1

I must send an email through code in C#, the smtp server requires authentication, so I need to create a new NetworkCredential instance.

Now the problem is that I want to store the password in the db using some encryption method like MD5, but the NetworkCredential constructor take in input a clear password, how can I create NetworkCredential instance using a MD5 encrypted password?

Sorry for my poor English

marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
davidinho
  • 169
  • 1
  • 14
  • MD5 isn't an encryption cipher it's a digest algorithm and it's one way, what goes in doesn't come out. Look at something like AES instead. – Lloyd Jan 26 '15 at 12:08
  • MD5 is not encryption, it's a hash. The password is no longer there. If you want to store passwords for later use, you need to use some actual encryption algorithm that allows you to retrieve the original plain-text password - there's plenty in .NET. It's still tricky to make it secure, though. – Luaan Jan 26 '15 at 12:08

1 Answers1

2

Best way to store a secrete is not to have it at all. There were extensive discussions on this, for example see Best way to store password in database.

If you must store password in a retrievable fashion a general approach would be to encrypt it using symmetric algorithm (for example AES). To use symmetric algorithm you would need to have a key and the problem now becomes this: how to store the private key securely? Things that people do to secure a key:

  • Use strong composite salt as parts you combine to make private key (application embedded, registry, hardware specific entropy like CPU id, etc )
  • Use devices or chips to store keys, like TPM (Trusted Platform Module)
  • Use ACL (Access Control List) to disallow access to the file where you store the key
  • Use OS provided secure storage to store part of the salt or key
  • Request the key on the fly from a secure server and dispose of it asap

But all this will merely raise a bar, but won't protect from determinate attackers.

I know some commercial companies provide paid-for solution that disperses the key in the code of the program in the encrypted way so it is not possible to retrieve it, for example by means of attaching a debugger and intercepting a call to where the key is in the clear. Search for "metaforic" for an example of such commercial solution.

Community
  • 1
  • 1
oleksii
  • 35,458
  • 16
  • 93
  • 163