Solved

.net protecting application secrets

Posted on 2014-03-08
14
384 Views
Last Modified: 2014-03-09
Hi Experts,
I have a maybe simple or maybe strange question.
I'm just looking for how is this normally dealt with, what is the practice?

For a Windows form application to access a SQL server, (or other things) it will need that login information available somewhere, somewhere also the user will have access to. At the same time you might not want everyone in your organization to have direct SQL access to your database. So you'll need to protect this type of information, even from the users.

At the same time I understand it's relatively easy to de-compile any .net program and get back to something very close to the source code. So even things written in your code is not really "safe".

Connection strings I assume you would often want to put into a separate file so it's easy to change, without having to re-compile and distribute your program. You can encrypt that in the file so it can't easily be read by anyone. But you need to keep the key to de-crypt it again somewhere. I'm guessing this would normally be kept in the code itself and not saved externally in plain text. (You can't encrypt the key used to de-crypt the same key.)

So if anyone can de-compile your .net code, read through the code and find the key (and salt value etc) they also know how to de-crypt the connection string.
Then how do you protect that "application secret"?

I can think of a few ways to try to deal with it.
-Tools to obscure your code (code obfuscation, I guess is the correct term) would make it more difficult to find the key, I guess?
-In terms of SQL login you move the security to the SQL server and limit the application user - can't login with Management Studio, can only run stored procedures etc.
-If other languages is harder to de-compile or disassemble, maybe create a .dll in for example C that handles the de-cryption?

So how do you normally protect information like encryption key etc?

Ronny
0
Comment
Question by:VikingOnline
14 Comments
 
LVL 18

Expert Comment

by:Dennis Aries
ID: 39915139
A system we use is to hand out a random key on each initial contact that will be used for further data exchange. Therefor the first contact is virtually unencrypted but in result, no key is stored in either code or on the client side.
0
 
LVL 26

Expert Comment

by:MacroShadow
ID: 39915149
Your question is neither simple nor strange.

Almost every developer want's their application hacker safe, the sad part is, it's no more than wishful thinking, especially for a .net application.

This may further enlighten you. http://stackoverflow.com/a/651375
0
 
LVL 51

Accepted Solution

by:
tedbilly earned 84 total points
ID: 39915305
The only safe way to do this in an organization is to use Windows Integrated Authentication and ensure the application has the least privileges available to access stored procedures.  That way access is tied to their Windows domain account.

I work in computer security for a game company (I'm an ethical hacker) and used to work for a company that managed securities (shares) where insider theft of information was a serious issue.

ODBC passwords are always sent in the clear.  So, no matter what you do to encrypt the password on disk or in memory using whitebox cryptography, a malicious user can get it using Fiddler, Wireshark or a proxy.  SSL encrypts traffic to prevent 3rd parties from sniffing traffic, it won't protect a malicious client.

If there is code you want to protect you have to use unmanaged code (C++) and a solution from a 3rd party like Arxan or Denuvo (formerly part of Sony DADC) to add code obfuscation that is extremely difficult to decompile.  We've protected a triple A game for 45 days from the best hackers in the world, however eventually it can be defeated.
0
 
LVL 26

Expert Comment

by:Alan Warren
ID: 39915742
Hi VikingOnline,
Re:
At the same time I understand it's relatively easy to de-compile any .net program and get back to something very close to the source code. So even things written in your code is not really "safe".
I didn't know that, I always assumed that if you define a named connection string in the site web.config that would be secure.
  <connectionStrings>
    <remove name="cnAspNet" />
    <add name="cnAspNet" connectionString="Data Source=tcp:sql2k805.somereputablehost.net;Initial Catalog=SQL2008R2_aspnet;Connect Timeout=15; pooling='true'; Max Pool Size=200;Persist Security Info=True;User ID=aspnet_user;Password=secret" providerName="System.Data.SqlClient" />
  </connectionStrings>

Open in new window

Then if you reference the connection string by name when initiating a transaction the detail of the connection string would be transparent.
                ' Create Instance of Connection and Command Object
                Using myConnection As New System.Data.SqlClient.SqlConnection(ConfigurationManager.ConnectionStrings("cnAspNet").ConnectionString)
                  Using myCommand As New System.Data.SqlClient.SqlCommand("Rica_BookUpload_Ins", myConnection)

                    ' Mark the Command as a SPROC
                    myCommand.CommandType = System.Data.CommandType.StoredProcedure

                    ' Add Parameters to SPROC
                    ...
     
                    ' Populate parameter, @ID int = null output
                    Dim prmID As New System.Data.SqlClient.SqlParameter("@ID", System.Data.SqlDbType.Int)
                    prmID.Direction = Data.ParameterDirection.InputOutput
                    prmID.Value = intID
                    myCommand.Parameters.Add(prmID)


                    Try
                      ' Open the connection
                      myConnection.Open()

                      ' Execute the stored procedure
                        myCommand.ExecuteNonQuery()

                      End If


                    Catch SQLexc As System.Data.SqlClient.SqlException
                      Me.lblErrorMessage.Text = SQLexc.Message
                      Me.lblErrorMessage.Visible = True
                    End Try

                  End Using
                End Using

Open in new window

Respectfully yours,
Alan ";0)
0
 
LVL 20

Assisted Solution

by:ElrondCT
ElrondCT earned 83 total points
ID: 39915757
The better code obfuscation applications offer string encryption, so that there's no way to read the string by looking at the decompiled version of your source code. CodeFort actually offers it in its free version; Dotfuscator, Skater, and others that I know of include string encryption only in their paid versions. So with any of those, you can keep your encryption key itself encrypted.
0
 
LVL 12

Assisted Solution

by:satsumo
satsumo earned 83 total points
ID: 39915860
Some very good answer here. My idea would be to keep all the security on the server side of this problem. You are trying to control access to a database on a network so don't let people access the database directly. Have your program access a server program which regulates information to the database according to where the connection comes from. The database doesn't need to be accessible through the network. Perhaps using IP addresses, usernames or MAC address to idenitify logins.
0
 
LVL 53

Expert Comment

by:COBOLdinosaur
ID: 39915910
Server access is done at the web root level.  simple put the connection string above the root. Then only a privileged processed on the server can access the connection string and passes the handle to the app.  That allows full authentication to be on the server using sessions.

Cd&
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 

Author Comment

by:VikingOnline
ID: 39916051
Hey guys,
Thank you for all your answers.

I'm glad it was not as strange question as I was afraid it would be. I guess it's a concern for many, both from security and from protecting your code. Luckily I'm sure nobody wants to steal my simple code.

Some of the answers are asp.net and folders on web.config and make sure that file is outside reach. This is for a web form and not asp.net.
0
 

Author Comment

by:VikingOnline
ID: 39916058
Tedbilly, yes, if you are in a domain environment then I can see Windows authentication working for protecting SQL. Although it would only be for SQL and still leave encryption keys for example. I guess you could put it into the SQL server and request them from there. But then I guess you could always "listen" on the network communication from the program etc.

But I guess you are at least making it a little more difficult to and the level of technical knowledge to decompile, read code, listen to network traffic is starting to be a lot. It's beyond a "normal user" so someone in the organization would need help from someone outside etc.
0
 

Author Comment

by:VikingOnline
ID: 39916063
Dennis Aries, I'm not sure if I follow. Somehow the first contact has to be made. That has to somehow identify you as someone to give a key to. If you know how to request for a key, you can just write your own program or something to send a request for the key. Or something I'm missing?
0
 

Author Comment

by:VikingOnline
ID: 39916071
ElrondCT, yeah I can see this being one solution. Obfuscation and if that also encrypt strings, that would make it a lot harder.
And I guess like Tedbilly says, unmanaged code makes it even harder. And at that stage you should be talking professional hackers and not just a hobby computer guy.
0
 

Author Comment

by:VikingOnline
ID: 39916077
Satsumo, OK, I see where you are going. That solves the SQL login as you just send information to a server service that can have all sort of validation before passing it on to SQL.

I guess it's a solution similar to the Windows authentication when it's outside a domain structure and outside a way to use Windows authentication.

I think writing a server service like that is a little outside my knowledge level, but at least I see where you are going with it.
0
 
LVL 12

Expert Comment

by:satsumo
ID: 39916415
You might consider using something like Node.js to simply the process of writing the server. This really isn't my area of expertise but its something I've thought about too.
0
 

Author Closing Comment

by:VikingOnline
ID: 39916543
Again, thank you for all your replies. I shared out the points to some of the suggestions.

In the end I guess it comes down to how big the need for protection is. For example a trading company that needs to comply with SSC regulations on information, or banks etc. etc. is in one far side of the scale, whilst on the other side of the scale could be some simple tools for the local sports team can be annoying if someone erases your data or mess up your systems but you'll get over it.

Professionally, domains and Windows based access can help a lot.
On smaller scale obfuscation and unmanaged code are your friends.
And depending on the situation, pushing something back to a central server could help keep something further away from end users.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Go is an acronym of golang, is a programming language developed Google in 2007. Go is a new language that is mostly in the C family, with significant input from Pascal/Modula/Oberon family. Hence Go arisen as low-level language with fast compilation…
In this post we will learn how to connect and configure Android Device (Smartphone etc.) with Android Studio. After that we will run a simple Hello World Program.
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now