On Sun, 16 Jul 2006 00:37:01 -0700, Primera
<Pr*****@discussions.microsoft.com> wrote:
>I have an application that will call some external applications during the
>course of execution. Since the application will be running on its own
>without user intervention I will have to store a username and password inside
>the code of the application to run processes etc. What is the best way to do
>this considering security? What is the best way to prevent someone from
>reverse engineering the application and getting to the password? Thanks in
>advance for any help.
You probably should not keep the password and username inside your
application, they should be in separate files. Keep them on disk, in
the registry, on a floppy (remember them?), removable USB memory stick
or on a different machine on the network so if the application is
compromised then the password is not necessarily compromised. The
floppy/USB options let you remove the password files completely and
lock them in a safe when they are not needed. Keeping them outside
the application allows the password to be changed more easily when the
external application changes its password - no need to recompile.
How secure do you want the password to be? It could be as simple as a
Caesar cypher, "password" becomes "rcuuyqtf" (shift each letter by
two). For something more secure store a random array of bytes of
sufficient length and also store password XOR random_bytes in a
different location. When you need the password just do another XOR
with the random bytes. Pick a new set of random bytes every so often,
or after so many uses, and re-encrypt the username and password files.
If you have a cryptographically secure random number generator
available then you should use that in preference to any standard PRNG.
Google "Yarrow" or "Fortuna" for two CSPRNGs.
For advice from real experts try asking on sci.crypt
rossum
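The split-storage scheme rossum describes above (a random byte array from a CSPRNG kept in one place, password XOR those bytes kept in another, and a periodic re-key), worked through as an added Python illustration. This is not code from the thread; the file names, the 0o600 permissions and the scratch directory are assumptions that stand in for the "different location" (USB stick, other host) the post suggests.

```python
"""
Split storage of a credential: masked = secret XOR key, where key comes
from a CSPRNG and the two halves are written to separate locations.
Added illustration of the scheme in the post above, not the thread's
own code. Paths and permissions below are demo assumptions.
"""
import os
import secrets
import tempfile


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """Mask `secret` with a fresh CSPRNG key of the same length.

    Returns (key, masked). Either half alone says nothing about the
    secret, which is the whole point of keeping them apart.
    """
    key = secrets.token_bytes(len(secret))  # CSPRNG, not random.random()
    masked = bytes(s ^ k for s, k in zip(secret, key))
    return key, masked


def join_secret(key: bytes, masked: bytes) -> bytes:
    """Recover the secret: (secret XOR key) XOR key == secret."""
    if len(key) != len(masked):
        raise ValueError("key and masked value must have the same length")
    return bytes(m ^ k for m, k in zip(masked, key))


def _write_private(path: str, data: bytes) -> None:
    """Write `data` owner-read/write only and replace the target atomically."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.replace(tmp, path)


def store_split(secret: bytes, key_path: str, masked_path: str) -> None:
    """Write the random-key half and the masked half to two separate paths."""
    key, masked = split_secret(secret)
    _write_private(key_path, key)
    _write_private(masked_path, masked)


def load_split(key_path: str, masked_path: str) -> bytes:
    """Read both halves back and XOR them to get the password."""
    with open(key_path, "rb") as f:
        key = f.read()
    with open(masked_path, "rb") as f:
        masked = f.read()
    return join_secret(key, masked)


def rekey(key_path: str, masked_path: str) -> None:
    """Pick a new set of random bytes and re-mask the same secret.

    This is the 'every so often, or after so many uses' step: the old
    key and old masked file are both overwritten.
    """
    secret = load_split(key_path, masked_path)
    store_split(secret, key_path, masked_path)


def round_trip_check(secret: bytes = b"hunter2") -> dict:
    """Store, load, rekey and load again in a scratch directory.

    The scratch directory is a demo assumption; in real use key.bin lives
    somewhere other than cred.bin. Returns what was observed.
    """
    with tempfile.TemporaryDirectory() as d:
        key_path = os.path.join(d, "key.bin")      # stands in for the USB stick / other host
        masked_path = os.path.join(d, "cred.bin")  # stands in for the local config file
        store_split(secret, key_path, masked_path)
        with open(key_path, "rb") as f:
            key_before = f.read()
        first = load_split(key_path, masked_path)
        rekey(key_path, masked_path)
        with open(key_path, "rb") as f:
            key_after = f.read()
        second = load_split(key_path, masked_path)
    return {"first": first, "second": second, "key_changed": key_before != key_after}


if __name__ == "__main__":
    print(round_trip_check())
```

Because the key is as long as the password and comes from `secrets`, the masked file on its own is indistinguishable from random bytes; everything rests on the key file really being somewhere the attacker who has the application cannot reach. If both files end up on the same disk next to the binary, the scheme has degraded to obfuscation, which is exactly what the post's "different location" advice is guarding against.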