Solved

.net protecting application secrets

Posted on 2014-03-08
Last Modified: 2014-03-09
Hi Experts,
I have a maybe simple or maybe strange question.
I'm just looking for how is this normally dealt with, what is the practice?

For a Windows form application to access a SQL server (or other things), it will need that login information available somewhere, somewhere the user will also have access to. At the same time you might not want everyone in your organization to have direct SQL access to your database. So you'll need to protect this type of information, even from the users.

At the same time I understand it's relatively easy to decompile any .net program and get back to something very close to the source code. So even things written in your code are not really "safe".

Connection strings I assume you would often want to put into a separate file so it's easy to change without having to re-compile and distribute your program. You can encrypt that in the file so it can't easily be read by anyone. But you need to keep the key to decrypt it again somewhere. I'm guessing this would normally be kept in the code itself and not saved externally in plain text. (You can't encrypt the key used to decrypt the same key.)

So if anyone can decompile your .net code, read through the code and find the key (and salt value etc.), they also know how to decrypt the connection string.
Then how do you protect that "application secret"?

I can think of a few ways to try to deal with it.
-Tools to obscure your code (code obfuscation, I guess, is the correct term) would make it more difficult to find the key, I guess?
-In terms of SQL login you move the security to the SQL server and limit the application user - can't log in with Management Studio, can only run stored procedures etc.
-If other languages are harder to decompile or disassemble, maybe create a .dll in, for example, C that handles the decryption?

So how do you normally protect information like encryption keys etc.?

Ronny
0
Comment
Question by:VikingOnline
14 Comments
 
LVL 18

Expert Comment

by:Dennis Aries
ID: 39915139
A system we use is to hand out a random key on each initial contact that will be used for further data exchange. Therefore the first contact is virtually unencrypted, but as a result no key is stored either in code or on the client side.
0
 
LVL 27

Expert Comment

by:MacroShadow
ID: 39915149
Your question is neither simple nor strange.

Almost every developer wants their application hacker-safe; the sad part is, it's no more than wishful thinking, especially for a .net application.

This may further enlighten you. http://stackoverflow.com/a/651375
0
 
LVL 51

Accepted Solution

by:
Ted Bouskill earned 84 total points
ID: 39915305
The only safe way to do this in an organization is to use Windows Integrated Authentication and ensure the application has the least privileges available to access stored procedures.  That way access is tied to their Windows domain account.

I work in computer security for a game company (I'm an ethical hacker) and used to work for a company that managed securities (shares) where insider theft of information was a serious issue.

ODBC passwords are always sent in the clear.  So, no matter what you do to encrypt the password on disk or in memory using whitebox cryptography, a malicious user can get it using Fiddler, Wireshark or a proxy.  SSL encrypts traffic to prevent 3rd parties from sniffing it; it won't protect against a malicious client.

If there is code you want to protect you have to use unmanaged code (C++) and a solution from a 3rd party like Arxan or Denuvo (formerly part of Sony DADC) to add code obfuscation that is extremely difficult to decompile.  We've protected a triple A game for 45 days from the best hackers in the world, however eventually it can be defeated.
0
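The accepted answer's approach (Windows Integrated Authentication plus a least-privilege database user that can only execute stored procedures) set up on the SQL Server side, as an added example that is not from the thread. The domain group CORP\SalesAppUsers, the database SalesDb, the table dbo.Orders and the procedures dbo.usp_GetOrder / dbo.usp_InsertOrder are assumed names; the syntax is SQL Server 2008-compatible.

```sql
-- Added example (not from the thread). Names CORP\SalesAppUsers, SalesDb,
-- dbo.Orders, dbo.usp_GetOrder and dbo.usp_InsertOrder are assumptions.
--
-- The client connection string then carries no secret at all:
--   Data Source=sqlhost;Initial Catalog=SalesDb;Integrated Security=SSPI
-- so there is nothing to hide in code or config, and access follows the
-- user's domain account (disable the account and access is gone).

-- 1. Server-level login for the Windows group; no password exists anywhere.
USE master;
CREATE LOGIN [CORP\SalesAppUsers] FROM WINDOWS WITH DEFAULT_DATABASE = SalesDb;
GO

-- 2. Database user mapped to that login. Deliberately NOT a member of
--    db_datareader / db_datawriter, and never db_owner.
USE SalesDb;
CREATE USER [CORP\SalesAppUsers] FOR LOGIN [CORP\SalesAppUsers];

-- 3. A role that may only EXECUTE the procedures the application needs.
--    sp_addrolemember is used because it works on SQL Server 2008 as well.
CREATE ROLE app_executor AUTHORIZATION dbo;
EXEC sp_addrolemember 'app_executor', 'CORP\SalesAppUsers';
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrder    TO app_executor;
GRANT EXECUTE ON OBJECT::dbo.usp_InsertOrder TO app_executor;

-- 4. Explicitly deny direct table access. A user who opens Management Studio
--    under the same account can still only run the granted procedures; ad-hoc
--    SELECT/UPDATE against the tables is refused. The procedures themselves
--    keep working because dbo owns both the procedures and the tables, so
--    ownership chaining skips the permission check on the underlying tables.
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_executor;
GO

-- 5. Verification, run from a session logged in as a member of the group:
--    the first query lists EXECUTE, the second lists nothing usable.
SELECT permission_name FROM fn_my_permissions('dbo.usp_GetOrder', 'OBJECT');
SELECT permission_name FROM fn_my_permissions('dbo.Orders', 'OBJECT');
GO
```

The DENY does not stop a procedure from doing what it was written to do, so the procedures themselves still need to validate their parameters; the point is that the Windows user can reach the data only through them.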
 
LVL 26

Expert Comment

by:Alan Warren
ID: 39915742
Hi VikingOnline,
Re:
At the same time I understand it's relatively easy to de-compile any .net program and get back to something very close to the source code. So even things written in your code is not really "safe".
I didn't know that, I always assumed that if you define a named connection string in the site web.config that would be secure.
  <connectionStrings>
    <remove name="cnAspNet" />
    <add name="cnAspNet" connectionString="Data Source=tcp:sql2k805.somereputablehost.net;Initial Catalog=SQL2008R2_aspnet;Connect Timeout=15; pooling='true'; Max Pool Size=200;Persist Security Info=True;User ID=aspnet_user;Password=secret" providerName="System.Data.SqlClient" />
  </connectionStrings>


Then if you reference the connection string by name when initiating a transaction the detail of the connection string would be transparent.
' Create Instance of Connection and Command Object
Using myConnection As New System.Data.SqlClient.SqlConnection(ConfigurationManager.ConnectionStrings("cnAspNet").ConnectionString)
  Using myCommand As New System.Data.SqlClient.SqlCommand("Rica_BookUpload_Ins", myConnection)

    ' Mark the Command as a SPROC
    myCommand.CommandType = System.Data.CommandType.StoredProcedure

    ' Add Parameters to SPROC
    ...

    ' Populate parameter, @ID int = null output
    Dim prmID As New System.Data.SqlClient.SqlParameter("@ID", System.Data.SqlDbType.Int)
    prmID.Direction = System.Data.ParameterDirection.InputOutput
    prmID.Value = intID
    myCommand.Parameters.Add(prmID)

    Try
      ' Open the connection
      myConnection.Open()

      ' Execute the stored procedure
      myCommand.ExecuteNonQuery()

    Catch SQLexc As System.Data.SqlClient.SqlException
      ' Surface the SQL error to the user instead of swallowing it
      Me.lblErrorMessage.Text = SQLexc.Message
      Me.lblErrorMessage.Visible = True
    End Try

  End Using
End Using


Respectfully yours,
Alan ";0)
0
 
LVL 20

Assisted Solution

by:ElrondCT
ElrondCT earned 83 total points
ID: 39915757
The better code obfuscation applications offer string encryption, so that there's no way to read the string by looking at the decompiled version of your source code. CodeFort actually offers it in its free version; Dotfuscator, Skater, and others that I know of include string encryption only in their paid versions. So with any of those, you can keep your encryption key itself encrypted.
0
 
LVL 12

Assisted Solution

by:satsumo
satsumo earned 83 total points
ID: 39915860
Some very good answers here. My idea would be to keep all the security on the server side of this problem. You are trying to control access to a database on a network, so don't let people access the database directly. Have your program access a server program which regulates information to the database according to where the connection comes from. The database doesn't need to be accessible through the network. Perhaps use IP addresses, usernames or MAC addresses to identify logins.
0
 
LVL 53

Expert Comment

by:COBOLdinosaur
ID: 39915910
Server access is done at the web root level.  Simply put the connection string above the root. Then only a privileged process on the server can access the connection string and pass the handle to the app.  That allows full authentication to be on the server using sessions.

Cd&
0
 

Author Comment

by:VikingOnline
ID: 39916051
Hey guys,
Thank you for all your answers.

I'm glad it was not as strange a question as I was afraid it would be. I guess it's a concern for many, both from security and from protecting your code. Luckily I'm sure nobody wants to steal my simple code.

Some of the answers are about asp.net and folders on web.config and making sure that file is out of reach. This is for a web form and not asp.net.
0
 

Author Comment

by:VikingOnline
ID: 39916058
Tedbilly, yes, if you are in a domain environment then I can see Windows authentication working for protecting SQL. Although it would only be for SQL and would still leave encryption keys, for example. I guess you could put them into the SQL server and request them from there. But then I guess you could always "listen" on the network communication from the program etc.

But I guess you are at least making it a little more difficult, and the level of technical knowledge needed to decompile, read code and listen to network traffic is starting to be a lot. It's beyond a "normal user", so someone in the organization would need help from someone outside etc.
0
 

Author Comment

by:VikingOnline
ID: 39916063
Dennis Aries, I'm not sure if I follow. Somehow the first contact has to be made. That has to somehow identify you as someone to give a key to. If you know how to request a key, you can just write your own program or something to send a request for the key. Or is there something I'm missing?
0
 

Author Comment

by:VikingOnline
ID: 39916071
ElrondCT, yeah, I can see this being one solution. Obfuscation, and if that also encrypts strings, that would make it a lot harder.
And I guess, like Tedbilly says, unmanaged code makes it even harder. And at that stage you should be talking professional hackers and not just a hobby computer guy.
0
 

Author Comment

by:VikingOnline
ID: 39916077
Satsumo, OK, I see where you are going. That solves the SQL login, as you just send information to a server service that can have all sorts of validation before passing it on to SQL.

I guess it's a solution similar to the Windows authentication when it's outside a domain structure and outside a way to use Windows authentication.

I think writing a server service like that is a little outside my knowledge level, but at least I see where you are going with it.
0
 
LVL 12

Expert Comment

by:satsumo
ID: 39916415
You might consider using something like Node.js to simplify the process of writing the server. This really isn't my area of expertise, but it's something I've thought about too.
0
 

Author Closing Comment

by:VikingOnline
ID: 39916543
Again, thank you for all your replies. I shared out the points to some of the suggestions.

In the end I guess it comes down to how big the need for protection is. For example, a trading company that needs to comply with SSC regulations on information, or banks etc., is on one far side of the scale, whilst on the other side of the scale could be some simple tools for the local sports team, where it can be annoying if someone erases your data or messes up your systems, but you'll get over it.

Professionally, domains and Windows based access can help a lot.
On smaller scale obfuscation and unmanaged code are your friends.
And depending on the situation, pushing something back to a central server could help keep something further away from end users.
0
