locked
Password storage issue [C# / .NET] RRS feed

  • Question

  • Hello everybody,

    I encounter a very common issue that I'm sure many people do, but could not find how to solve it.
    Basically, I need to securely store a password and retrieve it later. My application ask the user's password once, then logs him/her in, and then do not ask password anymore in the future.

    My question is not about "how to encrypt data", I already know everything I need to know about encryption/decryption (there are tons and tons of articles everywhere on the web to learn about that) but really how and/or where to securely store critical private data ?

    Hereafter are the contraints for my needs:
    - I must reuse the password to login to subjacents services (that means hash cannot be used)
    - The system must be as minimalist and easy to deploy as possible (that means DB cannot be used)
    - The system is a .NET Windows application (that means ASP.NET security aspects cannot be used)

    For testing, the application write an encrypted test data to a file and then from other application, I tried to get that file decrypted.
    Until then, I tried to use asymetric keys (RSA) and stored the keys to a "Key Container" but I noticed the keys could be acquired if the container name is known, which can be easily found by disassembling the executable.
    I tried to use ProtectedData.Protect and Unprotect methods (DPAPI mapping) but same, any other application running on the same machine could decrypt the file.
    Same as for the methods File.Encrypt and File.Decrypt but even worst because they need the file to be previously written uncyphered on disk.
    Of course I could generate a random session key and encrypt the file with AES, but the problem remain, where to store the AES session key ?
    As for hard-coding a session key, the problem of easily getting the key by disassembling remain...

    What I need is the same secure way that applications such as MSN Messenger or Skype store the user's password.
    OK I can produce an encrypted file that cannot not be read by humans, but still can be easily "unlock" by any program. I cannot imagine that MSN Messenger password file can be so easily decrypted, such a security issue would be known if it were the case.

    I investigated "CardSpace" and "Strong Name" but seems unrelated to my needs.

    Sorry for that long post, and thanks a lot in advance for your help.
    Saturday, January 2, 2010 7:44 PM

All replies

  • Hi – I think my information can help you:

    I think you shall apply my customized solutions for security: I think you shall use the Windows® Registry to store the passwords securely to hash them is very smart, especially when applying the SHA256 hash-algorithm (I do not directly understand you in this case), anyway.

    Please do not use a regular Registry path for this, since they are much easier to trace in the Windows® Registry and re-modify.

    A more protected path is a CLSID path, even if the CLSID (Class Identifier), I believe you shall use that path for higher protection, and by implementing randomization on this you’ll get higher security.    

    CLSID:
    HKEY_CLASSES_ROOT\CLSID\{0000002F-0000-0000-C000-000000000046}

    Before the application exits, it will randomly generate some numbers the first shall be a length of 8, the second shall be, 4, third shall be 4, fourth shall be 4 and the last shall be 12.
    Each of them shall be put into an array of 5 memory boxes.

    Then, using a regular temporary string variable, you shall put them this way:
    string temp = string.Format(“{0}-{1}-{2}-{3}-{4}”, a[0], a[1], a[2], a[3], a[4]);

    If my solution doesn’t work well then apply the SecureString class which can be found under System.Security; namespace.

    Direct link: http://msdn.microsoft.com/en-us/library/system.security.securestring.aspx

    I hope this information was helpful…

    Have a nice day…

    Best regards,
    Fisnik


    Coder24.com
    Sunday, January 3, 2010 7:20 PM
  • I think you're on the right track, but the thing you're missing is that you should supply a byte string in the entropy parameter. That data is known only to you and it must be supplied again to retrieve the data with the Unprotect method. Nobody else can get that secret data unless they know the entropy byte string. 
    Phil Wilson
    Sunday, January 3, 2010 7:32 PM
  • Thanks for your answers.

    Coder24.com, unfortunately your answer do not help me, so I guess my explanation was not clear enough. Let me explain you why I can't hash.
    Actually, my application will login to a Google application and to a SkyDrive in order to store data on remote storage. To login to these services, the application must provide the username and the password (in clear) of the account to use. If I hash the password, I can't get it back to clear anymore as long as the hash algorithm is irreversible.

    PhilWilson, I agree with your idea but that takes me back to the same point. The purpose to store password is to make the user not have to enter his/her password each time he/she uses the application, so if I use an entropy, the user will have to enter the entropy element each time he/she uses the application, which is finally just as same as asking him/her to enter password each time, or I have to store the entropy somewhere to retrieve it later, which takes me to the same question, where and how to store the entropy?

    Thanks for you help.
    Monday, January 4, 2010 3:20 AM
  • Use this then:
    http://msdn.microsoft.com/en-us/library/aa480470.aspx

    Or store the passwords as I told you but un-hashed!

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Monday, January 4, 2010 8:21 AM
  • The idea behind entropy is that you store it separately, or embed it in your code. In your case you are storing a password associated with a user account name. You could perhaps hash that account name to produce a byte string for the entropy, so it would be the same every time you used it (protecty and unprotect).
    Phil Wilson
    Monday, January 4, 2010 6:42 PM
  • Hi Tanuki:

    How is the situation on your side?
    Is this thread solved or NOT?

    Please tell me...

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Monday, January 11, 2010 9:24 AM
  • hiiii

     this is the password in the encrypted form of skype account "aplajy"

    6DA2264A2F2BC7F71525198E11E821249345F7FB1118FBCB114F4CCB7799297DC2A0A
    47FB314A55301BF5700CF4C62E57631FCADE267CC0A0A687F907DE34C47D1824920D7
    787F40844B90E8ADBF6933D3C7A622C9098E11273160747C8B532AB83F84D5488474B
    CB771DE5A2505BECA0FBC1D3C4CCEBF64560C6DC9BDFA0106A5E7FF91D9209704D613
    51493B4CF388145C7438F1D3B49C83BD86624047DD6B5470D4B1F1DA934199F32AB54
    371B60318A2517F725D70A2D8F51F5DEFD3AD6733F5AD4E31B3F2A6CCF45836893C46
    3CEBB3FAC15597EC07A001013F356F7FDE7F33BB91B3B8E95A0525BCCF5C95C82EE49
    A8A58640CD3A37385FBA72763650A76AA20569D39F30D39EB8A5C17690218083B366F
    3E025B774A67092B88A8D18577CA8EC176334AC59F43397035DE787FA923D1A02F2C0
    AC02FE977C05F811ED1EA52EF6AC32BC558AB18BB36FD742925A66670189D5985FE57
    440DA4ED0C7FE3D2414F91829D38E3CA7101B36357CE44D8CE819918B7E0D904F26D7
    1A51135F268F791624F89C8EE11D33EDA68287ECB65F96F5CDC9372C578F834E28529
    140C4C2FE06471CA6239A9751C720BF79B2DB41A63EF9ED952D0BE8E627F2735D40A4
    63F338F59B37BFB076D2ECC2AC21555E9BE28660D8A42FDF151AB2ED9CB9625AEBC6B
    BBD31D94789336EE1FAFA279ED3F8366EBD0195BB1E5EE6B0A90D7C7F75C387EF4B55
    855F12357BF5AE2BCD9817F794B295A38C3B00B0D0F89CE5D796F98D7016E0E534DCA
    9B63FA8F6181F9F4BEAAC1FB26D84EFD77FFB77BD241C735FBA94BCF91911062D32F4
    61385629B899D1A4170098C624E1E53
     

    can any one tell me the link of code of how to decrypt this password??
    its very urgent.
    i promise that connnecting to me will be helpful 2 u..

    Thursday, February 4, 2010 8:42 AM