrypt that config is by doing so in your environment, simple file access is not enough.
http://msdn.microsoft.com/en-us/library/ms995355.aspx
I just saw this article Hiding Important Data
I'm thinking to use app.config for protecting my FTP connection string as it's stated in the link above but I'm wondering whether It's really impossible or not for someone to discover the ftp connection string somehow, by de-compiling, or by using other reverse engineering tools
The data contained in the software is very sensitive and shouldn't be shared with users, Could someone please help me whether I'm in the right way ?
If you store a value in your App.Config then that value is not hard-coded or otherwise stored in any compiled code - it's read from your config files at runtime. As such, it cannot be retrieved directly by decompiling, though there is always the possibility that your application could be recompiled to spit out a string post-decryption or similar. Obviously, config values are easily accessible to anyone who has access to your application server because they can simply read your App.Config. That is, of course, unless it's encrypted as suggested in the answers to the question you've linked.
The question about storing connection string in safest way.
My current approach (Don't laugh)
1. Wrote RSAEncryption program and passed connection string to generate cypher.
2. Stored Cypher and private key in Resource file
3. Runtime retrieved encryption file again.
My concern of using config file
- I am creating library so projects who will use my dll will need to copy my config file which I dont want
Please tell me best practice to store connection string inside the dll.
Regards,
Omkar
There is a built in mechanism in .NET to encrypt sections of config. The beauty is you can use DPAPI and have the machine itself create the key, so nobody knows what it is except Windows. The best thing is you get this pretty much for free (small learning curve) and the learning curve is easily handled with a quick Google search on encrypting configuration files. May not fit all scenarios, but it is more likely to be secure than a quickly envisioned alternative.
The only issue here is if this is shrinkwrap ware (ie, you are selling software), but there are ways to handle that by having the install require network and adding the bits they can't know while you encrypt only go into memory during install. :-)
Beforehand :
I have read indeed the other topics on SO, but I can't find an answer in them.
(The others are about config-files, or a list of techniques)
My question thus is very simple, though a bit subjective (I'll label it beforehand :-)) what is the easiest way..
File.Encrypt is pretty simple - one call (with one parameter).
Of course, it really depends on what you want the encryption for. File.Encrypt encrypts to the current account, which isn't much use if you're passing the file around. But, given your spec - i.e. easiest way to encrypt a file - it has to be a candidate!
Data Protection API in C#
Don't believe you have any security just because you encrypt a config file. If someone has access to the encrypted config file, and your executable, containing the password, it's likely to be possible to decrypt your configfile. It's just a little harder.
And say your config file contains passwords to database connections, it might be possible to get those passwords looking at the network packets.
Encryption is trivial with modern libraries: the hard part is securing the key(s).
So you need to look at what you're trying to secure, and what threats you are trying to secure against.
To encrypt a file so only the current user can see it on a client workstation, File.Encrypt is a good choice, or DPAPI with the CurrentUser scope.
For a configuration file on a single server, DPAPI using the LocalMachine scope is a good choice. You then need to make sure only authorized users are able to log in to the server. Here you're essentially delegating key management to Windows.
For a configuration file on a server farm, you need to share the key between the servers. RsaProtectedConfigurationProvide is a good choice, but you have more work ensuring that all servers have access to the same key, and that it is protected against unauthorized access (e.g. using a DACL).
I recommend the Cryptography Application block in Enterprise Library. Very easy, very flexible.