Hey,
I have a commercial application, that needs to store the user's id and
password on the local machine, and we'd like to hide it from our users
(to prevent fraud etc.).
How can I store my application's data in a hidden way?
And don't tell me the obvious solutions: hidden file, registry key
etc. - isn't there a more reliable\hidden way?
Thanks ahead
--sternr
Lasse Vågsæther Karlsen - 22 Mar 2008 19:45 GMT
> Hey,
> I have a commercial application, that needs to store the user's id and
[quoted text clipped - 8 lines]
>
> --sternr
More hidden, probably. To be more reliable, you need to define what
reliable means.
If your software is running in the context of the logged on user, the
user is able to do whatever the software is able to do, so all you can
hope to achieve is to obfuscate the storage process so much that the
user either loses track, or gives up because it's so much work. You
cannot store the data in a secure manner that only your software has access to.
For instance, using a decompiler (Reflector) or just using your class
libraries, a user could perhaps write a new program that reads out the
values.
To prevent fraud, implement your security on the server where the user
cannot get anywhere except for inside the boundaries you've set, and let
the user type in the password each time.
Are you trying to prevent someone from learning the information, other
than the user? I.e. user uses the program, then closes it and leaves the
computer, and you want to prevent someone else from going up to the
computer and learning the password, or similar cases? If so, then the
answer is to not store the password on the computer at all.

Lasse Vågsæther Karlsen
mailto:lasse@vkarlsen.no
http://presentationmode.blogspot.com/
PGP KeyID: 0xBCDEA2E3
rossum - 22 Mar 2008 20:00 GMT
>Hey,
>I have a commercial application, that needs to store the user's id and
[quoted text clipped - 8 lines]
>
>--sternr
If you must keep things locally then do not store the
username/password but instead store a cryptographic hash of the
username/password. For extra security use some random salt as well.
For a new application you should use SHA-256 as the hash. For
cryptographic salt see
http://en.wikipedia.org/wiki/Salt_(cryptography).
When the user enters their username and password calculate:
hash = SHA-256(username || password || salt) (|| = concatenate)
Store the hash and random salt locally. When the user next enters
their password repeat the calculation and compare the hash values. If
there is a mismatch then do not allow the user access. Each user
should have their own different salt.
Cryptographic hashes are designed so that it is not possible to run
them backwards and deduce the original text from the hash value. The
salt is to make dictionary attacks more difficult.
rossum
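
rossum's scheme in C#, as an added example that is not part of the thread: a per-user random salt, SHA-256 over username, password and salt, and a constant-time comparison on the next login. The type and method names are assumptions, and length-prefixing the fields before hashing is an addition so that the concatenation is unambiguous.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread. StoredCredential and
// LocalCredentialCheck are hypothetical names chosen for illustration.
public sealed record StoredCredential(byte[] Salt, byte[] Hash);

public static class LocalCredentialCheck
{
    // hash = SHA-256(username || password || salt). The two text fields are
    // length-prefixed so ("ab", "c") and ("a", "bc") do not hash to the same value.
    static byte[] Compute(string username, string password, byte[] salt)
    {
        using var ms = new MemoryStream();
        using (var w = new BinaryWriter(ms, Encoding.UTF8, leaveOpen: true))
        {
            w.Write(username);  // Write(string) emits a length prefix, then UTF-8 bytes
            w.Write(password);
            w.Write(salt);
        }
        return SHA256.HashData(ms.ToArray());
    }

    // First login: generate a fresh random salt for this user, keep salt and hash.
    public static StoredCredential Enroll(string username, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        return new StoredCredential(salt, Compute(username, password, salt));
    }

    // Later logins: repeat the calculation and compare without an early exit.
    public static bool Verify(StoredCredential stored, string username, string password)
    {
        byte[] candidate = Compute(username, password, stored.Salt);
        return CryptographicOperations.FixedTimeEquals(candidate, stored.Hash);
    }

    public static void Main()
    {
        // Constructed sample values.
        var a = Enroll("alice", "correct horse");
        var b = Enroll("alice", "correct horse");
        Console.WriteLine(Verify(a, "alice", "correct horse"));    // matching input
        Console.WriteLine(Verify(a, "alice", "wrong"));            // wrong password
        Console.WriteLine(Verify(a, "alic", "ecorrect horse"));    // shifted field boundary
        Console.WriteLine(a.Hash.AsSpan().SequenceEqual(b.Hash));  // same input, different salts
    }
}
```

A single SHA-256 pass is cheap to brute-force once the stored salt and hash have been copied off the machine; replacing the body of `Compute` with `Rfc2898DeriveBytes.Pbkdf2` and a high iteration count raises that cost without changing what is stored.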
sternr - 22 Mar 2008 22:12 GMT
Hey guys thanks for your answers!
My product is a pseudo anti-virus application.
I need to save my user's credentials on the computer to be able to
connect to the server and check for license validity and new updates.
The reason I want to hide the user's credentials is not from the user
(although it does help prevent piracy...),
But from malicious programs that would try to delete\modify this file and
thus disable my product.
Any suggestions?
Thanks again!
--sternr
> >Hey,
> >I have a commercial application, that needs to store the user's id and
[quoted text clipped - 30 lines]
>
> rossum
Lasse Vågsæther Karlsen - 22 Mar 2008 22:23 GMT
> Hey guys thanks for your answers!
> My product is a pseudo anti-virus application.
[quoted text clipped - 7 lines]
>
> Thanks again!
Wouldn't it be easier to just kill your application and delete the .exe
file?
And if you think about it, anywhere your program can get to, a different
program can get to as well.

Lasse Vågsæther Karlsen
mailto:lasse@vkarlsen.no
http://presentationmode.blogspot.com/
PGP KeyID: 0xBCDEA2E3
Peter Bromberg [C# MVP] - 22 Mar 2008 20:09 GMT
Have a look at IsolatedStorage. There are special .NET classes to work with it.
-- Peter
Site: http://www.eggheadcafe.com
UnBlog: http://petesbloggerama.blogspot.com
Short Urls & more: http://ittyurl.net
> Hey,
> I have a commercial application, that needs to store the user's id and
[quoted text clipped - 8 lines]
>
> --sternr