Upload file to FTP with utmost security

  • Question

  • Dear All,

    I am a novice in uploading files using FTP in C# from a web service. I am a bit more concerned about the security of a winform application based on .NET Framework 2.0.

    Let me explain how I am uploading files to FTP -

    1. Created a function in the WCF web service that returns FTP credentials to the winform application, so that in future we can change the FTP credentials if required.
    2. Use these FTP credentials to upload the file to the FTP server.
    3. As the upload goes on, I show the progress of the file upload to the user.

    Now I doubt that if somehow someone can hack my source code, he or she can get the FTP credentials too, because I myself can decompile the built binary. So the questions are:

    Q.1. How can I protect FTP credentials from hacking?

    My Solution: Do all uploading task from server side without sending FTP credentials.

    But then how can I show progress to user for upload going on?

    Q.2. Is there any mechanism for securing FTP credentials?

    I am looking for answers to both questions. But Q.2. is the topmost priority for me, because this will help me make fewer changes to the existing code.

    ** I had googled a lot for the security issue, but found nothing except links explaining how to upload using FTP. So I am looking for answers or links that help me with the security issue. Please note that I am not looking for Secure FTP upload, only a way of securing my FTP credentials in the WinForm application.


    Vikram Singh Saini (Freelancer on Elance)


    Saturday, September 21, 2013 3:07 AM

All replies

  • Hi Vikram,

    My understanding is that your winform application will retrieve login account (name/pwd) information from a WCF service and use the account to connect to an FTP server, correct?

    If so, for the login account info, if you use the WCF service to return it, you just need to secure the data transfer channel. For example, you can make the WCF service use HTTPS transport. Also, at the WCF service side, how did it get the account username/password? If you store it securely in a database or some other place, then even if your source code is hacked (no matter winform or WCF service side), the account info should not be exposed. In addition, if you want to store account info in your custom data store like an XML file, you can use some .NET built-in data protection/encryption methods such as the managed DPAPI classes to encrypt and decrypt sensitive data.

    #Managed DPAPI Part I: ProtectedData
    http://blogs.msdn.com/b/shawnfa/archive/2004/05/05/126825.aspx

    #ProtectedData Class
    http://msdn.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx

     


    Thanks
    MSDN Community Support


    Monday, September 23, 2013 5:57 AM
    Moderator
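
The DPAPI suggestion in the reply above, sketched as an added example (not code from the thread or from Microsoft): the service encrypts the FTP account with `ProtectedData` before writing it to its data file and decrypts it on load. The class name, file path, entropy string and sample account are assumptions made up for illustration; DPAPI is Windows-only and the project must reference System.Security.dll.

```csharp
using System;
using System.IO;
using System.Security.Cryptography; // ProtectedData: reference System.Security.dll
using System.Text;

static class FtpCredentialStore
{
    // Constructed, app-specific entropy (an assumption); it is not a secret and
    // only separates this blob from other DPAPI data of the same account.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-ftp-store-v1");

    // Encrypts "user\npassword" under the Windows account running the service.
    public static void Save(string path, string user, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(user + "\n" + password);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            File.WriteAllText(path, Convert.ToBase64String(blob));
        }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    // Returns false when the blob was altered or belongs to another account.
    public static bool TryLoad(string path, out string user, out string password)
    {
        user = null; password = null;
        byte[] plain = null;
        try
        {
            plain = ProtectedData.Unprotect(Convert.FromBase64String(File.ReadAllText(path)),
                                            Entropy, DataProtectionScope.CurrentUser);
            string[] parts = Encoding.UTF8.GetString(plain).Split(new char[] { '\n' }, 2);
            if (parts.Length != 2) return false;
            user = parts[0]; password = parts[1];
            return true;
        }
        catch (CryptographicException) { return false; }
        catch (FormatException) { return false; }
        finally { if (plain != null) Array.Clear(plain, 0, plain.Length); }
    }

    static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "ftp-cred.bin");
        Save(path, "demo-user", "constructed-password"); // constructed sample values
        string u, p;
        Console.WriteLine(TryLoad(path, out u, out p) ? "loaded for " + u : "rejected");
        File.Delete(path);
    }
}
```

With `DataProtectionScope.CurrentUser` the file can only be decrypted by the account that wrote it, so copying the file to another machine or reading it as another user yields `rejected`. This covers the credentials at rest on the service host only; once the service returns them to a client, that client holds them in the clear.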
  • Thanks for the smart and intelligent response.
    • The answer to your very first question is: correct.
    • At the WCF server side, it is getting the credentials from an .xml file.

    The Winform software has the following lines for making the web request:

      var ftpRequest = (FtpWebRequest)WebRequest.Create("ftp://" + _ftpServer + "/" + _ftpDirectory + "/" + imgFileName);
      ftpRequest.Proxy = null;
      ftpRequest.Credentials = new NetworkCredential(_ftpUsername, _ftpPassword);
      ftpRequest.Method = WebRequestMethods.Ftp.UploadFile;

    So if I am debugging code I can view FTP credentials as username and password.

    Is there any mechanism such that no one can see those credentials in plain text? But my server side service can identify them correctly.


    Vikram Singh Saini (Freelancer on Elance)

    Monday, September 23, 2013 3:06 PM
  • Hi Jeremy,

    If you're concerned about the account credentials in the program's runtime memory, then I think you might consider using the SecureString class to hold the password credential (which can be used to construct the NetworkCredential class). See the references below:

    #NetworkCredential Constructor (String, SecureString, String)
    http://msdn.microsoft.com/en-us/library/dd783904.aspx

    #SecureString Class
    http://msdn.microsoft.com/en-us/library/system.security.securestring.aspx

    The SecureString class was added in .NET 2.0 to hold in-memory sensitive data (which is auto-encrypted and released right after it is no longer used). Also, for your case, it is important that after the credentials are returned from the webservice method (to the winform client), you transfer the password string data into a SecureString instance and clear the original string reference (which holds the clear text credentials). Anyway, the most secure means is to let the user of the winform app input the credentials so that you can directly transfer the input password characters into the SecureString instance.


    Thanks
    MSDN Community Support


    Tuesday, September 24, 2013 7:58 AM
    Moderator
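
The SecureString hand-off described in the reply above, as an added example (not code from the thread): the password is copied into a `SecureString`, the caller's buffer is zeroed, and the credential is attached to the same `FtpWebRequest` setup the question uses. It assumes, hypothetically, that the service contract delivers the password as `char[]`, since a `string` cannot be wiped; the helper name, host and account values are made up, and the `NetworkCredential(string, SecureString)` overload requires .NET Framework 4 or later rather than the 2.0 runtime named in the question.

```csharp
using System;
using System.Net;
using System.Security;

static class FtpCredentialHelper
{
    // Takes the password as char[] because a string is immutable and cannot be
    // wiped; the array is zeroed before returning, whatever happens.
    public static NetworkCredential Build(string user, char[] password)
    {
        SecureString secure = new SecureString();
        try
        {
            foreach (char c in password) secure.AppendChar(c);
            secure.MakeReadOnly();
            return new NetworkCredential(user, secure); // overload needs .NET Framework 4+
        }
        finally { Array.Clear(password, 0, password.Length); }
    }

    static void Main()
    {
        // Constructed sample; a literal is used here only so the demo is self-contained.
        char[] fromService = "constructed-password".ToCharArray();
        NetworkCredential cred = Build("demo-user", fromService);

        // Placeholder host; no connection is made until a request stream is opened.
        FtpWebRequest req = (FtpWebRequest)WebRequest.Create("ftp://ftp.example.invalid/upload/a.jpg");
        req.Proxy = null;
        req.Credentials = cred;
        req.Method = WebRequestMethods.Ftp.UploadFile;

        Console.WriteLine("caller buffer wiped: " + (fromService[0] == '\0'));
    }
}
```

`NetworkCredential.Password` still returns the cleartext on demand, so this shortens how long stray copies live in the client's memory but does not hide the password from a debugger attached to the process.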