
I'm working on a portable application. Something you have on a flash drive and can use anytime.

Problem is: I need to store some critical passwords in the application. So I would like to ask what is the right approach for that?

Passwords need to be in an XML settings file next to the app or somewhere else, but the settings still need to load when used on a different computer.

But I would like users to not be able to easily open that settings file (can I cipher the file with the settings?). Then I would have some "decryption key" as a password which you use every time you want to make changes or want to use a password from that file or some different setting.

Is this right or even safe?

I know option two would be to save the password already in ciphered form in the settings XML file, but I would like people to not be able to open that file without knowing the password.

Thanks for all answers or ideas.

Johny Corbie

2 Answers


1st way - encrypt your config with a password.

1) Encrypt your whole XML config.
2) Request password on program start.
3) Decrypt config and load it.

Easy as that.

You can use RijndaelManaged to encrypt your settings with a string password.

A ready implementation of string ciphering can be found here.

Also I really, really recommend hashing your password with SHA256/SHA512 to make it harder for someone else to bruteforce it.

Pros:

  • You don't need internet access.
  • Breaking encryption like that will take a right amount of time (if you use it right)

Cons:

  • Anyone can bruteforce your password. So use a strong one.

2nd way - download your password from a web server

Set up a web server that will accept your password and send a list of passwords.

ALWAYS USE HTTPS! All of your wifi connections can be sniffed or MITM'ed!

Use SSL-pinning to reinforce your security! You can find more here.

Pros:

  • It makes it really hard to bruteforce your password.

(Set up your server-side scripts to accept passwords only when you're working, for example)

Cons:

  • You need internet access, of course.
  • You need to host a website and get an SSL certificate (for example here, for free)
  • People who have access to your webserver can steal your passwords.
  • People who have access to your device can install fake root SSL certificate to intercept your traffic. (SSL pinning can help you there!)
Vyacheslav
  • Hey, great idea! Just one question: When I use the password to decrypt the file on start and load the settings, I guess I need to encrypt it back? Or can I somehow decrypt it only for reading and the file still stays encrypted when I close the program or it crashes, or something like that. – Johny Corbie Oct 04 '19 at 10:14
  • First you load the file into memory (File.ReadAllBytes), then you decrypt it in memory and use it. The file stays encrypted on the drive. – Vyacheslav Oct 04 '19 at 10:16
  • But memory isn't a file, or can I somehow call XmlSerializer for a MemoryStream? Or how can I read XML settings from a MemoryStream? – Johny Corbie Nov 22 '19 at 09:33
  • @JohnyCorbie XmlSerializer should support deserialization from a stream. Also look at: https://stackoverflow.com/questions/30698349/xml-serializing-and-deserializing-with-memory-stream – Vyacheslav Nov 22 '19 at 10:26
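An added C# example of the first way (encrypt the whole XML config, ask for the password on start, decrypt in memory and deserialize from a MemoryStream so the file on the drive stays encrypted); it is not code from the answer or the asker's app. It swaps two details: the key is derived with PBKDF2 (Rfc2898DeriveBytes) over a random salt instead of a single SHA256 hash, and Aes is used in place of RijndaelManaged (AES is the 128-bit-block Rijndael that class implements). The AppSettings class and its fields are assumed.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Xml.Serialization;

// Hypothetical settings class; the real app's XML schema is not shown in the question.
public class AppSettings
{
    public string ServerUrl { get; set; }
    public string ServicePassword { get; set; }
}

public static class EncryptedSettings
{
    const int SaltSize = 16, IvSize = 16, Iterations = 200_000;

    // Derive a 256-bit AES key from the master password with PBKDF2 (Rfc2898DeriveBytes).
    // The random salt stored in the file makes offline guessing cost one PBKDF2 run per guess.
    static byte[] DeriveKey(string password, byte[] salt) =>
        new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256).GetBytes(32);

    // File layout: salt(16) || iv(16) || AES-CBC/PKCS7 ciphertext of the serialized XML.
    public static void Save(string path, AppSettings settings, string password)
    {
        using var aes = Aes.Create();
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        aes.Key = DeriveKey(password, salt);
        aes.GenerateIV();
        using var fs = File.Create(path);
        fs.Write(salt); fs.Write(aes.IV);
        using var cs = new CryptoStream(fs, aes.CreateEncryptor(), CryptoStreamMode.Write);
        new XmlSerializer(typeof(AppSettings)).Serialize(cs, settings);
    }

    // Decrypt into memory only; the file on the flash drive is never rewritten in plaintext.
    public static AppSettings Load(string path, string password)
    {
        byte[] blob = File.ReadAllBytes(path);
        using var aes = Aes.Create();
        aes.Key = DeriveKey(password, blob.AsSpan(0, SaltSize).ToArray());
        aes.IV = blob.AsSpan(SaltSize, IvSize).ToArray();
        using var ms = new MemoryStream(blob, SaltSize + IvSize, blob.Length - SaltSize - IvSize);
        using var cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Read);
        // A wrong password normally surfaces here as a CryptographicException (bad padding).
        return (AppSettings)new XmlSerializer(typeof(AppSettings)).Deserialize(cs);
    }
}
```

CBC gives confidentiality only: someone with write access to the drive can alter the ciphertext without the app noticing beyond a padding error, so if tampering matters, use AesGcm or add an HMAC over salt, IV and ciphertext and verify it before decrypting.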

My solution to this problem follows.

  • Encrypt the whole settings file (you can create your own encryption function) and create a small utility app to change the settings.
  • Only encrypt the password and use a small utility to update/create a password.
Ihtsham Minhas