Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
I'm developing an .NET MVC web app and using a google service account to create/delete calendar events on users personal calendars. I'm not sure what would be the best way to secure my google authentication key so that only my program has access to it. Currently it's just in the solution folder for testing purposes.
"Best" is subjective. All I can tell you are options:
Put it in the Web.config as an App Setting, and then encrypt your appSettings configuration section. This is probably the safest route, if not the most convenient.
Put it in your code. It's not uncommon for developers to create a static Settings class that holds various bits of information the application needs. However, this means it will be plain text in the source. That's really only a problem if you plan to open-source your code or otherwise store it some place that's accessible to others (and that includes malicious others that shouldn't actually be able to access it). For example, I'd recommend only putting the source on a TFS or Git server internally, behind a firewall, rather than something on the Internet or public-facing. Once the code is compiled, you obviously won't have it in plain text anymore. However, if someone gains access to the compiled code, they could still decompile it and potentially find the string. To protect against that, you could use any number of obfuscation programs out there.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I'm in a situation where I do not have the option to connect directly to a database (the typical ConnectionString and DBContext way), but instead, I'm forced to use a RESTful API to get and post data from, and to the database.
I difficult to explain, so here's a tiny architectural graph instead.
Easy to see, the web application can talk with the REST API, but it CANNOT connect directly to the database
PROBLEM
I'd love to use the built-in authentication system that ASP.NET Identity provides, but I'm going in completely blind. I have not been able to find any examples with REST API calls to get users, roles, etc.
I hope that some of you might be able to lend a hand. The architecture is as it is, and it's out of my hands to change it.
My team is currently using a similar system. Our solution was to use Authentication Forms, which we found easy to setup using this article. Granted it is a bit outdated, but it works for what we wanted to accomplish with a small amount of time.
Sorry, I know Its not much, but it was a very easy tutorial to follow. Feel free to ask for any more examples as you work through it!
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 6 years ago.
Improve this question
What is the best solution to not have a password for a database connection string for example in a config file, or a mail account password to send mails automatically ?
Thanks
You may use encription, but the password has to be stored somewhere. If you're using SQL server, use Windows authentication instead
It doesn't matter where you save it, but I would save it somewhere inside the code (hardcoded) and then encrypt the password AND the user with (example) AESThenHMAC, which i personally like very much.
However, this method of encryption, needs a master key, which may be caught using a reflector.
To counter the reflector, you should obfuscate your code which makes your methods/variables/constants etc harder to read.
But, keep in mind that nothing is 100% secure, but this way you prevent the common curious from getting your credentials.
If someone really wants to get those credentials, and has the knowledge and access to the dll's, he may get it and you are only making him to waste more time.
Free obfuscation tools (.NET) (Source):
http://gapotchenko.com/
http://codefort.org/download
http://orangeheap.blogspot.nl
http://confuser.codeplex.com
http://ntoolbox.com
You can use a password manager such as Passwordstate (from https://www.clickstudios.com.au).
Your credentials are stored securely in an on-premises server, and you access them via a REST API. All that you have in your code is the information to access the REST API, and if you're paranoid about having even that in your code then you could encrypt it.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 6 years ago.
Improve this question
Referring to this question that's already been answer:
"What is the best local-database solution for WPF applications?"
What is currently my best choice of local database for my program? Currently I am using XML that is automatically created on the computer when the user run my executable for the first time or when the XML is missing.
I am perfectly fine on using XMLs, users of my application would not be required to install any software other than my application and I can do exactly with it, but my problem is with searching.
My application includes a database (the XML) of all their songs in their music library, and of course each track has its own information and search through each track is really slow! since it's a music library, one user can have at least 1000 tracks or more and searching through it is really really terrible.
I am familiar on using SQL database, (i don't know the proper term for it) but one for online database, I use XAMPP and read the database on a website on PHP. And i really like it. So..
Basically, I am looking for a good local-database solution, where user's won't to download and install any other software (but I am okay, if i would have to include a certain dll to my exe in other to run), and also one that is lightweight and fast in terms of searching.
Yes, i've read the included related question as many times as i could for me to understand it myself but i hope someone can explain the advantages and disad of each of them.
No, i am not looking for one that needs to have a server or something in order for it to work
Previous suggestion is correct SQLite will be your best option because WPF operates .NET Framework. It also supports ODBC driver as i recall
I was going to just comment but can't quite yet.
I wouldn't say there's necessarily a 'best' in most cases. In general whatever you go with is unlikely to be that bad of a choice..
Having said that, I could suggest SQLite as an option for you. Lightweight, very fast, certainly good for strictly local-database options.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
I have an application which will be used by various users, when user will start using the application it will generate one license file(encrypted) at the location where it is getting installed, and for each time application runs it will decrypt the file, will validate all parameters and update few of them according to the result of validation and will encrypt the updated file.
Here is one real problem giving pain, that every time the application runs it needs encryption keys(AES) to encrypt and decrypt, and the key is hard-coded within my .NET dll. so there is a possibility that user can extract the key and change the license parameters to run the application.
So my concern is how to protect the file from being tampered?
Is there any way that i can put few of important license parameters some other location instead of keeping it in file?
How to keep the encryption keys secure and safe from fraudulent activities?
Application is in purely offline.
Kindly give me your valuable suggestion and insights.
Thanks in advance
Offline applications written in .net cannot be secured. You cannot reasonably "hide secrets" on someone elses machine. You need to provide a location that You control (i.e. a web service endpoint) to store these secrets. Every which way you look, at some point or other the user of your application has all your logic and all your data on their environment; you have given them the lock and the keys and are just hoping they dont have the persistence to open the lock with the key.
Alternatively, as suggested on another thread this week, you could code your file access logic and keys in VB6 and do an interop call to it - VB6 could be decompiled, but its tough. However someone could just pick up SysInternals and watch your file IO occuring and deduce which file or registry key your secrets are in. If its AES encrypted that will make it tough for them, but they will know which process is opening it ... so they now have a target for their efforts to decompile your code. It would be non-trivial to crack that, but I wouldn't call it secure either.
Only way to prevent a user accessing data on their own PC is to not put it on their PC.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
I'm building an application in C# that will use 'databases', but I want to be able to access the content of the 'database'/file in as many programming languages. The 'database' basically needs to be like a dictionary (it isn't one though), so like word=meaning, and I don't mind too much if a user can openly edit that.
However, there's a few things I want to store in the database that the user should not be able to edit. For example, I would like to store a unique key that the application will analyse and compare. I'd also like to add an 'isEditable' property that tells the application whether or not it can change the database, but this is not essential.
Do you have any suggestions on how I could store this information? I thought about XML because I could just hash the unique key, but I don't think it would be suitable for the word=meaning part.
Well, there are plenty of options. You can use a traditional database, and restrict user privileges. That way, the users can't edit anything (or can only do what ever permissions you grant them). If this needs to be deployed with your application, you can use a compact DB, like Sqlite or SQL Server Compact. There are ways to encrypt the entire DB file or to password protect them, so that would prevent your users from editing them. Sqlite has providers for many languages.
You could try a non-traditional database, like a MongoDB or db4objects. The latter uses a type of binary serialization so that you can persist your code objects to disk. Again, not easily user-editable. You could just persist your collection. With the former, you'll be closer to your goal of key=value pairs, because you don't have to have a defined schema for either of these options.
An XML file could work, provided you encrypted it, if your goal is to make it non-user-editable.