Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
I have an application which will be used by various users, when user will start using the application it will generate one license file(encrypted) at the location where it is getting installed, and for each time application runs it will decrypt the file, will validate all parameters and update few of them according to the result of validation and will encrypt the updated file.
Here is one real problem giving pain, that every time the application runs it needs encryption keys(AES) to encrypt and decrypt, and the key is hard-coded within my .NET dll. so there is a possibility that user can extract the key and change the license parameters to run the application.
So my concern is how to protect the file from being tampered?
Is there any way that i can put few of important license parameters some other location instead of keeping it in file?
How to keep the encryption keys secure and safe from fraudulent activities?
Application is in purely offline.
Kindly give me your valuable suggestion and insights.
Thanks in advance
Offline applications written in .net cannot be secured. You cannot reasonably "hide secrets" on someone elses machine. You need to provide a location that You control (i.e. a web service endpoint) to store these secrets. Every which way you look, at some point or other the user of your application has all your logic and all your data on their environment; you have given them the lock and the keys and are just hoping they dont have the persistence to open the lock with the key.
Alternatively, as suggested on another thread this week, you could code your file access logic and keys in VB6 and do an interop call to it - VB6 could be decompiled, but its tough. However someone could just pick up SysInternals and watch your file IO occuring and deduce which file or registry key your secrets are in. If its AES encrypted that will make it tough for them, but they will know which process is opening it ... so they now have a target for their efforts to decompile your code. It would be non-trivial to crack that, but I wouldn't call it secure either.
Only way to prevent a user accessing data on their own PC is to not put it on their PC.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I'm building a class library with bunch of methods. One of which is for creating File. I want to make it run only 'N' times and after that to throw exceptions that the limit exceeded. Is there any way to embed that 'N' in the dll or how should i store it to be secure from changing that number.
So far i've tried with static field in the class but the static field is reset everytime the application using that dll is run.
Any suggestions ?
The safest solution would be:
Have the local application collect all relevant local data needed to create the file.
Request the file to a web service that knows how to create it with the supplied data.
The server will verify that the user’s credentials allow him to create the file; he’s a valid registered user, has payed his dues and still has file creations to spare.
Create the file on the server side and allow the user to download it.
Anything running locally in your computer is susceptible to being cracked. Professional softwware and game industries have wasted millions in anti piracy devices and they’ve failed miserably, don’t expect to have any better luck.
All of this obviously has a significant cost. If the risk of your average user knowing how to circumvent a basic protection is small and the loss of profit of those few that would know how to decompile, modify and compile your application is tolerable, then who cares?
Moral of the story: stop thinking about safest and start thinking about safe enough. It’s almost always cheaper.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 6 years ago.
Improve this question
What is the best solution to not have a password for a database connection string for example in a config file, or a mail account password to send mails automatically ?
Thanks
You may use encription, but the password has to be stored somewhere. If you're using SQL server, use Windows authentication instead
It doesn't matter where you save it, but I would save it somewhere inside the code (hardcoded) and then encrypt the password AND the user with (example) AESThenHMAC, which i personally like very much.
However, this method of encryption, needs a master key, which may be caught using a reflector.
To counter the reflector, you should obfuscate your code which makes your methods/variables/constants etc harder to read.
But, keep in mind that nothing is 100% secure, but this way you prevent the common curious from getting your credentials.
If someone really wants to get those credentials, and has the knowledge and access to the dll's, he may get it and you are only making him to waste more time.
Free obfuscation tools (.NET) (Source):
http://gapotchenko.com/
http://codefort.org/download
http://orangeheap.blogspot.nl
http://confuser.codeplex.com
http://ntoolbox.com
You can use a password manager such as Passwordstate (from https://www.clickstudios.com.au).
Your credentials are stored securely in an on-premises server, and you access them via a REST API. All that you have in your code is the information to access the REST API, and if you're paranoid about having even that in your code then you could encrypt it.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
I'm developing an .NET MVC web app and using a google service account to create/delete calendar events on users personal calendars. I'm not sure what would be the best way to secure my google authentication key so that only my program has access to it. Currently it's just in the solution folder for testing purposes.
"Best" is subjective. All I can tell you are options:
Put it in the Web.config as an App Setting, and then encrypt your appSettings configuration section. This is probably the safest route, if not the most convenient.
Put it in your code. It's not uncommon for developers to create a static Settings class that holds various bits of information the application needs. However, this means it will be plain text in the source. That's really only a problem if you plan to open-source your code or otherwise store it some place that's accessible to others (and that includes malicious others that shouldn't actually be able to access it). For example, I'd recommend only putting the source on a TFS or Git server internally, behind a firewall, rather than something on the Internet or public-facing. Once the code is compiled, you obviously won't have it in plain text anymore. However, if someone gains access to the compiled code, they could still decompile it and potentially find the string. To protect against that, you could use any number of obfuscation programs out there.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I am about to setup my first windows application which is built in C# Visual studio 2010 to my customer.
I want to limit usage to only one computer per installation, but I don't know how to do that.
Can anyone guide me on how I might accomplish this?
Typically this is managed by what's called a "product activation" system. When the customer installs your application, they must enter a serial number or key to "activate" it. If they don't do this, the application remains locked. When they activate your product, the system calls back into your server and says "Hey, this key has been used, and this is the machine it was used on. don't let anyone else use this key again."
http://en.wikipedia.org/wiki/Product_activation
You probably don't want to write this yourself, so there are many third party packages you can purchase to make it difficult for your client to install on multiple machines. There's a fine line though between alienating your client by treating them like a criminal, and trying to protect your hard work.
Pirates gonna pirate.
Encrypt the serial number of the hard-drive into your program. It must be saved to a DB of some kind. Name the field something obscure (not related to a HDD serial #). Then check that it matches every time the app is launched. Not super-high tech, not super-secure, but will work in most situatons. If someone copies the app to another PC, display a message not related to copying the app, but you will know what happened. I've been doing it for years in VB and .NET. Works fine.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
For C# in a winForms environment, I've licensed my classes by writing specifics to the regestry, encrypted.
Under Mono there are some facilities that are not available to you. The Registry is one of those. What method would you use to license your code under Mono?
I don't want a malicious user to be able to delete the application directory, to reset the trial timer or to copy a .LIC file and suddenly have access to the program.
Any ideas would be appreciated.
Any kind of encrypted certificate license ought to be at least as secure on Mono as it is on Windows. Deploy the app without the certificate. If it doesn't detect the certificate, its in 'reduced functionality' mode. If it does, then its in 'full mode'. Only issue certificate on purchase. For full-functionality-time-limited trials you run into a bigger problem, but at the end of the day, there was nothing stopping the user from messing with their registry, even to the extent of running your app in a VM or using System Restore liberally.
The registry is available to you using the standard .Net Registry classes. You can write your encrypted values there, and retrieve them later.
However, the registry on Linux is just a file in the user's home directory, so what you can't really do is modify it from outside Mono, like from a .msi (as an example, .msi's don't exist on Linux).
You could always encrypt a file based on the CPUID and store it in the directory. I am not sure how storing a file on the hard drive is different than storing something in the registr. A user could still find the registry key export / import it as needed. It would be restricted to that machine only if you use the CPUID or Motherboard information to encrypt the data with.