Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I'm working on a windows desktop application (WPF) written in C# that download some files from a server at each startup. These files play a huge role in making the application work.
I would like to protect the content of these files with some form of encryption such as AES. These files should remain encrypted even when they are read by the application. So I am looking for a way to decrypt the files on the fly when they are being accessed by the application. In other words, only the application could understand the files but if users open them with other programs, they will be encrypted still.
It would be great if you could share some ideas or articles about the implementations. Thanks!
Edit 1:
The application make use of CefSharp to browse the HTML/JS/CSS files that are downloaded from the server at each startup.
Edit 2: I'm trying to implement something like TrueCrypt.
Edit 3: I would like to how to do what TrueCrypt can do. It encrypts the files and the encrypted files can be opened by any program normally because it decrypts them on the fly whenever the file are opened. I need this because I want to protect the HTML/JS/CSS files loaded by my application's embedded browser (CefSharp).
You need to realize that you cannot prevent users from accessing your unprotected files on an open platform like the PC. That is what DRM tries to achieve for decades now, however this goal is unachievable by definition.
The only thing you can do is to make it harder / more cumbersome to access the unprotected files, however in the end, if someone decides to put enough effort into circumventing your protection, she or he will always succeed.
For instance, you may obfuscate your source files (by dedicated obfuscators or simply by minimizing them), you can use some non-standard file encoding (reverse of base64) or you may use some kind of encryption method. Because you need to ship your key as well, any encryption method will do, no matter how secure or insecure it is.
Finally, as others have already mentioned, the crypto primitives are located in the System.Security.Cryptography namespace. Note however that for security sensitive systems I would not recommend to use them directly, because there are many nuances and getting it right is actually quite hard. You should have a look at libraries like SecurityDriven.Inferno, which wrap the crypto primitives with secure defaults.
You should use the System.Security.Cryptography Namespace of the .NET-Framework.
Here and here you'll find two examples you can use.
Note: First, you have to read the content of the file AS BYTES[] using a FileStream or System.IO.File.ReadAllBytes. And you have to implement your KEY - which means it is hardcoded in your application and can be found using a decompiler!
So, it is almost impossible to prevent the user from reading the data.
As Thomas said, using System.Security.Cryptography is the best way to encrypt data. However you'll need to include the cryptography keys in the client application and it is very easy for anyone with access to this application to extract the keys.
You're probably better off not wasting your time encrypting the files.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I have a number of projects developed in WinForms. Despite looking around on SO and other areas I've not really found a satisfactory answer.
The projects make use of the app.config and are deployed to multiple users using ClickOnce. Each physical install on a users machine will have both the deployed application as well as the app.config. The app.config holds credentials for a restricted account for a database.
Is it possible to encrypt data such as credentials for a Db connection in WinForms that is deployed to the masses? Some users work on laptops offsite, so a network connection wont always be available. I'm just trying to find out what the best practices are for securing a WinForms application might be in this scenario.
Of course you can save the credentials as an encrypted string in your app.config. SO provides some good examples on how to use the System.Security.Cryptography.Rijndael symetric algorithm.
This of course requires the same key to encrypt and decrypt the data. That key will be stored in the source code, and .NET sourcecode is not really save, everyone with the ability to use google and use a program with more than one button will be able to find it in the decompiled code and thus, it's only slightly more safe than just having the password not encrypted.
Most important is, that the credentials your app uses to access the database are only allowed to do what the app needs, so not like using SQL Management Studio to oben the DB and being able to reconfigure everything (Saw that once at a customer).
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I have a question about changing an variable of an application from another application.
For example: If in 1.exe I have defined string a="a", how will I be able to change a="a" to a="b" by using another application?
Do I have to get the memory address of string and then change it's content to b? Or Is there any another easier way?
You can set up a shared resource for the two applications and read the values from there. It could, be a database, cache or even a simple text file.
Refresh the variables from the shared resource when appropriate.
Given the scenario you have mentioned (i.e. you do not control the code for the 1st application).. The general idea of opening the target process with admin privileges, finding the memory location you want to update, and then updating it applies..
However, be warned that it will generally not be that simple. For example,
It can be extremely hard to predict, how many copies, of the variable are maintained by the applications logic, and where?
Without disassembling the code (no way a trivial task.. none of this is), scanning for the value and guessing the memory location is the only option which comes to mind. But it has the risk of making wrong guesses, and corrupting the entire process.
PS - There are freely available software, which attempt to do exactly what I've described above.. I'd advise that you try to examine how they work (scenarios they support), to get better idea of what you are trying to accomplish.
PPS - Also be careful what you download.. Applications like these, if downloaded from un-reliable sites, can be damaging / security risk.
I think the easiest way is communication with network sockets in localhost via UDP or TCP. It gives you a good event mechanism so you can easily handle your data without checking the new data changes frequently, also will be doesn't matter how amount of application communicating each other in same time. Other solutions like shared memory etc. will be hard to control especially when you running three and more apps.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 2 years ago.
Improve this question
I have a couple of machines in the house which each have varying amounts of disk space, and i would like to make these accessible via an S3 compatible API. I have found many tools that will convert S3 into an SMB file share or into a Windows/Linux/OSX drive, but nothing that does it the other way around.
Are there any examples of implementing an S3 compatible API that uses a disk or file share as a backing store? I am not too worried about redundancy (have already looked at OpenStack, but for my needs it seems over kill). I'm a .NET Dev, so C# code would be preferable, but even code in another language to see how to implement a compatible API may help.
[Clarification: I know lots of people are looking at moving their storage out of house and use S3 as one of the main storage systems, but some of our clients need the data stored in house due to legal reasons or speed issues. Implementing something that would use the same API for either S3 or an In-house system, backed by a SAN, would be handy.]
I found the following Java based project, s3proxy, which proxies S3 requests to a few different providers, file system included. I have not fully tried it out yet, but its a start to where i want to go, meaning i dont have to manage my own API and keys for storage...
I understand the reasons for you doing this but I urge caution.
Rather than using the S3 as an interface to storage in your application, I'd suggest that create an abstract API that will act as the interface to storage. In this way you can create any adaptor underneath that will connect to any sorge API you like - local disk/remote disk/db/S3/Azure etc etc.
This I believe is a better architectural pattern than the one you're proposing. The Beauty is many fold. The first is that you get your 'I don't care where storage is' code. The second is that you've freed yourself from the constraint OF S3 as you can add any feature you like on top of S3 without your code being affected. Another benefit is that you can probably find good pre written code for all the different stores you want to work with.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
If you are copying many folders with files inside it can be usually better to just create a ZIP/RAR with the folder and files, copy it to network path and unzip it. This usually works much faster than copy paste
Is there a way to do this programatically and embed it into windows so that It can try to detect which way is faster and use that one (normal way or "compress on the fly") to improve speed
"compression on the fly" is a waste unless there is something on the other end that can perform the decompress OR if the compressed state is acceptable. That said:
Yes, you can write an app that zips/rars files.
Yes, you can have that app copy the zip/rar to a network directory.
Yes, you can have an app on the other end wait for the file and unzip it locally...
Can you have it detect "which way is faster"?? Although possible it is unlikely to be of benefit for anything other than large files... at which point you should always zip/rar and transfer...which would make the entire exercise rather pointless. Of course, you should probably evaluate the data that is likely to be transferred using your app to see if it is even a candidate for compression. Video, for example, might not be...
More to the point here, each end would have to have an application that is aware of each other (or at least the protocols involved). One app (we'll call it the client) would zip and post the file to another app (we'll call that one the server). When the server receives the file it would unzip it and store it on the file system.
update
I thought of another situation for zipping: transferring LOTs of little files at one time. Normal network file copy routines go much faster for a single large file vs lots of little files. So, if they are selecting a few hundred files to go at once you might be better off always zipping. Which, incidentally, doesn't change the requirement of having something on the other side able to decompress it.
Have you tried using robocopy ? It's built-in on Windows, robust, multi-threaded and features a lot of options, including mirroring and retries in case of failure. I use it with all copy to network locations. Give it a try.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
First of all, I understand that almost all applications can be cracked (especially written in C#). My question here is to make it a little bit harder to crack.
Suppose that the user has saved the License file under the Application.StartupPath, where all users can read.
And then, every time when the application starts, it will check if it can find and verify the license file.
If the application can find and verify, we let the user to continue with full functionalities.
If not, we prompt a MessageBox showing "Unlicensed, continue to use with trial version, functionalities limited."
My question is, if I'm a hacker/cracker, I would try to get around or bypass the licensing check instead of cracking the license file, because, if we use RSA signature, it's very difficult to crack a license file.
So where should we put the license check?
P.S.: and also, is it safe if I put a global variable IsLicensed (true / false) to limit the functionalities? Is it easy for a hacker to change IsLicensed = true?
The #1 law of software licensing: You don't control your software once you allow it to be installed on a computer you don't control.
If you want to keep control over your code, you need to make it a web service and give the end user just a thin client that interfaces to that web service.
In many scenarios, this is unacceptable, because users want to be able to use their software even when they don't have an internet connection.
In almost all cases, you should focus on making the user experience better, and all forms of copy protection make it worse instead. Once you get to the point where the experience of downloading from a warez site and running it through several virus scans is better than doing the license setup for the legit version, you've lost.
You can obfuscate the code (make it harder to decompile/use the reflector on it), but with enough energy and knowledge, it will get broken, after that it's quite easy to change the bytecode of the assembly, thus circumventing the license check. Also, you could invest the money to make it possible for you to sign your assemblies, which would make it harder to change the assembly itself, but with enough energy (more than just breaking the obfuscation) this can also be circumvented.
Your goal shouldn't be to make the license process unbreakable, but to make your software itself worth to buy. This is a much better protection. Crackers (and only them, hackers are something completely different, see this article for more) won't be hindered by that, but with the software being worth it, much more people would buy it.
I think that check should be done in several different places in the source code; it is much harder to catch all of them than only one. Also, if wants to protect program written in C# (or any other .NET language), one should consider to use some obfuscator. In counterpart a cracker or even lamer will be able to crack a program using some software like .NET Reflector
As mentioned previously, one can simply use .NET reflector to get the entire source code of your software (in fact, it can even get it in VB.NET or other languages even if you're written it in C#!). You must obfuscate your assembly if you hope to have even a chance at slowing a cracker's progress.
What is to stop people from directly copying licenses? If you have a license which is signed, it will then just be signed in two places -- what have you put in place to stop this? Never mind whether a global variable would further weaken your protection without taking into account trivial "cracks."
There really is no good answer to this as Ben Voigt pointed out. If you need something that is uncopyable, make it a closed-source web application. Astalavista will show you that most things have been cracked. Adobe products which cost thousands of dollars have been cracked and I'm sure their employees are quite well versed in copy protection techniques.