Encrypt data

  • Question

  • Hi,

    I am developing a Windows desktop application (fat client), and I need to encrypt some sensitive data that should reside on the client (like a database password).

    I am using this code, which is inside the application, but the application is obfuscated (including string encryption):

    Imports System.IO
    Imports System.Security.Cryptography
    Imports System.Text

    Public Function GS_DxEncrypt(clearText As String) As String
        ' Passphrase and salt are constants compiled into the application.
        Dim EncryptionKey As String = "J28ZMALD81JE5AN9Z8WYDH1NA92N37SJYEPHG491JA2"
        Dim clearBytes As Byte() = Encoding.Unicode.GetBytes(clearText)
        Using encryptor As Aes = Aes.Create()
            Dim pdb As New Rfc2898DeriveBytes(EncryptionKey, New Byte() {&H49, &H76, &H61, &H6E, &H20, &H4D,
                                                                       &H65, &H64, &H76, &H65, &H64, &H65,
                                                                       &H76})
            ' Derive the 32-byte AES key and the 16-byte IV from the passphrase.
            encryptor.Key = pdb.GetBytes(32)
            encryptor.IV = pdb.GetBytes(16)
            Using ms As New MemoryStream()
                Using cs As New CryptoStream(ms, encryptor.CreateEncryptor(), CryptoStreamMode.Write)
                    cs.Write(clearBytes, 0, clearBytes.Length)
                    cs.Close()
                End Using
                ' Return the ciphertext as Base64 text.
                clearText = Convert.ToBase64String(ms.ToArray())
            End Using
        End Using
        Return clearText
    End Function

    How secure is this method of encryption?

    What is the risk that someone could decrypt data on the client?

    What other options do I have if this is insecure?

    Regards.


    G.Waters


    Wednesday, September 5, 2018 4:26 AM

Answers

  • Hi,

    The method of encryption and decryption should be placed on the server and should not be placed in the local code.

    This will at least ensure that the data is not leaked.

    Best Regards,

    Alex


    MSDN Community Support Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    • Marked as answer by George Waters Wednesday, September 12, 2018 3:47 AM
    Wednesday, September 12, 2018 1:23 AM

All replies

  • Hi,

    You are using AES encryption, which is fast, safe, and consumes low resources.

    AES decryption:

    Imports System.Security.Cryptography

    Private Shared Function AESDecrypt(ByVal toDecrypt As String, ByVal key As String, ByVal ivBytes As Byte()) As String
        Dim toDecryptBytes As Byte() = Convert.FromBase64String(toDecrypt)
        ' Dispose the cipher object and the transform once decryption is done.
        Using rijndael As New RijndaelManaged()
            rijndael.Key = System.Text.Encoding.UTF8.GetBytes(key)
            rijndael.IV = ivBytes
            Using cryptoTransform As ICryptoTransform = rijndael.CreateDecryptor()
                Dim resultArray As Byte() = cryptoTransform.TransformFinalBlock(toDecryptBytes, 0, toDecryptBytes.Length)
                Return System.Text.Encoding.UTF8.GetString(resultArray)
            End Using
        End Using
    End Function

    Best Regards,

    Alex


    Wednesday, September 5, 2018 6:23 AM
  • Thanks Alex,

    My other concern is that I have the key encrypted (to decrypt the database password) in an obfuscated DLL, but I think I am having a security issue here. My question is how to securely handle database passwords in the client for remote connections to MSSQL?


    G.Waters

    Tuesday, September 11, 2018 3:39 PM
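
An added example, not code from any poster in this thread: it contrasts the pattern in the question (AES key and IV derived from constants shipped in the binary, so every install shares one key and equal inputs give equal ciphertext) with Windows DPAPI through `ProtectedData`, where no key is stored in the application. The passphrase, salt, sample password and function names are constructed placeholders; it assumes Windows, and on .NET Core and later the System.Security.Cryptography.ProtectedData package.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module ClientSecretDemo
    ' Constructed placeholders standing in for constants compiled into a client binary.
    Private Const Passphrase As String = "CONSTRUCTED-PASSPHRASE"
    Private ReadOnly Salt As Byte() = Encoding.ASCII.GetBytes("constructed-salt")

    ' Same shape as the posted function: key and IV both derived from fixed inputs.
    Function EncryptWithEmbeddedKey(clearText As String) As String
        Using cipher As Aes = Aes.Create(), kdf As New Rfc2898DeriveBytes(Passphrase, Salt)
            cipher.Key = kdf.GetBytes(32)
            cipher.IV = kdf.GetBytes(16)
            Using enc As ICryptoTransform = cipher.CreateEncryptor()
                Dim data As Byte() = Encoding.Unicode.GetBytes(clearText)
                Return Convert.ToBase64String(enc.TransformFinalBlock(data, 0, data.Length))
            End Using
        End Using
    End Function

    ' DPAPI alternative: Windows derives the key from the logged-on user's credentials,
    ' so the application ships no passphrase, salt or key of its own.
    Function ProtectForCurrentUser(secret As String) As String
        Dim blob As Byte() = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(secret), Nothing, DataProtectionScope.CurrentUser)
        Return Convert.ToBase64String(blob)
    End Function

    Function UnprotectForCurrentUser(stored As String) As String
        Dim clear As Byte() = ProtectedData.Unprotect(
            Convert.FromBase64String(stored), Nothing, DataProtectionScope.CurrentUser)
        Return Encoding.UTF8.GetString(clear)
    End Function

    Sub Main()
        ' Fixed key and IV: two calls on the same input produce the same ciphertext.
        Dim first As String = EncryptWithEmbeddedKey("constructed-db-password")
        Dim second As String = EncryptWithEmbeddedKey("constructed-db-password")
        Console.WriteLine("Embedded key, identical ciphertext: {0}", first = second)

        ' DPAPI blob round-trips only under the Windows account that created it.
        Dim stored As String = ProtectForCurrentUser("constructed-db-password")
        Dim roundTrip As Boolean = (UnprotectForCurrentUser(stored) = "constructed-db-password")
        Console.WriteLine("DPAPI round trip ok: {0}", roundTrip)
    End Sub
End Module
```

`CurrentUser` scope keeps a copied blob from being decrypted under another account or on another machine, but code running as the same Windows user can still call `Unprotect`.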