1

So I am trying to encrypt my files and authentication password. I am currently using (A)Password Derived Byte[], (B)Clear Byte[] and a strong (C)string to encrypt it.

In my program, I hardcoded the (A)Password Derived in there. I also hardcoded a (B)Encrypted version of Clear Byte[] and a (C)Encrypted version of string.

To decrypt my file/password, I must:

1. Decrypt Encrypted version of (B)Clear Byte[] using (A)Password Byte.
2. Decrypt Encrypted version of (C)String using (A)Password Byte.
3. Use the (B) Clear Byte, (C) Clear string to decrypt the file/password.

If this is not a good practice, could someone please provide me suggestions/methods I should use? I am developing it in C#.

00101010 10101010
  • 2
    You would be better off actually posting the code. If it's working code you want reviewed for flaws/best practices etc then use Code Review instead of Stack Overflow. – Trevor Pilley Dec 23 '12 at 16:18
  • 1
    http://stackoverflow.com/questions/202011/encrypt-decrypt-string-in-net/10366194#10366194 – Caster Troy Dec 23 '12 at 16:28
  • I was using this example: http://www.codeproject.com/Articles/5719/Simple-encrypting-and-decrypting-data-in-C – 00101010 10101010 Dec 23 '12 at 16:31
  • Please describe in more detail what you are trying to do in the application. You want to encrypt your files with a password, or something else? – Nickolay Olshevsky Dec 23 '12 at 16:50
  • I want to encrypt a file that could only be opened and read by my program. I also want to have an authentication with a server, I guess I'll be going with hashing on the authentication. – 00101010 10101010 Dec 23 '12 at 16:55
  • If you want authentication, then GCM mode will provide it without having to do any extra work on HMACs or whatever. – rossum Dec 23 '12 at 18:19
  • If you open your executable in a text editor you will be able to see the hardcoded strings. That is not very safe. – Mert Akcakaya Dec 31 '12 at 05:07
  • I understand that but I'm not quite sure where else to store it. I'll be obfuscating my code so hopefully that helps. – 00101010 10101010 Dec 31 '12 at 05:13

2 Answers

1

If you want something that only your program can read then you should use DPAPI. In C#, this is wrapped up in the ProtectedData class.

Your code is not safe, the code could easily be reverse engineered and decrypted. Using DPAPI means that only your user can access the data you protect in your application.

You use the ProtectedData class like this:

ProtectedData.Protect( data, s_aditionalEntropy, DataProtectionScope.CurrentUser );
Ross Dargan
  • 1
    I should point out that only the _user_ can read this data, however another app using the salt could unprotect the data. But this is more secure than your original code. – Ross Dargan Dec 24 '12 at 16:06
  • I would need something universal, meaning a user can save the data, but also able to read it in another computer. – 00101010 10101010 Dec 26 '12 at 03:03
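
The DPAPI round trip described in the answer above, as an added example that is not part of the original answer or comments: it protects a secret to a file and reads it back, and shows the failure path when the blob cannot be unprotected. The class name, file name and entropy value are hypothetical; `ProtectedData` is Windows-only and on .NET Core / .NET 5+ comes from the `System.Security.Cryptography.ProtectedData` package.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class DpapiFileStore
{
    // Constructed per-application entropy (hypothetical value). It is not a secret key:
    // any process running as the same user that knows it can call Unprotect.
    static readonly byte[] AppEntropy = Encoding.UTF8.GetBytes("example-app-entropy-v1");

    public static void Save(string path, string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        try
        {
            // The key is managed by Windows and tied to the current user's profile,
            // so nothing key-like is embedded in the executable.
            byte[] blob = ProtectedData.Protect(plain, AppEntropy, DataProtectionScope.CurrentUser);
            File.WriteAllBytes(path, blob);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // do not leave the plaintext buffer around
        }
    }

    public static string Load(string path)
    {
        byte[] blob = File.ReadAllBytes(path);
        try
        {
            byte[] plain = ProtectedData.Unprotect(blob, AppEntropy, DataProtectionScope.CurrentUser);
            try { return Encoding.UTF8.GetString(plain); }
            finally { Array.Clear(plain, 0, plain.Length); }
        }
        catch (CryptographicException)
        {
            // Different user or machine, different entropy, or a modified blob.
            return null;
        }
    }

    static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "dpapi-demo.bin");
        Save(path, "constructed sample secret");
        Console.WriteLine(Load(path) ?? "<could not unprotect>");
        File.Delete(path);
    }
}
```

A file written this way cannot be unprotected under another user account or on another computer, which is the limitation raised in the last comment above.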
0

I decided to go with my own approach mentioned above because no one was able to post an answer I could use.

00101010 10101010