Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Best practices for encrypting and decrypting passwords? (C#/.NET)

Tags:

I need to store and encrypt a password in a (preferably text) file, that I later need to be able to decrypt. The password is for another service that I use, and needs to be sent there in clear text (over SSL). This is not something I can change. What are best practices in this area? How can achieve some degree of protection of the password from malicious users?

My platform is WinForms with C#/.NET 3.5.

Thanks.

like image 387
Eyvind Avatar asked Apr 24 '09 08:04

Eyvind


People also ask

What is the best encryption for passwords?

Google recommends using stronger hashing algorithms such as SHA-256 and SHA-3. Other options commonly used in practice are bcrypt , scrypt , among many others that you can find in this list of cryptographic algorithms.

What algorithm is used to encrypt password?

RSA Security RSA is a public-key encryption algorithm and the standard for encrypting data sent over the internet. It also happens to be one of the methods used in PGP and GPG programs.

What is encryption and decryption in C?

Example: C program to encrypt and decrypt the string using RSA algorithm. RSA is another method for encrypting and decrypting the message. It involves public key and private key, where the public key is known to all and is used to encrypt the message whereas private key is only used to decrypt the encrypted message.

How do I encrypt my username and password?

If you send the encryption key from the server to the client or the other way around you need to encrypt your symmetric encryption key. The easiest way to do this would be to use TLS. If you use TLS, then the data as well as key are encrypted, so you don't need to encrypt it yourself.


4 Answers

I am assuming that you want to encrypt the password as it will be on the users machine and they will (possibly) be able to find it and use it? If so you are basically screwed - no matter what you do, since it is in the users domain they will be able to get it and figure out the encryption and get the password for the encryption (remember that using Reflector - and it's clones - isn't out of the reach of most) and decrypt it and they have it. In short all you are doing is obfuscating the password, not securing it.

What I would recommend is actually move it out of the users control. For example put up a web service which communicates with the client and returns the password securely when requested. This also allows you to change the password, if needed in future as well as provides you with a way to validate legitimate users.

like image 132
Robert MacLean Avatar answered Oct 26 '22 16:10

Robert MacLean


Why you need to decrypt the password? Usually a salted hash of the password is stored and compared. If you encrypt/decrypt the password you have the password as plain text again and this is dangerous. The hash should be salted to avoid duplicated hash if the some users have the same passwords. For the salt you can take the user name.

HashAlgorithm hash = new SHA256Managed(); string password = "12345"; string salt = "UserName";  // compute hash of the password prefixing password with the salt byte[] plainTextBytes = Encoding.UTF8.GetBytes(salt + password); byte[] hashBytes = hash.ComputeHash(plainTextBytes);  string hashValue = Convert.ToBase64String(hashBytes); 

You can calculate the salted hash of the password and store that within your file. During the authentication you calculate the hash from the user entries again and compare this hash with the stored password hash. Since it should be very difficult (its never impossible, always a matter of time) to get the plain text from a hash the password is protected from reading as plain text again.

Tip: Never store or send a password unencrypted. If you get a new password, encrypt is as soon as possible!

like image 39
Enyra Avatar answered Oct 26 '22 15:10

Enyra


System.Security.Cryptography.ProtectedData in the System.Security assembly uses some Windows APIs to encrypt data with a password only it knows.

One possibly use of this would be to have a Windows service that actually does the operation requiring the password. The application that the user interacts with calls into the service via remoting or WCF. As long as the service used DataProtectionScope.CurrentUser and the service user is different from the logged on user, the password should be pretty safe.

This of course assumes that the users are running as limited users who cannot modify the service or run program as the service's user.

like image 33
Austin Avatar answered Oct 26 '22 17:10

Austin


Because you are using WinForms and .Net, your code is going to be visible in MSIL - even if obfuscated, and therefore your decryption code is visible.

Who are you trying to hide the password from? Is the user of the app not supposed to know the password?

I think you are going to need to do some user validation, and I would be tempted to put keys to the decryption in a separate database and provide some other mechanism to get that out which should require authentication. That way you can get the decryption code out of the winforms app.

I would also suggest a separate service which runs to regularly change the encryption decryption keys and updates all passwords in the database.

like image 43
Sam Meldrum Avatar answered Oct 26 '22 15:10

Sam Meldrum