.net protecting application secrets

Posted on 2014-03-08
Last Modified: 2014-03-09
Hi Experts,
I have a maybe simple or maybe strange question.
I'm just looking for how is this normally dealt with, what is the practice?

For a Windows form application to access a SQL server, (or other things) it will need that login information available somewhere, somewhere also the user will have access to. At the same time you might not want everyone in your organization to have direct SQL access to your database. So you'll need to protect this type of information, even from the users.

At the same time I understand it's relatively easy to de-compile any .net program and get back to something very close to the source code. So even things written in your code is not really "safe".

Connection strings I assume you would often want to put into a separate file so it's easy to change, without having to re-compile and distribute your program. You can encrypt that in the file so it can't easily be read by anyone. But you need to keep the key to de-crypt it again somewhere. I'm guessing this would normally be kept in the code itself and not saved externally in plain text. (You can't encrypt the key used to de-crypt the same key.)

So if anyone can de-compile your .net code, read through the code and find the key (and salt value etc) they also know how to de-crypt the connection string.
Then how do you protect that "application secret"?

I can think of a few ways to try to deal with it.
-Tools to obscure your code (code obfuscation, I guess is the correct term) would make it more difficult to find the key, I guess?
-In terms of SQL login you move the security to the SQL server and limit the application user - can't login with Management Studio, can only run stored procedures etc.
-If other languages is harder to de-compile or disassemble, maybe create a .dll in for example C that handles the de-cryption?

So how do you normally protect information like encryption key etc?

Question by:VikingOnline
LVL 18

Expert Comment

by:Dennis Aries
ID: 39915139
A system we use is to hand out a random key on each initial contact that will be used for further data exchange. Therefor the first contact is virtually unencrypted but in result, no key is stored in either code or on the client side.
LVL 27

Expert Comment

ID: 39915149
Your question is neither simple nor strange.

Almost every developer want's their application hacker safe, the sad part is, it's no more than wishful thinking, especially for a .net application.

This may further enlighten you.
LVL 51

Accepted Solution

Ted Bouskill earned 84 total points
ID: 39915305
The only safe way to do this in an organization is to use Windows Integrated Authentication and ensure the application has the least privileges available to access stored procedures.  That way access is tied to their Windows domain account.

I work in computer security for a game company (I'm an ethical hacker) and used to work for a company that managed securities (shares) where insider theft of information was a serious issue.

ODBC passwords are always sent in the clear.  So, no matter what you do to encrypt the password on disk or in memory using whitebox cryptography, a malicious user can get it using Fiddler, Wireshark or a proxy.  SSL encrypts traffic to prevent 3rd parties from sniffing traffic, it won't protect a malicious client.

If there is code you want to protect you have to use unmanaged code (C++) and a solution from a 3rd party like Arxan or Denuvo (formerly part of Sony DADC) to add code obfuscation that is extremely difficult to decompile.  We've protected a triple A game for 45 days from the best hackers in the world, however eventually it can be defeated.
MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

LVL 26

Expert Comment

by:Alan Warren
ID: 39915742
Hi VikingOnline,
At the same time I understand it's relatively easy to de-compile any .net program and get back to something very close to the source code. So even things written in your code is not really "safe".
I didn't know that, I always assumed that if you define a named connection string in the site web.config that would be secure.
    <remove name="cnAspNet" />
    <add name="cnAspNet" connectionString="Data;Initial Catalog=SQL2008R2_aspnet;Connect Timeout=15; pooling='true'; Max Pool Size=200;Persist Security Info=True;User ID=aspnet_user;Password=secret" providerName="System.Data.SqlClient" />

Open in new window

Then if you reference the connection string by name when initiating a transaction the detail of the connection string would be transparent.
                ' Create Instance of Connection and Command Object
                Using myConnection As New System.Data.SqlClient.SqlConnection(ConfigurationManager.ConnectionStrings("cnAspNet").ConnectionString)
                  Using myCommand As New System.Data.SqlClient.SqlCommand("Rica_BookUpload_Ins", myConnection)

                    ' Mark the Command as a SPROC
                    myCommand.CommandType = System.Data.CommandType.StoredProcedure

                    ' Add Parameters to SPROC
                    ' Populate parameter, @ID int = null output
                    Dim prmID As New System.Data.SqlClient.SqlParameter("@ID", System.Data.SqlDbType.Int)
                    prmID.Direction = Data.ParameterDirection.InputOutput
                    prmID.Value = intID

                      ' Open the connection

                      ' Execute the stored procedure

                      End If

                    Catch SQLexc As System.Data.SqlClient.SqlException
                      Me.lblErrorMessage.Text = SQLexc.Message
                      Me.lblErrorMessage.Visible = True
                    End Try

                  End Using
                End Using

Open in new window

Respectfully yours,
Alan ";0)
LVL 20

Assisted Solution

ElrondCT earned 83 total points
ID: 39915757
The better code obfuscation applications offer string encryption, so that there's no way to read the string by looking at the decompiled version of your source code. CodeFort actually offers it in its free version; Dotfuscator, Skater, and others that I know of include string encryption only in their paid versions. So with any of those, you can keep your encryption key itself encrypted.
LVL 12

Assisted Solution

satsumo earned 83 total points
ID: 39915860
Some very good answer here. My idea would be to keep all the security on the server side of this problem. You are trying to control access to a database on a network so don't let people access the database directly. Have your program access a server program which regulates information to the database according to where the connection comes from. The database doesn't need to be accessible through the network. Perhaps using IP addresses, usernames or MAC address to idenitify logins.
LVL 53

Expert Comment

ID: 39915910
Server access is done at the web root level.  simple put the connection string above the root. Then only a privileged processed on the server can access the connection string and passes the handle to the app.  That allows full authentication to be on the server using sessions.


Author Comment

ID: 39916051
Hey guys,
Thank you for all your answers.

I'm glad it was not as strange question as I was afraid it would be. I guess it's a concern for many, both from security and from protecting your code. Luckily I'm sure nobody wants to steal my simple code.

Some of the answers are and folders on web.config and make sure that file is outside reach. This is for a web form and not

Author Comment

ID: 39916058
Tedbilly, yes, if you are in a domain environment then I can see Windows authentication working for protecting SQL. Although it would only be for SQL and still leave encryption keys for example. I guess you could put it into the SQL server and request them from there. But then I guess you could always "listen" on the network communication from the program etc.

But I guess you are at least making it a little more difficult to and the level of technical knowledge to decompile, read code, listen to network traffic is starting to be a lot. It's beyond a "normal user" so someone in the organization would need help from someone outside etc.

Author Comment

ID: 39916063
Dennis Aries, I'm not sure if I follow. Somehow the first contact has to be made. That has to somehow identify you as someone to give a key to. If you know how to request for a key, you can just write your own program or something to send a request for the key. Or something I'm missing?

Author Comment

ID: 39916071
ElrondCT, yeah I can see this being one solution. Obfuscation and if that also encrypt strings, that would make it a lot harder.
And I guess like Tedbilly says, unmanaged code makes it even harder. And at that stage you should be talking professional hackers and not just a hobby computer guy.

Author Comment

ID: 39916077
Satsumo, OK, I see where you are going. That solves the SQL login as you just send information to a server service that can have all sort of validation before passing it on to SQL.

I guess it's a solution similar to the Windows authentication when it's outside a domain structure and outside a way to use Windows authentication.

I think writing a server service like that is a little outside my knowledge level, but at least I see where you are going with it.
LVL 12

Expert Comment

ID: 39916415
You might consider using something like Node.js to simply the process of writing the server. This really isn't my area of expertise but its something I've thought about too.

Author Closing Comment

ID: 39916543
Again, thank you for all your replies. I shared out the points to some of the suggestions.

In the end I guess it comes down to how big the need for protection is. For example a trading company that needs to comply with SSC regulations on information, or banks etc. etc. is in one far side of the scale, whilst on the other side of the scale could be some simple tools for the local sports team can be annoying if someone erases your data or mess up your systems but you'll get over it.

Professionally, domains and Windows based access can help a lot.
On smaller scale obfuscation and unmanaged code are your friends.
And depending on the situation, pushing something back to a central server could help keep something further away from end users.

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Whether you've completed a degree in computer sciences or you're a self-taught programmer, writing your first lines of code in the real world is always a challenge. Here are some of the most common pitfalls for new programmers.
Today, the web development industry is booming, and many people consider it to be their vocation. The question you may be asking yourself is – how do I become a web developer?
An introduction to basic programming syntax in Java by creating a simple program. Viewers can follow the tutorial as they create their first class in Java. Definitions and explanations about each element are given to help prepare viewers for future …

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question