Solved

How can I save data that my app uses, to file, in a way that no one can decipher other than my app?

Posted on 2006-07-05
Last Modified: 2010-04-24
I want to write a quick and simple security app.

The app will contain data (an array) that will need to be saved locally when the app shuts down, but the data is sensitive and commercial. So the saved file must not be able to be accessed or read or deciphered by anyone else other than my application during run time.

Is it possible to store the data in an array then save it to some sort of file as an object? (i.e. not serialized and thus capable of being read in Notepad)

My app will also need to be capable of updating this data file from a source file through design time coding.

Any ideas on best how to meet this requirement?

 
0
Comment
Question by:IvanHowarth
11 Comments
 
LVL 4

Expert Comment

by:g_johnson
ID: 17044356
First, I would use encryption, and for that I use RijndaelSimple.

Then, how you store it is up to you. Registry for easy updates, XML file (same thing), text file (tougher to update unless you want to rewrite the file every time).
0
 
LVL 24

Accepted Solution

by:
Jeff Certain earned 500 total points
ID: 17050812
A warning about using the registry... Vista will not allow applications to write to the registry without administrative permission. Most users will not have administrative permissions. So... registry use will be virtualized (i.e. redirected) and may have unintended consequences.

Other than that... any encryption you use will end up requiring a key and (possibly) an initial vector (IV). These have to be stored somewhere, or else you can't encrypt/decrypt. Securing these items is as important as encrypting your data. Just putting them in code really isn't sufficient, since Roeder's Reflector can decompile .NET code pretty easily.

I believe (and I may be wrong) that the System.Security namespace in 2.0 contains methods for encryption/decryption that include storing keys in a machine local that is pretty tough to find. IIRC, they're actually stored and then encrypted with those keys stored elsewhere. In effect, the only way you can decrypt data is if you are on the same machine that encrypted it.

This raises another issue -- you'll need to make sure you have copies of your keys stored someplace else.

What about storing the data as a BLOB (binary large object) on a database server? If you use SQL server (perhaps even SQL express), you could use a SQL server account that would ensure that only your app can access the data.
0
 

Author Comment

by:IvanHowarth
ID: 17064416
Chaosian

I have since decided to store the master source data within SQL server within our LAN, updated by my 'Office App'. No problem! But as engineers regularly go mobile with their laptop, they need the 'Mobile App' which is the issue.

As soon as the 'Mobile App' connects to the LAN, it automatically connects to the SQL server and gets a fresh set of data. This is currently loaded in a DataTable and DataView (not an array as originally intended). So forget about how the read-only data is to be used, I just want the contents of the DataTable encrypted and saved to disc (or saved to disc then immediately encrypted). Then when mobile, as soon as it realises that there is no SQL server to connect to, it decrypts the data and loads it back into a DataTable>DataView ready for use.

Do you know, or can you provide any sample code to meet my objective, from a populated DataTable onwards?

This would really help as I am discovering different methods (Rijndael or System.Security namespace etc) but have never seen it done before.
0
 
LVL 24

Expert Comment

by:Jeff Certain
ID: 17064599
Have you considered storing the data in a local instance of SQL Express on the engineers' laptops rather than as a file?
0
 

Author Comment

by:IvanHowarth
ID: 17064712
Not come across SQL Express before - sounds interesting. Is it compatible with databases built using SQL Server 2000? I'll do some further research myself.
0
 
LVL 24

Expert Comment

by:Jeff Certain
ID: 17064789
SQL Express is the (free) replacement for MSDE. It is a version of SQL 2005. As far as ADO .NET is concerned, it is a SqlClient. Should be straight-forward if you're used to dealing with SQL 2000.
0
 

Author Comment

by:IvanHowarth
ID: 17064929
I think this will make things so much easier, but just a quick question - does it have the security to stop anything other than my app accessing it - i.e. another app installed on the laptops, others trying to hack into it etc. Because this is only a copy of the master database, I need it impossible for anything to access it other than the DataAdapter in my App.
0
 
LVL 24

Expert Comment

by:Jeff Certain
ID: 17064952
Well, you'll need to take the standard steps to protect your database -- encrypted connection string, strong password, user account on SQL with proper permissions, etc.

If you have access to a SQL DBA, they'll be able to help you with all that stuff.

Keep in mind that unless you use Obfuscator or a similar product, your .exe can be decompiled using Roeder's reflector. So you want to be really careful of where you put your connection string, etc.
0
 
LVL 24

Expert Comment

by:Jeff Certain
ID: 17064958
By the way... I'd guess that by now you're realizing that tight security is never "quick and simple." :)
0
 

Author Comment

by:IvanHowarth
ID: 17065013
lol - thanks. I'll keep you posted :-)
0
 

Author Comment

by:IvanHowarth
ID: 17114652
I've downloaded SQL Express - it looks impressive. But without having time to fully play with it, I'm not confident that I could block all the doors to the actual DB on a local machine. I'm only familiar with SQL server 2000 safely residing on a secure LAN.

Microsoft has a sample vb.net encrypting and decrypting app using either Rijndael or TripleDES, but it doesn't work (not if you close the app after encrypting, then open it again to decrypt). Shame, I could apply that coding to mine.

Do you know of any other similar code samples I could follow? Or books, or is SQL Express worth investing time to get familiar with? Whatever, it must be able to work on XP Home (as this is unfortunately installed on the laptops).

0
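One API in .NET 2.0 that matches the machine-bound key storage described in the accepted answer is `ProtectedData` (the Windows Data Protection API); the following is an added example, not code from any poster in this thread, applying it to the DataTable cache from the author's follow-up. The module name, entropy string, table contents and file name are assumptions made for illustration.

```vb
' Added example. References needed: System.Data, System.Xml, System.Security (.NET 2.0+).
Imports System
Imports System.Data
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Public Module ProtectedTableStore
    ' Hypothetical app-specific entropy; it is visible to a decompiler and is not a secret.
    Private ReadOnly Entropy As Byte() = Encoding.UTF8.GetBytes("MobileApp.OfflineCache.v1")

    ' Serialise schema and rows to XML in memory, then encrypt for the current Windows user.
    Public Sub SaveTable(ByVal table As DataTable, ByVal filePath As String)
        Using ms As New MemoryStream()
            table.WriteXml(ms, XmlWriteMode.WriteSchema)
            Dim cipher As Byte() = ProtectedData.Protect(ms.ToArray(), Entropy, DataProtectionScope.CurrentUser)
            File.WriteAllBytes(filePath, cipher)
        End Using
    End Sub

    ' Decrypt and rebuild the table. Returns Nothing when the file is missing or
    ' cannot be decrypted (tampered with, or copied from another account or machine).
    Public Function LoadTable(ByVal filePath As String) As DataTable
        If Not File.Exists(filePath) Then Return Nothing
        Try
            Dim plain As Byte() = ProtectedData.Unprotect(File.ReadAllBytes(filePath), Entropy, DataProtectionScope.CurrentUser)
            Dim table As New DataTable()
            Using ms As New MemoryStream(plain)
                table.ReadXml(ms)
            End Using
            Return table
        Catch ex As CryptographicException
            Return Nothing
        End Try
    End Function

    Public Sub Main()
        ' Constructed sample data standing in for the rows fetched from SQL Server.
        Dim t As New DataTable("Parts")
        t.Columns.Add("PartNo", GetType(String))
        t.Columns.Add("Cost", GetType(Decimal))
        t.Rows.Add("A-100", 12.5D)
        Dim cacheFile As String = Path.Combine(Path.GetTempPath(), "parts.cache")
        SaveTable(t, cacheFile)
        Dim back As DataTable = LoadTable(cacheFile)
        Console.WriteLine("{0} row(s), first part {1}", back.Rows.Count, back.Rows(0)("PartNo"))
    End Sub
End Module
```

Because the key is held by Windows in the user's profile rather than in the program, the file still decrypts after the app is closed and reopened, and no key or IV has to be embedded in the executable. `DataProtectionScope.CurrentUser` stops the file being read under another account or on another machine, but any other program running as the same Windows user can call `Unprotect` as well, so it does not restrict access to this one application.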
