3

I need to develop a tool in C# which interacts with a SOAP webservice. The first operation of this webservice takes a username and password to login to the application. However that tool shall be run without user interaction when providing the user credentials.

This implies that the tool knows the username and password. What would be a more or less appropriate way of storing the encryped username and password either in the program code or in an external file?

Robert Strauch
  • 12,055
  • 24
  • 120
  • 192

3 Answers3

5

I would think about using the DPAPI There should be a machine specific algorithm. Which should ensure, that the data can only be decrypted on the machine on which it was encrypted.

In the linked post is also a good article linked

From MSDN:

// Encrypt the data using DataProtectionScope.CurrentUser. The result can be decrypted 

//  only by the same current user. 

return ProtectedData.Protect( data, s_aditionalEntropy, DataProtectionScope.CurrentUser );
Community
  • 1
  • 1
Boas Enkler
  • 12,264
  • 16
  • 69
  • 143
1

The less appropriate way is to store your password in clear in a plain text in text file or in registry which will make your sensitive information accessible to everyone who gain access as an admin One of the best way to obfuscate the password is to use this ProtectedData Class
here an example from MSDN: 

using System;
using System.Security.Cryptography;

public class DataProtectionSample
{
// Create byte array for additional entropy when using Protect method. 
    static byte [] s_aditionalEntropy = { 9, 8, 7, 6, 5 };

    public static void Main()
    {
// Create a simple byte array containing data to be encrypted. 

byte [] secret = { 0, 1, 2, 3, 4, 1, 2, 3, 4 };

//Encrypt the data. 
        byte [] encryptedSecret = Protect( secret );
        Console.WriteLine("The encrypted byte array is:");
        PrintValues(encryptedSecret);

// Decrypt the data and store in a byte array. 
        byte [] originalData = Unprotect( encryptedSecret );
        Console.WriteLine("{0}The original data is:", Environment.NewLine);
        PrintValues(originalData);

    }

    public static byte [] Protect( byte [] data )
    {
        try
        {
            // Encrypt the data using DataProtectionScope.CurrentUser. The result can be decrypted 
            //  only by the same current user. 
            return ProtectedData.Protect( data, s_aditionalEntropy, DataProtectionScope.CurrentUser );
        } 
        catch (CryptographicException e)
        {
            Console.WriteLine("Data was not encrypted. An error occurred.");
            Console.WriteLine(e.ToString());
            return null;
        }
    }

    public static byte [] Unprotect( byte [] data )
    {
        try
        {
            //Decrypt the data using DataProtectionScope.CurrentUser. 
            return ProtectedData.Unprotect( data, s_aditionalEntropy, DataProtectionScope.CurrentUser );
        } 
        catch (CryptographicException e)
        {
            Console.WriteLine("Data was not decrypted. An error occurred.");
            Console.WriteLine(e.ToString());
            return null;
        }
    }

    public static void PrintValues( Byte[] myArr )  
    {
          foreach ( Byte i in myArr )  
            {
                 Console.Write( "\t{0}", i );
             }
      Console.WriteLine();
     }

}
BRAHIM Kamel
  • 13,492
  • 1
  • 36
  • 47
1

If you indeed need to store the password in some form, better encrypt it using AES. AES is a proven algorithm which is not feasible to thwart at least until the next decade. See this SO link to find some examples of AES encryption in C#:

Using AES encryption in C#

Community
  • 1
  • 1
Prahlad Yeri
  • 3,567
  • 4
  • 25
  • 55