I need to store some passwords on a client machine which will be used by a (VB / C#) .net application to connect to a database.
The database-name/password combination is delivered to the client based on a web-service that has domain authentication.
So only allowed database-name/password combinations for that user may be stored on the client machine. The storing is important as the user will not always have access to the webservice.

So after webservice access, a list of database-name/password combinations is saved on the client and can be used afterwards by the client-program.

Though, it is not allowed that the user on the client system can read/redistribute the passwords.

So I am looking for a way to encrypt the passwords on the client in such a way that only my application can decrypt it and use them.

No direct reading or decryption by any other application is allowed.
To my knowledge it is hard to hide an encryption key in a .net application without the possibility to read it by examining the application in an editor or by reading the encrypted settings file through another .net application.

Any ideas in how to achieve this goal?

Thanks!

Check Microsoft websites for CNG (Cryptography Next Generation). A good place to start is also here[^]
 
My first suggestion is that you one-way hash the passwords so that they can never be decrypted. Then when a user types in a password you hash it the exact same way and compare it to the stored hash. Here is a function I use to hash passwords.

VB
Public Function HashString(ByVal instrString As String) As String
    'This function will:
    '- Create a SHA2 hash of the incoming parm and return it.
    '  (Hash will be 64 characters long)
  
    'Create an encoding object to ensure the encoding standard for the source text
    Dim Ue As New System.Text.UnicodeEncoding()

    'Retrieve a byte array based on the password
    Dim ByteSourceText() As Byte = Ue.GetBytes(Trim(instrString))

    'Instantiate an SHA2 Provider object
    Dim SHA2 As New System.Security.Cryptography.SHA384Managed

    'Compute the hash value from the source
    Dim ByteHash() As Byte = SHA2.ComputeHash(ByteSourceText)

    'And convert it to String format for return
    Dim strSha2 As String = Convert.ToBase64String(ByteHash)

    Return strSha2

End Function


You can find a lot more information in the CP Articles.[^] You may want to research salting a hash. And this article[^] seemed to really define the different types of cryptography.

Hope this helps.
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)