0

I am making a WPF C# application, and from what I have read on other threads on many forums, the code of a C# application can be rebuilt from a .exe file.

Now in my code there is a string containing the login data of a database, and I am also considering using symmetric cryptography to send encrypted passwords to the db, so the code of the client will contain the symmetric key, but this issue would make all my efforts to make a secure application vain.

How can this security issue be solved, especially in my case?

  • 1
    Might be repeat of: http://stackoverflow.com/questions/7581801/how-can-i-hide-my-password-in-my-c-sharp-connection-string – Rob Steiner May 20 '14 at 13:55
  • 3
    You know the answer, don't you? It is: do not store the password in the code. So then the question becomes: where do I get the password? You know the answer to that one too, don't you? It is: ask the user. – Kris Vandermotten May 20 '14 at 15:42
  • http://msdn.microsoft.com/en-us/library/system.security.securestring(v=vs.110).aspx – SilverlightFox May 21 '14 at 09:16

1 Answer

-2

The solution is to have the passwords hashed in the database and not encrypted. A hash is a one-way transformation of the string and cannot be reversed.

Then you hash the input value the user supplies and compare it with what you have in the database. If the hash matches, they can log in; otherwise an error is displayed.

    using System;
    using System.Security.Cryptography;
    using System.Text;

    class Program
    {
        // Compute the MD5 hash of a string and return it as lowercase hex.
        static string GetMd5Hash(MD5 md5Hash, string input)
        {
            // Convert the input string to a byte array and compute the hash.
            byte[] data = md5Hash.ComputeHash(Encoding.UTF8.GetBytes(input));

            // Create a new StringBuilder to collect the bytes
            // and create a string.
            StringBuilder sBuilder = new StringBuilder();

            // Loop through each byte of the hashed data
            // and format each one as a hexadecimal string.
            for (int i = 0; i < data.Length; i++)
            {
                sBuilder.Append(data[i].ToString("x2"));
            }

            // Return the hexadecimal string.
            return sBuilder.ToString();
        }

        // Verify a hash against a string.
        static bool VerifyMd5Hash(MD5 md5Hash, string input, string hash)
        {
            // Hash the input.
            string hashOfInput = GetMd5Hash(md5Hash, input);

            // Create a StringComparer and compare the hashes.
            StringComparer comparer = StringComparer.OrdinalIgnoreCase;

            return 0 == comparer.Compare(hashOfInput, hash);
        }
    }

From the MSDN site.

idipous