
I have a .NET Core console application (not ASP.NET Core) that uses a .NET Standard 2.0 class library.

I have a JSON configuration file that gets read out by the class library to set up something dynamically.

The application normally runs under the user that started the process (CredentialCache.DefaultNetworkCredentials) as a scheduled task. But it is sometimes necessary that it should run under another account of a different user, for example to connect to an external system.

Of course I don't want to store the username and password (unencrypted) in the configuration. But what are my options? If I use a key, the key must be stored somewhere too, so it wouldn't be really secure.

I searched the web but haven't found a solution. I guess maybe the credential could be stored in the user or machine config instead of the JSON config? But I don't know if .NET Core has access to these classes, and the app should also work on other operating systems (like Linux) that have the .NET Core runtime installed.

Does anyone know a solution for this?

Matt.G
Patric
  • Do you need to encrypt the pwd during runtime (via your application)? Or do you need to decrypt only? – Jürgen Müller Mar 27 '19 at 13:39
  • There is no way to safely and reversibly store information locally, you could encrypt it, but then again the encrypted files are there and vulnerable to rainbow table lookups, also the attacker has access to the binaries, using a decompiler he could look at your private key. You could go with [security through obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity) but that's even worse. So the question boils down to this, will the application need to do this automatically or will this process always be initiated by a user? – MindSwipe Mar 27 '19 at 13:41
  • The application is not run by a user, it is run scheduled. So I only need to decrypt it. I have found the following post: https://stackoverflow.com/questions/42268265/how-to-get-manage-user-secrets-in-a-net-core-console-application which I am currently studying, I think it goes in the right direction. – Patric Mar 27 '19 at 13:42
  • What is the system that you're trying to connect to? There may be an option that doesn't require sending username + password. – Matthew Mar 27 '19 at 13:44
  • It is SharePoint Online, but it could also be On-Premise. – Patric Mar 27 '19 at 13:44
  • You only need to decrypt, so use encryption with public/private key. Then you only need the public key in your application. – Jürgen Müller Mar 27 '19 at 13:45
  • @JürgenMüller: wouldn't the password need to be encrypted using the private key? If I understand correctly, yes, but that key would not be in the application, it could be stored for example in a password manager? And the public key would be stored inside the application? But if someone decompiles the assembly, he would be able to also decrypt the password - right? – Patric Mar 27 '19 at 13:53
  • You are right. This method works for signing, but not to hide a password. – Jürgen Müller Mar 27 '19 at 13:54
  • @Patric no, the password would need to be encrypted using the public key. The private key is used to decrypt the password. So the password needs to be present in plaintext which is what you're trying to avoid – MindSwipe Mar 27 '19 at 13:54
  • What's scheduling the program to run? Certainly the Windows Task Scheduler lets you run scheduled tasks under *specific* user accounts, and it'll store the password in such a way that only highly privileged accounts on the machine can retrieve it. – Damien_The_Unbeliever Mar 27 '19 at 14:59
  • And it looks like [cron on Linux](https://askubuntu.com/questions/505181/how-to-run-a-cron-job-as-a-specific-user) should also support something like this. – Damien_The_Unbeliever Mar 27 '19 at 15:01
  • Yeah, sure, but consider for this scenario that the user running the application is not necessarily the user that has access to the other service. The question is more general: how to securely store credentials in .NET Core apps. – Patric Mar 27 '19 at 15:03
  • Or maybe credentials is a bad example, because "you should not store credentials ever". So maybe how to store a "connection string" or more generally, how to store a secret in .NET Core apps. – Patric Mar 27 '19 at 15:29
  • I think what you are looking for is the [DataProtectionProvider](https://learn.microsoft.com/en-us/uwp/api/Windows.Security.Cryptography.DataProtection.DataProtectionProvider), though it is platform specific and there doesn't exist anything comparable in .NET Standard as far as I know. – martinstoeckli Mar 29 '19 at 13:39
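
The key roles discussed in the comments above, shown as an added example that is not part of the original thread: with RSA the public key can only encrypt, so a process that must decrypt a stored secret has to hold the private key. It uses .NET's `System.Security.Cryptography.RSA`; the class name `KeyRoleDemo` and the sample secret are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class KeyRoleDemo
{
    public static void Main()
    {
        // Constructed sample secret, not a real credential.
        byte[] secret = Encoding.UTF8.GetBytes("constructed-sample-password");

        using (RSA keyPair = RSA.Create())     // holds private + public key
        using (RSA publicOnly = RSA.Create())  // will hold the public key only
        {
            keyPair.KeySize = 2048;

            // Export only the public parameters, as an application that
            // ships "just the public key" would have them.
            publicOnly.ImportParameters(keyPair.ExportParameters(false));

            // Anyone with the public key can encrypt.
            byte[] cipher = publicOnly.Encrypt(secret, RSAEncryptionPadding.OaepSHA256);

            // The public key alone cannot reverse that operation.
            try
            {
                publicOnly.Decrypt(cipher, RSAEncryptionPadding.OaepSHA256);
                Console.WriteLine("Unexpected: public key decrypted the secret.");
            }
            catch (CryptographicException)
            {
                Console.WriteLine("Public key alone cannot decrypt.");
            }

            // Decryption requires the private key, so an unattended
            // application that decrypts must be able to read that key.
            byte[] plain = keyPair.Decrypt(cipher, RSAEncryptionPadding.OaepSHA256);
            Console.WriteLine("Private key decrypts: " + Encoding.UTF8.GetString(plain));
        }
    }
}
```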

0 Answers