Is there any way, using C#, to monitor a specific file then change its contents before it is read by specific applications?
Here is the situation:
I have a Windows 2003 Server running ASP.NET with a configuration file (xml) which contains LDAP information. I want to have the LDAP password encrypted. I'm trying to devise a way to monitor that file, and whenever it is read, decrypt the LDAP password and pass that to whatever is reading it. Is there any way to tell which program is doing the read? I aldready have the encrypt/decrypt working but it is built into the ASP.NET installation; I would like to make it external. The encrypt/decrypt is RSA using key's from the key store.
If you want the encrypt/decrypt external to your main application, what about creating a separate .dll or webservice that does that. Then your call in your ASP.NET application is to your webserice or .dll.
Something like (Warining: Not Compiled- you'll need to clean this up)
WebServiceInstance instance = new WebServiceInstance();
string password = instance.PerformGetPassword();
Then, your ASP.NET service is unaware of the encrypted password at all. Additionally, if you have other applications which need to access the same file, they can call the same webservice.
I think this would be much better accomplished by using NTFS permissions on the file. Grant access only to certain users/groups, and ensure that any process requiring access to the secured data is running under the security context of a user that has the correct ACL permissions.
Related
Ok, I'm asking a rather generic question to a specific problem. I have searched this in more ways than I can count, and nothing seems to work. Let me explain my need and then I'll mention a few of the best solutions I've found and why they don't work in my case.
I have an application that a user launches and uses to set up various configuration values that are saved into an app.config file. This is a WPF application. Specifically, some of this data are HIGHLY sensitive.
This data needs to encrypted and subsequently decrypted by a Windows Service that will be launched by the application once the configuration step is finished. The general solution given for this scenario is to use DPAPI, which has two modes for encryption: User and Local Machine.
If you use User-level encryption, your application will encrypt and decrypt data as much as it desires, as long as the current user that initially encrypts the data is doing the decryption. My problem is that when the service is started, it also restarts on reboots and will specifically be running under a different user account.
The next approach, using DPAPI, is to encrypt the data as the Local Machine. This means that when ANYONE logs into the machine can decrypt the sensitive data. This is a BIG no-no!
What I need is to have a way for a user to specify the data he wants to encrypt and then specify an account (in this case, what will be the service account) and use it for data encryption.
I can't find how to do this. This MSDN article alludes that can be done. (See section 'Web Farm Scenarios'.) The TL;DR on that article is that for ASP.Net applications, you can use the RsaProtectedConfigurationProvider to encrypt your data, and export the keys to be used with a specific web account. This is close to what I want, but in my case I need to create the data in a WPF application and store it to be used in a Windows Server Service.
How can this be done?
You can accomplish something similar to this using something as mundane as EFS, but unlike raw DPAPI, a recovery key might bypass the protection. In either case, a local admin could replace your program with his own and it would have full access to the decrypted data.
As for setting this up, the easiest way to do that would be to interactively log on with the service account and either create the protected data using System.Security.Cryptography.ProtectedData or create a file in a directory marked with the "encrypt" attribute.
Use the account name as the salt for your encryption, decyption should use the logged in account name as the salt to decrypt.
i have a suggestion , you can create User group add required users into that group. And encrypt and decrypt data only if user is part of that group using second method.
I have a desktop application where I need to connect to a MySQL database and send some emails using the SMTP protocol and to perform this, I need the database password and SMTP login somewhere and the application be able to read it at runtime. But how does the real world's .NET applications protect that information? What kind of protection do they use? I was considering to encrypt my own settings file, such as an encrypted XML file which gets decrypted at runtime. But even so, I must have the key to decrypt it somwehere in the source cod.
The short answer is you can't. Every string you write in your appconfig file or constant in your code should be considered like a public information. This is particularly true for .Net application.
For database, the best ways to go is using Integrated Security to delegate this task to Windows, using a public user who have only the right your application need, or using a Web Service (maybe with WCF) to prevent direct exposition of your database.
You could also let each users configure theses connection string on the first startup, then encrypt and store them in his settings with something like Windows Data Protection and the ProtectedData Class or rely on traditional network protection strategy.
We are creating an application with WPF that will be used by our clients to do calculations.
We need certain data in order to be able to do the calculations. This data should not be accessible by the clients. This data can be stored in an XML file.
We also want to be able to control who uses the application. We planed to do this via a license file that specifies how Long the application may be used.
We wanted to encrypt the file with the data and with the license file so that the users cannot open them.
My problem is that I need to store the encryption key somewhere.
When I hard code this key into the application it can be discovered via decompilation.
Is it possible to save the encryption somewhere without the user being able to access this? Where could I save this key?
Do some libraries exist to achive this?
Check Rihino licencing project.
If all data is on the client and nothing is validated from a server, there is always a way to hack your client application. You should instead make a service that does the calculations and the wpf application is just a thin client that access the server and within each request the client license is provided and validated if the client still has access to the service.
You can use obfuscation to protect your code from being reverse engineered. Check this link from MSDN.
You can still store the key on a distant server / on a website.
Or you can move your whole method server-side using Litecode, here is an open source project written by 'debug-hf' which will help you figuring out how to do so.
I am looking for simple file encryption method for .NET 2.0 similar to File.Encrypt but that will allow access to all the users that have administrative privileges on the system.
I would like not to use any symmetric/asymmetric encryption because of key management hassle that comes with it.
Is there any Windows OS API that can encrypt file and have transparent access for administrative users?
Please provide code example or link to example if it's .NET method.
What you are asking for is well suited to be handled by an ACL.
On windows, this means you just put the unencrypted file in a folder where only administrative users (or users of a specific role) have access to, by setting appropriate owner and read/write permissions.
Encryption always requires a key, somewhere, somehow.
EDIT: you can set access permissions programmatically after saving the file. Any file read (even File.ReadAllLines() and the like) will simply fail if the application was started by a user without the necessary roles.
I have a C# application that comes with an app.config file. The application is built on a build server and deployed to multiple users.
I'd like to encrypt the app.config, but I'm not sure about when to do so: If I do it straight after the build, won't the encryption depend on the build server credentials? How can the application decrypt on other machines? If I do the encryption on the users machine, won't this leave time when the app.config is unprotected?
Thanks
Edit:
I was considering using DPAPI. It uses the user's credentials to encrypt and decrypt. This is why I think I might have a problem delivering an encrypted file to the users.
I just read the addition to your post, and I don't think you actually need encryption at all...
You say that you intended to use a system that would encrypt/decrypt based on the user's credentials. That means two things:
You don't encrypt during build; you can't use this sort of system during build, for the reasons yoy noted.
You seem to be OK with the users having access to the data. In that case, you should not be using configuration at all, but you should be prompting them for login info (perhaps saving it securely afterward to reuse) or just using their Windows/domain logins.
Either way, you don't need to encrypt the file to protect it... you simply need to store the login info, or other config info, as user settings, rather than configuration, which is readable to all users.