1

I want to write a program to maintain some important information for me , but i don't want to use sql as database because it is very important for me that no one can access the data , i want to save my data in a file and i want to use a password to protect my file like password in winrar software and then can access the data just in my program, can anyone give me an idea ? Thank u all :)

Minoo
  • 13
  • 3

2 Answers2

3

Why not encrypt the file using AES? Here is a great tutorial for C# and Rinjdael/AES encyption and decryption of files.

EDIT:

But as mentioned in another answer SQL does provide password protection for its databases, would that not be the exact same thing you want to do (except you will be re-inventing the wheel)

David Kroukamp
  • 36,155
  • 13
  • 81
  • 138
  • Thank u 'DavidKroukamp' but i want to khow if there is some other way , because encription is reversible and can be decripted , but i want to haveing a valid password be the only way to access my data , Is it possible ?? :( – Minoo Jul 22 '12 at 17:57
  • 1
    For decryption you need a valid key (or password as you wish) – huysentruitw Jul 22 '12 at 18:02
  • 1
    @Minoo Yes, encryption is reversable, and it needs to be otherwise you'll lose the data you encrypt. Hashing is a one way algorithm, but you'll not be able to recover the data ever. If you really want to write data that can never been decrypted, might as well send it to the bit bucket (NUL). Otherwise, encrypting with a password is what you want to do. – Andy Jul 22 '12 at 18:02
  • @Minoo Read up about [AES](http://en.wikipedia.org/wiki/Advanced_Encryption_Standard) especially AES 256bit. Yes all encryptions are reversible, but it is the time it takes to reverse it that counts, under current hardware standards it would take years (if the attackers are lucky) or decades to crack/bruteforce. An exert from wikipedia: "AES has been adopted by the U.S. government and is now used worldwide" and another: " As in previous techniques, the latest attack techniques on AES-192 and AES-256 algorithms are impractical outside of a theoretical setting." – David Kroukamp Jul 22 '12 at 18:04
  • I heat that there is some softwares like 'disSharp' that change back my dll files to code , if there is , some can use these softwares to access my code and find the key that i used to encrypt my data , is it wrong ? if it's impossible to find out my key this way , your right , i should use encryption – Minoo Jul 22 '12 at 18:10
  • @ DavidKroukamp , :D :D please excuse me for my bad english :D :D my english is not good – Minoo Jul 22 '12 at 18:10
  • @Minoo no it is not safe to store passwords in the source code, as it can be dissambled by the likes of Reflector and ildasm to name a few. And dont worry I can read what you mean just fine – David Kroukamp Jul 22 '12 at 18:14
  • So , where should i store password ? all examples that i see to use encryption used key as a text in their method that can be read easily ? :-? – Minoo Jul 22 '12 at 18:21
  • @Minoo the safest place to store a password is in a humans memory. Jokes aside. It depends, how many people will be accessing the file? If its just you then the best would be to have the application prompt for a password for encrypting/decrypting the data. – David Kroukamp Jul 22 '12 at 18:28
  • I didn't undrestand , If i want to use encryption and decription for my data (in file or DB) I should use a key for that , beacause my information is not static and i want to add new data in my software and they should encrypt too , so i should define a method for encription and decription and it needs a static key ,and it's in my code , is not it ? – Minoo Jul 22 '12 at 18:35
  • @Minoo No you can instead make your application on every start up prompt for the password which will then be used to encrypt and decrypt the data, thus the password would only ever be available in memory (when your DB is running), allowing it to encrypt and decrypt the data as needed (caused either by an ADD entry, UPDATE or whatever the case). – David Kroukamp Jul 22 '12 at 18:42
  • @Minoo to add to the above, when storing a password in memory use the [`SecureString`](http://msdn.microsoft.com/en-us/library/system.security.securestring.aspx) rather then a simple `string` – David Kroukamp Jul 22 '12 at 18:45
  • you mean i use the user password to encript and dycript data ? and everytime that user changes her/his password , i decript data with old password and enript it again with new password :-? YYEESS , I think it's a very good way , Thank u So much :) @};- – Minoo Jul 22 '12 at 18:48
  • @Minoo yes that would be about the best. Another method may include hashing the password and storing it with the encrypted data. but if the attacker knows the pattern (i.e you add the hash to the front/end of the encrypted data and what type of hash you are using) he can theoretically crack the password. So yes the most secure option is the one you said in your above comment in my opinion – David Kroukamp Jul 22 '12 at 18:53
  • @DavidKroukamp thank u so much , i'm really glad to undrestand what to do :D Good Lock :) – Minoo Jul 22 '12 at 18:56
  • @Minoo Awesome that you got what you need :). to add a last comment to this if the encrypted data files start becoming very large there might be a hit in performance (i.e adding an entry to the large file would take time to decrypt before data can be added and again while encrypting) this might be overcome by a queue which will store operations to be completed on the DB and on decrypting all queued operations will be written to the file before it is encrypted again. – David Kroukamp Jul 22 '12 at 18:58
  • no the data that i want to encript are all text , like different personal passwords and notes and now i'm sure that i can use sql server to store my data but encripted data :-> and if it would be slow , then i think about it again :D but i don't think so , becaus i want to store only text – Minoo Jul 22 '12 at 19:06
0

I've seen professional applications that use a (un)zip library to open password protected archives. Of course one can brute-force those passwords and open the archive. So I don't recommend this option.

SQL database looks like the best option, but you need a database server. Or you might look into SQLite, it's serverless. To password protect sqlite you can read this question

Community
  • 1
  • 1
huysentruitw
  • 27,376
  • 9
  • 90
  • 133
  • :( really ? i Thought that password protected zip files are the best way :( and about sql server , if i use sql server database every one that has adminstrator rights can access my DB :( – Minoo Jul 22 '12 at 18:13
  • @Minoo no password protected archives are really not that protected thanks to apps like Kane and Abel, Jack The ripper etc – David Kroukamp Jul 22 '12 at 18:16
  • @Minoo: not with sqlite, read it [here](http://sqlite.phxsoftware.com/forums/t/130.aspx) And with sqlite you don't need a server... – huysentruitw Jul 22 '12 at 20:12