Improve company productivity with a Business Account.Sign Up

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 445
  • Last Modified:

.net protecting application secrets

Hi Experts,
I have a maybe simple or maybe strange question.
I'm just looking for how is this normally dealt with, what is the practice?

For a Windows form application to access a SQL server, (or other things) it will need that login information available somewhere, somewhere also the user will have access to. At the same time you might not want everyone in your organization to have direct SQL access to your database. So you'll need to protect this type of information, even from the users.

At the same time I understand it's relatively easy to de-compile any .net program and get back to something very close to the source code. So even things written in your code is not really "safe".

Connection strings I assume you would often want to put into a separate file so it's easy to change, without having to re-compile and distribute your program. You can encrypt that in the file so it can't easily be read by anyone. But you need to keep the key to de-crypt it again somewhere. I'm guessing this would normally be kept in the code itself and not saved externally in plain text. (You can't encrypt the key used to de-crypt the same key.)

So if anyone can de-compile your .net code, read through the code and find the key (and salt value etc) they also know how to de-crypt the connection string.
Then how do you protect that "application secret"?

I can think of a few ways to try to deal with it.
-Tools to obscure your code (code obfuscation, I guess is the correct term) would make it more difficult to find the key, I guess?
-In terms of SQL login you move the security to the SQL server and limit the application user - can't login with Management Studio, can only run stored procedures etc.
-If other languages is harder to de-compile or disassemble, maybe create a .dll in for example C that handles the de-cryption?

So how do you normally protect information like encryption key etc?

3 Solutions
Dennis AriesCEO @ Arkro ITCommented:
A system we use is to hand out a random key on each initial contact that will be used for further data exchange. Therefor the first contact is virtually unencrypted but in result, no key is stored in either code or on the client side.
Your question is neither simple nor strange.

Almost every developer want's their application hacker safe, the sad part is, it's no more than wishful thinking, especially for a .net application.

This may further enlighten you.
Ted BouskillSenior Software DeveloperCommented:
The only safe way to do this in an organization is to use Windows Integrated Authentication and ensure the application has the least privileges available to access stored procedures.  That way access is tied to their Windows domain account.

I work in computer security for a game company (I'm an ethical hacker) and used to work for a company that managed securities (shares) where insider theft of information was a serious issue.

ODBC passwords are always sent in the clear.  So, no matter what you do to encrypt the password on disk or in memory using whitebox cryptography, a malicious user can get it using Fiddler, Wireshark or a proxy.  SSL encrypts traffic to prevent 3rd parties from sniffing traffic, it won't protect a malicious client.

If there is code you want to protect you have to use unmanaged code (C++) and a solution from a 3rd party like Arxan or Denuvo (formerly part of Sony DADC) to add code obfuscation that is extremely difficult to decompile.  We've protected a triple A game for 45 days from the best hackers in the world, however eventually it can be defeated.
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

Alan WarrenApplications DeveloperCommented:
Hi VikingOnline,
At the same time I understand it's relatively easy to de-compile any .net program and get back to something very close to the source code. So even things written in your code is not really "safe".
I didn't know that, I always assumed that if you define a named connection string in the site web.config that would be secure.
    <remove name="cnAspNet" />
    <add name="cnAspNet" connectionString="Data;Initial Catalog=SQL2008R2_aspnet;Connect Timeout=15; pooling='true'; Max Pool Size=200;Persist Security Info=True;User ID=aspnet_user;Password=secret" providerName="System.Data.SqlClient" />

Open in new window

Then if you reference the connection string by name when initiating a transaction the detail of the connection string would be transparent.
                ' Create Instance of Connection and Command Object
                Using myConnection As New System.Data.SqlClient.SqlConnection(ConfigurationManager.ConnectionStrings("cnAspNet").ConnectionString)
                  Using myCommand As New System.Data.SqlClient.SqlCommand("Rica_BookUpload_Ins", myConnection)

                    ' Mark the Command as a SPROC
                    myCommand.CommandType = System.Data.CommandType.StoredProcedure

                    ' Add Parameters to SPROC
                    ' Populate parameter, @ID int = null output
                    Dim prmID As New System.Data.SqlClient.SqlParameter("@ID", System.Data.SqlDbType.Int)
                    prmID.Direction = Data.ParameterDirection.InputOutput
                    prmID.Value = intID

                      ' Open the connection

                      ' Execute the stored procedure

                      End If

                    Catch SQLexc As System.Data.SqlClient.SqlException
                      Me.lblErrorMessage.Text = SQLexc.Message
                      Me.lblErrorMessage.Visible = True
                    End Try

                  End Using
                End Using

Open in new window

Respectfully yours,
Alan ";0)
The better code obfuscation applications offer string encryption, so that there's no way to read the string by looking at the decompiled version of your source code. CodeFort actually offers it in its free version; Dotfuscator, Skater, and others that I know of include string encryption only in their paid versions. So with any of those, you can keep your encryption key itself encrypted.
satsumoSoftware DeveloperCommented:
Some very good answer here. My idea would be to keep all the security on the server side of this problem. You are trying to control access to a database on a network so don't let people access the database directly. Have your program access a server program which regulates information to the database according to where the connection comes from. The database doesn't need to be accessible through the network. Perhaps using IP addresses, usernames or MAC address to idenitify logins.
Server access is done at the web root level.  simple put the connection string above the root. Then only a privileged processed on the server can access the connection string and passes the handle to the app.  That allows full authentication to be on the server using sessions.

VikingOnlineAuthor Commented:
Hey guys,
Thank you for all your answers.

I'm glad it was not as strange question as I was afraid it would be. I guess it's a concern for many, both from security and from protecting your code. Luckily I'm sure nobody wants to steal my simple code.

Some of the answers are and folders on web.config and make sure that file is outside reach. This is for a web form and not
VikingOnlineAuthor Commented:
Tedbilly, yes, if you are in a domain environment then I can see Windows authentication working for protecting SQL. Although it would only be for SQL and still leave encryption keys for example. I guess you could put it into the SQL server and request them from there. But then I guess you could always "listen" on the network communication from the program etc.

But I guess you are at least making it a little more difficult to and the level of technical knowledge to decompile, read code, listen to network traffic is starting to be a lot. It's beyond a "normal user" so someone in the organization would need help from someone outside etc.
VikingOnlineAuthor Commented:
Dennis Aries, I'm not sure if I follow. Somehow the first contact has to be made. That has to somehow identify you as someone to give a key to. If you know how to request for a key, you can just write your own program or something to send a request for the key. Or something I'm missing?
VikingOnlineAuthor Commented:
ElrondCT, yeah I can see this being one solution. Obfuscation and if that also encrypt strings, that would make it a lot harder.
And I guess like Tedbilly says, unmanaged code makes it even harder. And at that stage you should be talking professional hackers and not just a hobby computer guy.
VikingOnlineAuthor Commented:
Satsumo, OK, I see where you are going. That solves the SQL login as you just send information to a server service that can have all sort of validation before passing it on to SQL.

I guess it's a solution similar to the Windows authentication when it's outside a domain structure and outside a way to use Windows authentication.

I think writing a server service like that is a little outside my knowledge level, but at least I see where you are going with it.
satsumoSoftware DeveloperCommented:
You might consider using something like Node.js to simply the process of writing the server. This really isn't my area of expertise but its something I've thought about too.
VikingOnlineAuthor Commented:
Again, thank you for all your replies. I shared out the points to some of the suggestions.

In the end I guess it comes down to how big the need for protection is. For example a trading company that needs to comply with SSC regulations on information, or banks etc. etc. is in one far side of the scale, whilst on the other side of the scale could be some simple tools for the local sports team can be annoying if someone erases your data or mess up your systems but you'll get over it.

Professionally, domains and Windows based access can help a lot.
On smaller scale obfuscation and unmanaged code are your friends.
And depending on the situation, pushing something back to a central server could help keep something further away from end users.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now