5

I am aware that this is a more subjective question than is preferred, but I couldn't think of a better place or way to ask it.

I am developing a WPF application, and I have configuration settings in an App.config file. Some of these settings are sensitive information, and it would be best if the users of the machine could not directly access them (the settings would be set during install or administrator configuration).

What is the best way to protect application configuration settings for a WPF desktop application?

Thanks for any help.

Sako73
  • 9,957
  • 13
  • 57
  • 75
  • 1
    Encrypt them? What are you storing? – Oskar Kjellin May 18 '11 at 19:15
  • Encryption would be great, but how could you prevent an advanced user (hacker) from decompiling the application and getting the key? Usernames, passwords (potentially), sensitive URL, providers, etc.. – Sako73 May 18 '11 at 19:24
  • 1
    I don't believe WPF is relevant to the question: that framework doesn't alter the way you interact with an app.config file, as far as I'm aware. – Dan J May 18 '11 at 19:25
  • 2
    For password you would use one way encryption. That way the only way a hacker can get the password is by brute force. There isn't much you can do. If your app can get the value, a hacker can as well – Oskar Kjellin May 18 '11 at 19:26

1 Answers1

2

This question has nothing to do with WPF per se.

.Net offers a wide load of encryption methods.

For passwords, you should really look into one way hash like BCrypt. Then when you authenticate you just hash (make sure you use a salt as well) what the user entered and see if it hashes to the same thing.

For URLs etc I would suggest you check out this question.

You might also find this question similar to yours

Community
  • 1
  • 1
Oskar Kjellin
  • 21,280
  • 10
  • 54
  • 93
  • 1
    MD5 is a hash function, not encryption. see http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html – eflles Oct 05 '12 at 06:25