
I need to store confidential passwords within the code. I cannot use hashing techniques, as the password itself is needed. How can I store this data securely within an app.config file?

Are there other ways I could accomplish this securely?

DPAPI and the ProtectData class are not an option because the keys are system specific, e.g. connection strings can't be stored this way for different end-user systems.

Celeo
techno
  • How are the passwords 'needed'? It might be more practical to eliminate _that_ bug. – Grant Thomas Apr 10 '12 at 11:32
  • Why can't you store a hash instead? How are the passwords used? – Bali C Apr 10 '12 at 11:34
  • I have a good idea, Google "Encrypt Configuration Settings"... http://msdn.microsoft.com/en-us/library/ie/dtkwfdky.aspx – Lloyd Apr 10 '12 at 11:34
  • @Mr.Disappointment e.g. database connection – techno Apr 10 '12 at 11:36
  • @Lloyd Thanks, but I'm implementing a desktop app. – techno Apr 10 '12 at 11:40
  • @techno You can use ASP.NET configuration from a C# desktop app! – Lloyd Apr 10 '12 at 11:47
  • If it is necessary to store the password in app.config then make sure it is properly encrypted. Take a look at this link: http://stackoverflow.com/questions/202011/encrypt-decrypt-string-in-net – SMK Apr 10 '12 at 11:33
  • @ShoaibMuhammadKhan The problem with the approach mentioned in your link is that there will be no secure way to store the sharedSecret. It is a good solution for encrypting a string. But to encrypt a configuration section, it is better to use DPAPI. Here is a Wikipedia link for the same: http://en.wikipedia.org/wiki/Data_Protection_API – Ramesh Apr 10 '12 at 12:52
  • @techno I don't understand your argument against DPAPI. – CodesInChaos Apr 15 '12 at 09:36
  • @CodeInChaos If I am right, DPAPI uses local-machine-level or user-level system-specific data for encryption. As my application is distributed to many users, I cannot encrypt the database connection strings with my system-specific password. – techno Apr 15 '12 at 09:39

1 Answer


You can use DPAPI (Data Protection API) to encrypt certain sections of your config files. Your code would still be using ConfigurationManager, and decryption will be taken care of by the framework. For more information on the same, refer to this patterns & practices document: How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI

Update

To encrypt or decrypt information from your code you could use ProtectedData.Protect & ProtectedData.Unprotect. This can be run as part of a custom action in your installer, or when the user enters the credentials while using your application.

Sample Code

using System;
using System.Security.Cryptography;   // ProtectedData, DataProtectionScope
using System.Text;

// Wraps DPAPI so a secret can be stored as a Base64 string (e.g. in app.config)
// and recovered only by the same Windows user account on the same machine.
class SecureStringManager
{
    readonly Encoding _encoding = Encoding.Unicode;

    // Base64 ciphertext -> original string; throws if run under another user or machine.
    public string Unprotect(string encryptedString)
    {
        byte[] protectedData = Convert.FromBase64String(encryptedString);
        byte[] unprotectedData = ProtectedData.Unprotect(protectedData,
            null, DataProtectionScope.CurrentUser);   // null = no additional entropy

        return _encoding.GetString(unprotectedData);
    }

    // Original string -> Base64 ciphertext bound to the current user profile.
    public string Protect(string unprotectedString)
    {
        byte[] unprotectedData = _encoding.GetBytes(unprotectedString);
        byte[] protectedData = ProtectedData.Protect(unprotectedData,
            null, DataProtectionScope.CurrentUser);

        return Convert.ToBase64String(protectedData);
    }
}
Ramesh
  • You are wrong, this method is useful only for the Web.config file. Since the DPAPI keys are system specific, correct decryption will not be achieved on different systems of different end users. – techno Apr 14 '12 at 01:05
  • @techno you should be running a custom installer action which would do the needful while installing, or when the user enters the details for the first time. Updated my answer with sample code. – Ramesh Apr 14 '12 at 04:30
  • This is not possible for connection strings. – techno Apr 14 '12 at 04:32
  • @techno can you elaborate why it is not possible for connection strings? You can definitely encrypt it as part of your installer custom action, provided you are using one. – Ramesh Apr 14 '12 at 04:45
  • You see, anyway I have to store the connection string without encrypting it in the installer before using the ProtectData class. – techno Apr 14 '12 at 09:23
  • Yes. Or you could configure your SQL Server for Integrated authentication and allow the identity of the currently logged-in user. – Ramesh Apr 14 '12 at 09:47
  • @techno the other way to send the information encrypted with your application is to encrypt it with a hard-coded secret. A person with knowledge of reverse engineering can easily get the secret with which you encrypted it and decrypt the information. Hence the logical choice is to use Integrated authentication. – Ramesh Apr 16 '12 at 05:13