
Protecting Password

I am developing an application which will allow users (students) to run
applications on PC's with elevated rights. This is necessary for some
applications which require Administrator rights on the PC.

I now need to store the local administrator username and password
somewhere where my application can read this from.

I am looking for comments on

1. Recommended place to store this data
2. How to encrypt the username and password
3. Given that C# can be easily decompiled and read, the encryption could
be obtained, so what protection could be given, if any? No, I don't want to
use a third party app that encodes the C# exe or dll.

Looking forward to comments.

Regards
Jeff
May 16 '07 #1
On Tue, 15 May 2007 13:15:19 -0700, Jeff Williams
<je*******************@hardsoft.com.au> wrote:
>I am developing an application which will allow users (students) to run
>applications on PC's with elevated rights. This is necessary for some
>applications which require Administrator rights on the PC.
I've got to say, this sounds like a really bad idea to me, especially if
you think you cannot trust the students with the actual username and
password. If you provide any mechanism for the student to elevate his
privileges, you open the computer to attack. The student himself may find
a way to hijack the privilege elevation, or it could just be that the
process itself allows for privilege elevation by some malware or something.

There should be *no* application that isn't specifically involved with
administrating the computer that requires Administrator rights. For the
badly written software out there that does insist on doing things that
only Administrators are allowed to do, there are other ways around that.
In XP, this generally involves changing permissions for specific system
resources, but my understanding is that in Vista the OS can virtualize
areas of the computer to allow an application without administrator rights
to still work, without actually making system-wide changes (the changes
wind up just local to the user running the application).

That said, I'll attempt to offer what little I do know (while continuing
to discourage you from doing what you want to do :) )...
>I now need to store the local administrator username and password
>somewhere where my application can read this from.
>
>I am looking for comments on
>
>1. Recommended place to store this data
You're talking about encrypting the data, so it seems to me you ought to
be able to store it wherever you like. In the user's user.config file,
for example.
>2. How to encrypt the username and password
If I recall, there's a whole crypto namespace in .NET you could use for
something like that, including being able to keep strings encrypted in
memory to make it harder to capture the data.
>3. Given that C# can be easily decompiled and read, the encryption could
>be obtained, so what protection could be given, if any? No, I don't want to
>use a third party app that encodes the C# exe or dll.
Well, IMHO one important thing to keep in mind is that if the user has
software capable of decrypting and using the data, and that software will
run within that user's privileges, then there will always be *some* way
for that user to get at the data. Now, perhaps you can make it so hard
for the user to do so that it's just not worth it to them, but you can't
prevent it altogether. #1 rule for computer security: anything you hand
over to the user is no longer secure, no matter what you do to it.

It's possible that you could set up some sort of service that deals only
in encrypted data, and which somehow uses encrypted data to provide the
necessary user token needed to elevate your privileges. But if you have
that, then I suspect it would be vulnerable to a man-in-the-middle attack
whereby your user emulates the system you've set up to obtain such a token
directly.

I'm no security expert, and there may be some approach that Vista and/or
built-in components for .NET provides that would allow you to save
privilege-elevation data in a way that allows the user to take advantage
of it, but only with applications you've approved. But even if you
accomplish that, you've still opened a security hole. IMHO, it's just
better to avoid the whole problem in the first place. Don't run software
that requires admin rights when it's not actually administrating the
computer, and/or address the issue through careful manipulation of the
security permissions for system resources rather than just granting blanket
admin privileges to the user (even if you think you can accomplish it in
what appears to be a limited way).

Pete
May 16 '07 #2
On Wed, 16 May 2007 06:15:19 +1000, Jeff Williams
<je*******************@hardsoft.com.au> wrote:
>I am developing an application which will allow users (students) to run
>applications on PC's with elevated rights. This is necessary for some
>applications which require Administrator rights on the PC.
Others have talked about the dangers of this.
>
>I now need to store the local administrator username and password
>somewhere where my application can read this from.
>
>I am looking for comments on
>
>1. Recommended place to store this data
How often does the data change? You can either store it, encrypted,
in the application code if it does not change much and you are
prepared to recompile as needed. If it changes more often then keep
it on disk or equivalent.

How secure do you want it? Is this critical enough to store on a USB
Stick in a locked safe?
>2. How to encrypt the username and password
Again how secure do you want it? How much cryptographic expertise do
you expect the students to have? How motivated will they be to break
the encryption? For example, does the password allow them access to
exam questions before the exam? C# includes AES (=Rijndael) which is
very secure or System.Security.SecureString, which encrypts its
contents. For a much simpler and much easier to break encryption just
use XOR. Whatever encryption you use there is still the problem of
where you store the decryption key.
>3. Given that C# can be easily decompiled and read, the encryption could
>be obtained, so what protection could be given, if any? No, I don't want to
>use a third party app that encodes the C# exe or dll.
You must avoid having the password (or the key to decrypt the
password) in clear text in your source.

A simple example using XOR encryption:

using System;
using System.Text;

class XorDemo {
    static string ReadCodedPassword() {
        // Should be read from disk.
        return "elephant";
    }

    static byte[] ReadDecryptionKey() {
        // Should be read from disk.
        byte[] key = {0x16, 0x1D, 0x10, 0x19, 0x1A, 0x13, 0x0B, 0x18};
        return key;
    }

    static string DecryptPassword(string cyphertext) {
        byte[] key = ReadDecryptionKey();
        StringBuilder sb = new StringBuilder(cyphertext);
        // XOR each character with the matching key byte; the key must be
        // at least as long as the coded text or key[i] goes out of range.
        for (int i = 0; i < sb.Length; ++i) {
            sb[i] = (char)(key[i] ^ sb[i]);
        }
        return sb.ToString();
    }

    static void Main() {
        string codedPassword = ReadCodedPassword();
        Console.WriteLine("The secret password is: {0}",
            DecryptPassword(codedPassword));
    }
}

No, the secret password is not "elephant". You will have to run it to
see.

rossum
>
>Looking forward to comments.
>
>Regards
>Jeff
May 16 '07 #3
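As an added example that is not part of the thread, the following shows the Windows data-protection API in .NET (ProtectedData, which is the built-in component Pete's reply alludes to) applied to rossum's "where do you store the decryption key" problem: the key is derived by Windows from the user's or machine's credentials rather than sitting on disk next to the ciphertext. The entropy string and the sample secret are constructed placeholders. It does not escape the thread's central objection: any code running as the same user can call Unprotect on a CurrentUser blob, so this protects the file from other accounts, not from the student the application runs as.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

class DpapiDemo
{
    // Extra entropy mixed into the DPAPI key. Constructed placeholder; note that
    // it lives in the binary, so it hides nothing from whoever has the binary.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("constructed-example-entropy");

    // Encrypt a secret so that only this Windows user (CurrentUser) or any
    // account on this machine (LocalMachine) can decrypt it.
    static byte[] Protect(string secret, DataProtectionScope scope)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        try
        {
            return ProtectedData.Protect(plain, Entropy, scope);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // do not leave plaintext in memory
        }
    }

    // Decrypt a blob produced by Protect with the same scope and entropy.
    // Succeeds for any process running as the user who protected it, which
    // is exactly why it cannot keep the secret from the application's own user.
    static string Unprotect(byte[] blob, DataProtectionScope scope)
    {
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, scope);
        try
        {
            return Encoding.UTF8.GetString(plain);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
        }
    }

    static void Main()
    {
        // Constructed sample value; never a real administrator password.
        byte[] blob = Protect("example-only", DataProtectionScope.CurrentUser);
        Console.WriteLine("Blob to store on disk: {0}", Convert.ToBase64String(blob));
        Console.WriteLine("Recovered by same user: {0}",
            Unprotect(blob, DataProtectionScope.CurrentUser));
    }
}
```

Windows only: on .NET Framework reference System.Security.dll, on modern .NET add the System.Security.Cryptography.ProtectedData package.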
