I have model like below:
public class User
{
private string password;
public string Password
{
get { return Decrypt(password); }
set { password = Encrypt(value); }
}
}
I want from user code to use just insert and select password easily and see in clear text and want the logic layer to handle the encryption and decryption.
But when selecting, EF will set the value again so the encrypted password gotten from database will be encrypted again for me to get from the client code which is a problem. I also cannot distinguish between an Insert and Select to set conditionals.
I can very well do this:
//Insert
user.Password = Encrypt("123"); //Encrypt or Hash does not matter
context.Users.Add(user);
//Select
var hashedpassword = context.Users.Find(1).Select(u => u.Password).Single();
var unhashed = Decrypt(hashedpassword);
Instead I would like it not to be apparent from client code:
//Insert
user.Password = "123"; //Inserts encrypted password in database
context.Users.Add(user);
//Select
var cleartextpassword = context.Users.Find(1).Select(u => u.Password).Single();
Hope I was able to explain the problem and someone can point me to the right direction. If it is even possible or not.
The better solution is indeed to use a Hash.
But a general pattern for injecting some logic:
public class User
{
// the mapped-to-column property
protected virtual string PasswordStored
{
get ;
set ;
}
[NotMapped]
public string Password
{
get { return Decrypt(PasswordStored); }
set { PasswordStored = Encrypt(value); }
}
}
Instead of [NotMapped] you can also use the fluent API to keep EF from storing it directly.
Read and write your entities only from a repository, i.e., through a data access class that you write:
var myEntities = userRepository.GetUserById(id);
then your GetUserById() method can perform the decryption in-place. Then when you do
userRepository.UpdateUser(myUser);
you can encrypt the field again in the UpdateUser() method.
Please find following method which will get you a password hash:
public static string GetPasswordHash(this string password)
{
using (var sha1 = new SHA1Managed())
{
var hash = Encoding.UTF8.GetBytes(password);
var generatedHash = sha1.ComputeHash(hash);
var generatedHashString = Convert.ToBase64String(generatedHash);
return generatedHashString;
}
}
Related
I wondering how I can implement this solution on my desktop application to prevent users check config file and increase some local security.
I've created a security class with this 2 methods Not a sophisticated mechanism, but a very basic one:
string Encrypt(string source, string key)
{
using (TripleDESCryptoServiceProvider tripleDESCryptoService = new TripleDESCryptoServiceProvider())
{
using (MD5CryptoServiceProvider hashMD5Provider = new MD5CryptoServiceProvider())
{
byte[] byteHash = hashMD5Provider.ComputeHash(Encoding.UTF8.GetBytes(key));
tripleDESCryptoService.Key = byteHash;
tripleDESCryptoService.Mode = CipherMode.ECB;
byte[] data = Encoding.UTF8.GetBytes(source);
return Convert.ToBase64String(tripleDESCryptoService.CreateEncryptor().TransformFinalBlock(data, 0, data.Length));
}
}
}
string Decrypt(string encrypt, string key)
{
using (TripleDESCryptoServiceProvider tripleDESCryptoService = new TripleDESCryptoServiceProvider())
{
using (MD5CryptoServiceProvider hashMD5Provider = new MD5CryptoServiceProvider())
{
byte[] byteHash = hashMD5Provider.ComputeHash(Encoding.UTF8.GetBytes(key));
tripleDESCryptoService.Key = byteHash;
tripleDESCryptoService.Mode = CipherMode.ECB;
byte[] data = Convert.FromBase64String(encrypt);
return Encoding.UTF8.GetString(tripleDESCryptoService.CreateDecryptor().TransformFinalBlock(data, 0, data.Length));
}
}
}
and created a AppSettings class to get and save the connection string:
public class AppSettings
{
Configuration config;
public AppSettings()
{
config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
}
public string GetConnectionString(string key)
{
return config.ConnectionStrings.ConnectionStrings[key].ConnectionString;
}
public void SaveConnectionString(string key, string value)
{
config.ConnectionStrings.ConnectionStrings[key].ConnectionString = value;
config.ConnectionStrings.ConnectionStrings[key].ProviderName = "System.Data.EntityClient";
config.Save(ConfigurationSaveMode.Modified);
}
}
Now, I want to implement this method and save the encrypted connection string and read decrypted using the entity framework, but not sure how to do this.
public AnnualTaxDBEntities(): base("name=AnnualTaxDBEntities")
{
}
I am new in c# so, Understanding is welcome.
Add a new constructor that passes the connection string:
public AnnualTaxDBEntities(String connectionString): base(connectionString)
{
}
You should then simply pass the connection string into the constructor:
var connectionString = appSettings.GetConnectionString(key);
var dataContext = AnnualTaxDBEntities(connectionString);
Although note that this will not prevent any semi-competent person from seeing your connection string, it will also still be visible in the source - you should use a proper external method of secret initialization if your connection string contains sensitive data such as a credential. Or better yet, use integrated security and don't store sensitive data in the connection string in the first place.
One approach would be to use External Config Files and a Protected Configuration Provider see here
This will allow you to specify your connection strings outside of the app.config file that you deploy with your app and encrypt the content of that file
I have a Xamarin.iOS application that requires users to log-in in order to view content. I have two text fields, one for username and one for password. Once a user has logged in and the API has returned success. how can I save the users credentials so when they launch the app they get signed in automatically?
I tried this, however, I don't know how to retrieve the values or re-save credentials if user logs out
void StoreKeysInKeychain(string key, string value)
{
var s = new SecRecord(SecKind.GenericPassword)
{
ValueData = NSData.FromString(value),
Generic = NSData.FromString(key)
};
var err = SecKeyChain.Add(s);
}
Thanks.
You can install this plugin and all of the work is already done for you: https://github.com/sameerkapps/SecureStorage, nuget: https://www.nuget.org/packages/sameerIOTApps.Plugin.SecureStorage/.
If you use the plugin it is as simple as:
CrossSecureStorage.Current.SetValue("SessionToken", "1234567890");
var sessionToken = CrossSecureStorage.Current.GetValue ("SessionToken");
If you don't want to use it, then look into github repo and see how they did it for iOS:
https://github.com/sameerkapps/SecureStorage/blob/master/SecureStorage/Plugin.SecureStorage.iOSUnified/SecureStorageImplementation.cs
public override string GetValue(string key, string defaultValue)
{
SecStatusCode ssc;
var found = GetRecord(key, out ssc);
if (ssc == SecStatusCode.Success)
{
return found.ValueData.ToString();
}
return defaultValue;
}
private SecRecord GetRecord(string key, out SecStatusCode ssc)
{
var sr = new SecRecord(SecKind.GenericPassword);
sr.Account = key;
return SecKeyChain.QueryAsRecord(sr, out ssc);
}
Better to use iOS default NSUserDefaults.StandardUserDefaults to store your credentials.
Check for stored value in Login ViewController, if it doesn't exist then after successful login set the user name and password to "GetStoredCredentials" else fetch the saved credentials and use.
public String GetStoredCredentials
{
get {
string value = NSUserDefaults.StandardUserDefaults.StringForKey("Key");
if (value == null)
return "";
else
return value;
}
set {
NSUserDefaults.StandardUserDefaults.SetString(value.ToString (), "Key");
NSUserDefaults.StandardUserDefaults.Synchronize ();
}
}
Either you can save as string array or comma seperated value.
Let me know for any further assistance.
For your refrence : https://developer.xamarin.com/guides/ios/application_fundamentals/user-defaults/
Currently, I'm sending some data to Parse.com. All works well, however, I would like to add a row if it's a new user or update the current table if it's an old user.
So what I need to do is check if the current Facebook ID (the key I'm using) shows up anywhere in the fbid column, then update it if case may be.
How can I check if the key exists in the column?
Also, I'm using C#/Unity.
static void sendToParse()
{
ParseObject currentUser = new ParseObject("Game");
currentUser["name"] = fbname;
currentUser["email"] = fbemail;
currentUser["fbid"] = FB.UserId;
Task saveTask = currentUser.SaveAsync();
Debug.LogError("Sent to Parse");
}
Okay, I figured it out.
First, I check which if there is any Facebook ID in the table that matches the current ID, then get the number of matches.
public static void getObjectID()
{
var query = ParseObject.GetQuery("IdealStunts")
.WhereEqualTo("fbid", FB.UserId);
query.FirstAsync().ContinueWith(t =>
{
ParseObject obj = t.Result;
objectID = obj.ObjectId;
Debug.LogError(objectID);
});
}
If there is any key matching the current Facebook ID, don't do anything. If there aren't, just add a new user.
public static void sendToParse()
{
if (count != 0)
{
Debug.LogError("Already exists");
}
else
{
ParseObject currentUser = new ParseObject("IdealStunts");
currentUser["name"] = fbname;
currentUser["email"] = fbemail;
currentUser["fbid"] = FB.UserId;
Task saveTask = currentUser.SaveAsync();
Debug.LogError("New User");
}
}
You will have to do a StartCoroutine for sendToParse, so getObjectID has time to look through the table.
It may be a crappy implementation, but it works.
What you need to do is create a query for the fbid. If the query returns an object, you update it. If not, you create a new.
I'm not proficient with C#, but here is an example in Objective-C:
PFQuery *query = [PFQuery queryWithClassName:#"Yourclass]; // Name of your class in Parse
query.cachePolicy = kPFCachePolicyNetworkOnly;
[query whereKey:#"fbid" equalTo:theFBid]; // Variable containing the fb id
NSArray *users = [query findObjects];
self.currentFacebookUser = [users lastObject]; // Array should contain only 1 object
if (self.currentFacebookUser) { // Might have to test for NULL, but probably not
// Update the object and save it
} else {
// Create a new object
}
I have a simple data layer routine that performs a password update, the user passes in the following:
Current Password, New Password, Confirm New Password.
In my data layer (proc) checks a couple things such as:
Is the current password correct?
Is the new password and confirm password correct?
Has the new password been assigned in the past?
And so on...
Now I know I can simply create a class and returned a couple booleans:
public class UpdatePasswordResponse{
public bool CurrentPasswordCorrect {get;set;}
....(and so on)
}
But is there a way I can dynamically return that information to the biz layer in properties instead of creating a new class everytime (for every data layer routine)? I seem to remember thinking this was possible. I am pretty sure I read it somewhere but don't remember the syntax, can someone help me?
You can do this in .NET 4 with the use of the dynamic keyword.
The class you will want to return would be an ExpandoObject.
Basically, follow this pattern:
public object GetDynamicObject()
{
dynamic obj = new ExpandoObject();
obj.DynamicProperty1 = "hello world";
obj.DynamicProperty2 = 123;
return obj;
}
// elsewhere in your code:
dynamic myObj = GetDynamicObject();
string hello = myObj.DynamicProperty1;
If you just want to dynamically create a class you write:
public object MyMethod()
{
var result = new { Username = "my name", Password = "the password" };
return result;
}
I've been following this tutorial on how to create an OData service.
http://www.hanselman.com/blog/CreatingAnODataAPIForStackOverflowIncludingXMLAndJSONIn30Minutes.aspx
And it works flawlessly ... but, in the Entity Data Model Wizard, when it asks you to "Choose Your Data Connection" it gives you this warning.
"This connection string appears to contain sensitive data (for example, a password) that is required to connect to the database. Storing sensitive data in the connection string can be a security risk. Do you want to include this sensitive data in the connection string?"
If I choose: "No, exclude sensitive data from the connection string. I will set it in my application code."
I do not see where I can, "in my application code" insert the password. (My company stores them encrypted in the registry)
Plus, I have multiple DBs that I need to connect to, depending on the environment (Dev, CA, or Prod) and I need to know what DB is referenced in the connection string to get the correct password.
Thanks.
When you create your context, you can set a connection string. To build this connection string, you can parse the connection string without the password with an EntityConnectionStringBuilder and then parse the inner connection string with an other ConnectionStringBuilder, depending on your browser. Then you can set the password and pass it to the constructor.
var originalConnectionString = ConfigurationManager.ConnectionStrings["your_connection_string"].ConnectionString;
var entityBuilder = new EntityConnectionStringBuilder(originalConnectionString);
var factory = DbProviderFactories.GetFactory(entityBuilder.Provider);
var providerBuilder = factory.CreateConnectionStringBuilder();
providerBuilder.ConnectionString = entityBuilder.ProviderConnectionString;
providerBuilder.Add("Password", "Password123");
entityBuilder.ProviderConnectionString = providerBuilder.ToString();
using (var context = new YourContext(entityBuilder.ToString()))
{
// TODO
}
I added a "dummy" password in the configuration file ("XXXXX"), then replaced that value with the real password in the entity constructor
public MyDatabaseContainer() : base("name=MyDatabaseContainer")
{
Database.Connection.ConnectionString = Database.Connection.ConnectionString.Replace("XXXXX","realpwd");
}
Modify the constructor of the entities
public sampleDBEntities() : base("name=sampleDBEntities")
{
this.Database.Connection.ConnectionString = #"Data Source=.\;Initial Catalog=sampleDB;Persist Security Info=True;User ID=sa;Password=Password123"; ;
}
My sample application was written in "Database First" mode and the "CreateNewConnectionString" method below works just fine (though it doesn't look all that elegant.)
The "CreateNewConnectionString2" method looks really elegant, BUT causes an exception telling me it's only valid in "Code First" mode.
So I'm providing both methods along with the constructor I modified to use my methods. NOTE AND BEWARE, I've modified code generated by a template and that is subject to being overwritten if the code is regenerated. To me it seems like the right place to put it.
If your application was generated in "Code First" mode, you may need to use "CreateNewConnectionString2" (I have not yet tested this option.)
I hasten to admit that I copied both code blocs from other postings as I don't yet know nearly enough about all this to write my own code.
private static string CreateNewConnectionString(string connectionName, string password)
{
var config = System.Web.Configuration.WebConfigurationManager.OpenWebConfiguration("~").ConnectionStrings.ConnectionStrings[connectionName];
//or:
//var config = ConfigurationManager.ConnectionStrings[connectionName];
var split = config.ConnectionString.Split(Convert.ToChar(";"));
var sb = new System.Text.StringBuilder();
for (var i = 0; i <= (split.Length - 1); i++)
{
if (split[i].ToLower().Contains("user id"))
{
split[i] += ";Password=" + password;
}
if (i < (split.Length - 1))
{
sb.AppendFormat("{0};", split[i]);
}
else
{
sb.Append(split[i]);
}
}
return sb.ToString();
}
private static string CreateNewConnectionString2(string connectionName, string password)
{
var originalConnectionString = ConfigurationManager.ConnectionStrings[connectionName].ConnectionString;
var entityBuilder = new EntityConnectionStringBuilder(originalConnectionString);
var factory = DbProviderFactories.GetFactory(entityBuilder.Provider);
var providerBuilder = factory.CreateConnectionStringBuilder();
providerBuilder.ConnectionString = entityBuilder.ProviderConnectionString;
providerBuilder.Add("Password", password);
entityBuilder.ProviderConnectionString = providerBuilder.ToString();
return entityBuilder.ProviderConnectionString;
}
public ChineseStudyEntities()
: base(CreateNewConnectionString("ChineseStudyEntities", "put YOUR password here")) // base("name=ChineseStudyEntities")
{
}