473,325 Members | 2,860 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,325 software developers and data experts.

Best practice for "hiding" secrets

Hi all,

Lets say I have a "secret" I wish to "hide", lets say a database password.
For the more detailed problem, a web application/service that uses a
connection string.

all the solutions I came up with (embedding in code, encrypting-decrypting)
involve embedding the/another secret in the code. since my problem cannot
request a user intervention, I am at a stop.

what will be the best way to avoid writing secrets in code or hiding them
anywhere else (registry, external files) while avoiding user intervention to
retrieve the secret?

Thanx,

Picho

P.S. - I am taking into consideration the axume that says that anything
embedded (hard coded) in the code can be extracted by means of debugging or
reflecting etc.
Jul 21 '05 #1
10 2010
This approach is a radical shift for some shops, but do not allow any
applications to make connections into your database. (jaw drops on chest).
Instead, have your apps connect to a component that establishes a connection
and returns a DataSet, DataReader, etc. Then use Domain security to
determine who can access which data. We face this challenge every day at my
clients' sites. Some accept this change, some fight it. Just have to ask
yourself if security is important to you.
"Picho" <SP********@telhai.ac.il> wrote in message
news:uK**************@TK2MSFTNGP10.phx.gbl...
Hi all,

Lets say I have a "secret" I wish to "hide", lets say a database password.
For the more detailed problem, a web application/service that uses a
connection string.

all the solutions I came up with (embedding in code, encrypting-decrypting) involve embedding the/another secret in the code. since my problem cannot
request a user intervention, I am at a stop.

what will be the best way to avoid writing secrets in code or hiding them
anywhere else (registry, external files) while avoiding user intervention to retrieve the secret?

Thanx,

Picho

P.S. - I am taking into consideration the axume that says that anything
embedded (hard coded) in the code can be extracted by means of debugging or reflecting etc.

Jul 21 '05 #2
thank you Keith for your reply.

what you say is not a practical solution, we could easly be discussing the
way that 'component' connects to the database (the web-application is not so
different than any other component except for the channel it uses or being
in the DMZ)....

Picho

"Keith" <css@NO_SPAM_ConsultWithUs.com> wrote in message
news:OF*************@TK2MSFTNGP12.phx.gbl...
This approach is a radical shift for some shops, but do not allow any
applications to make connections into your database. (jaw drops on chest). Instead, have your apps connect to a component that establishes a connection and returns a DataSet, DataReader, etc. Then use Domain security to
determine who can access which data. We face this challenge every day at my clients' sites. Some accept this change, some fight it. Just have to ask
yourself if security is important to you.
"Picho" <SP********@telhai.ac.il> wrote in message
news:uK**************@TK2MSFTNGP10.phx.gbl...
Hi all,

Lets say I have a "secret" I wish to "hide", lets say a database password. For the more detailed problem, a web application/service that uses a
connection string.

all the solutions I came up with (embedding in code, encrypting-decrypting)
involve embedding the/another secret in the code. since my problem cannot request a user intervention, I am at a stop.

what will be the best way to avoid writing secrets in code or hiding them anywhere else (registry, external files) while avoiding user

intervention to
retrieve the secret?

Thanx,

Picho

P.S. - I am taking into consideration the axume that says that anything
embedded (hard coded) in the code can be extracted by means of debugging

or
reflecting etc.


Jul 21 '05 #3
This is what aspnet_setreg was created for.

See this article:
http://msdn.microsoft.com/library/de...itysection.asp

The idea is to store your credentials in a registry setting, in an encrypted
format. Even if someone gets your app, they don't get the registry. You
can set ACLs on the registry keys to prevent anyone outside the network from
getting the encrypted credentials. There is a utility already in existence
to allow system admins to encrypt the credentials and store them into the
correct spots, and your config files can pull the credentials without many
code changes on your part.

HTH
--- Nick
"Picho" <SP********@telhai.ac.il> wrote in message
news:uK**************@TK2MSFTNGP10.phx.gbl...
Hi all,

Lets say I have a "secret" I wish to "hide", lets say a database password.
For the more detailed problem, a web application/service that uses a
connection string.

all the solutions I came up with (embedding in code, encrypting-decrypting) involve embedding the/another secret in the code. since my problem cannot
request a user intervention, I am at a stop.

what will be the best way to avoid writing secrets in code or hiding them
anywhere else (registry, external files) while avoiding user intervention to retrieve the secret?

Thanx,

Picho

P.S. - I am taking into consideration the axume that says that anything
embedded (hard coded) in the code can be extracted by means of debugging or reflecting etc.

Jul 21 '05 #4
Understood, but that is why you have obfuscators and MD5, etc. It's a lot
safer in if you get the goodies out of an ASP file.

We also use the method Nick suggests with mixed results. If you go this
route, make sure you use accounts that do not expire automatically. If this
is not an option then be sure to change these passwords before they expire
(reminder in Exchange)
"Picho" <SP********@telhai.ac.il> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
thank you Keith for your reply.

what you say is not a practical solution, we could easly be discussing the
way that 'component' connects to the database (the web-application is not so different than any other component except for the channel it uses or being
in the DMZ)....

Picho

"Keith" <css@NO_SPAM_ConsultWithUs.com> wrote in message
news:OF*************@TK2MSFTNGP12.phx.gbl...
This approach is a radical shift for some shops, but do not allow any
applications to make connections into your database. (jaw drops on chest).
Instead, have your apps connect to a component that establishes a

connection
and returns a DataSet, DataReader, etc. Then use Domain security to
determine who can access which data. We face this challenge every day at my
clients' sites. Some accept this change, some fight it. Just have to ask yourself if security is important to you.
"Picho" <SP********@telhai.ac.il> wrote in message
news:uK**************@TK2MSFTNGP10.phx.gbl...
Hi all,

Lets say I have a "secret" I wish to "hide", lets say a database password. For the more detailed problem, a web application/service that uses a
connection string.

all the solutions I came up with (embedding in code,

encrypting-decrypting)
involve embedding the/another secret in the code. since my problem cannot request a user intervention, I am at a stop.

what will be the best way to avoid writing secrets in code or hiding them anywhere else (registry, external files) while avoiding user

intervention
to
retrieve the secret?

Thanx,

Picho

P.S. - I am taking into consideration the axume that says that anything embedded (hard coded) in the code can be extracted by means of

debugging or
reflecting etc.



Jul 21 '05 #5
This is not an uncommon approach at all and there are several reasons why
this is a good way to go.

First, the UI could be running on a public machine and the component could
be running on a secure machine (which sits behind a firewall). This
prevents the component from the vulnerabilities of a public machine.

Second, by having your data access layer in its own component, no other part
of the application knows anything about where the data comes from or how to
obtain it. This is beneficial in case that code were to get hacked.

-Scott
"Picho" <SP********@telhai.ac.il> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
thank you Keith for your reply.

what you say is not a practical solution, we could easly be discussing the
way that 'component' connects to the database (the web-application is not so different than any other component except for the channel it uses or being
in the DMZ)....

Picho

"Keith" <css@NO_SPAM_ConsultWithUs.com> wrote in message
news:OF*************@TK2MSFTNGP12.phx.gbl...
This approach is a radical shift for some shops, but do not allow any
applications to make connections into your database. (jaw drops on chest).
Instead, have your apps connect to a component that establishes a

connection
and returns a DataSet, DataReader, etc. Then use Domain security to
determine who can access which data. We face this challenge every day at my
clients' sites. Some accept this change, some fight it. Just have to ask yourself if security is important to you.
"Picho" <SP********@telhai.ac.il> wrote in message
news:uK**************@TK2MSFTNGP10.phx.gbl...
Hi all,

Lets say I have a "secret" I wish to "hide", lets say a database password. For the more detailed problem, a web application/service that uses a
connection string.

all the solutions I came up with (embedding in code,

encrypting-decrypting)
involve embedding the/another secret in the code. since my problem cannot request a user intervention, I am at a stop.

what will be the best way to avoid writing secrets in code or hiding them anywhere else (registry, external files) while avoiding user

intervention
to
retrieve the secret?

Thanx,

Picho

P.S. - I am taking into consideration the axume that says that anything embedded (hard coded) in the code can be extracted by means of

debugging or
reflecting etc.



Jul 21 '05 #6
Agree with Nick. If you want to further customize aspnet_setreg for your own
configuration settings, you have a sample here:

http://weblogs.asp.net/hernandl/arch...InConfigs.aspx
--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl
This posting is provided "AS IS" with no warranties, and confers no rights.

"Nick Malik" <ni*******@hotmail.nospam.com> wrote in message
news:JtMRc.274437$Oq2.260080@attbi_s52...
This is what aspnet_setreg was created for.

See this article:
http://msdn.microsoft.com/library/de...itysection.asp
The idea is to store your credentials in a registry setting, in an encrypted format. Even if someone gets your app, they don't get the registry. You
can set ACLs on the registry keys to prevent anyone outside the network from getting the encrypted credentials. There is a utility already in existence to allow system admins to encrypt the credentials and store them into the
correct spots, and your config files can pull the credentials without many
code changes on your part.

HTH
--- Nick
"Picho" <SP********@telhai.ac.il> wrote in message
news:uK**************@TK2MSFTNGP10.phx.gbl...
Hi all,

Lets say I have a "secret" I wish to "hide", lets say a database password. For the more detailed problem, a web application/service that uses a
connection string.

all the solutions I came up with (embedding in code, encrypting-decrypting)
involve embedding the/another secret in the code. since my problem cannot request a user intervention, I am at a stop.

what will be the best way to avoid writing secrets in code or hiding them anywhere else (registry, external files) while avoiding user

intervention to
retrieve the secret?

Thanx,

Picho

P.S. - I am taking into consideration the axume that says that anything
embedded (hard coded) in the code can be extracted by means of debugging

or
reflecting etc.


Jul 21 '05 #7
"Picho" <SP********@telhai.ac.il> wrote
Lets say I have a "secret" I wish to "hide", lets say a database password.
For the more detailed problem, a web application/service that uses a
connection string.

all the solutions I came up with (embedding in code, encrypting-decrypting) involve embedding the/another secret in the code. since my problem cannot
request a user intervention, I am at a stop.


The DPAPI stuff is pretty good for a wide variety of problems along this
line. It doesn't cover all the possible cases, but certainly many of 'em.

The ASP.NET Security guide has an excellent overview of DPAPI.
--
Chris Mullins
Jul 21 '05 #8
thank you guys for the lead, it is very helpful.

just to see if i get it right:
we use a tool (aspnet_setreg) that uses an API func (CryptProtectedData) to
encrypt the un/pwd.

2 questions:

1. assuming that this encryption is role-based and in our case the ASPNET
user account, only the same user can decrypt the information?
2. if 1 is true, do we know of a way to impersonate as ASPNET in order to
decrypt this inforamtion? i am basicly asking how safe is this method.

thank you again

Picho
"Hernan de Lahitte" <he****@lagash.com> wrote in message
news:uX**************@TK2MSFTNGP12.phx.gbl...
Agree with Nick. If you want to further customize aspnet_setreg for your own configuration settings, you have a sample here:

http://weblogs.asp.net/hernandl/arch...InConfigs.aspx

--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl
This posting is provided "AS IS" with no warranties, and confers no rights.
"Nick Malik" <ni*******@hotmail.nospam.com> wrote in message
news:JtMRc.274437$Oq2.260080@attbi_s52...
This is what aspnet_setreg was created for.

See this article:

http://msdn.microsoft.com/library/de...itysection.asp

The idea is to store your credentials in a registry setting, in an

encrypted
format. Even if someone gets your app, they don't get the registry. You
can set ACLs on the registry keys to prevent anyone outside the network

from
getting the encrypted credentials. There is a utility already in

existence
to allow system admins to encrypt the credentials and store them into the correct spots, and your config files can pull the credentials without many code changes on your part.

HTH
--- Nick
"Picho" <SP********@telhai.ac.il> wrote in message
news:uK**************@TK2MSFTNGP10.phx.gbl...
Hi all,

Lets say I have a "secret" I wish to "hide", lets say a database password. For the more detailed problem, a web application/service that uses a
connection string.

all the solutions I came up with (embedding in code,

encrypting-decrypting)
involve embedding the/another secret in the code. since my problem cannot request a user intervention, I am at a stop.

what will be the best way to avoid writing secrets in code or hiding them anywhere else (registry, external files) while avoiding user

intervention
to
retrieve the secret?

Thanx,

Picho

P.S. - I am taking into consideration the axume that says that anything embedded (hard coded) in the code can be extracted by means of

debugging or
reflecting etc.



Jul 21 '05 #9
Answers:
1. assuming that this encryption is role-based and in our case the ASPNET
user account, only the same user can decrypt the information? 1) This tool (aspnet_setreg) uses the DPAPI "LocalMachine" mode so the key
material will be bind to that particular machine (not the user account of
the process)

2) Not apply because of 1).

Note: aspnet_setreg does not use the "additional" entropy value that DAPI
accepts when working on LM mode so anyone with control of your machine (and
of course access to the registry key, that's why you should set a strong ACL
to this key) will be able to decrypt the data.

--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl
This posting is provided "AS IS" with no warranties, and confers no rights.

"Picho" <SP********@telhai.ac.il> wrote in message
news:uG**************@TK2MSFTNGP09.phx.gbl... thank you guys for the lead, it is very helpful.

just to see if i get it right:
we use a tool (aspnet_setreg) that uses an API func (CryptProtectedData) to encrypt the un/pwd.

2 questions:

1. assuming that this encryption is role-based and in our case the ASPNET
user account, only the same user can decrypt the information?
2. if 1 is true, do we know of a way to impersonate as ASPNET in order to
decrypt this inforamtion? i am basicly asking how safe is this method.

thank you again

Picho
"Hernan de Lahitte" <he****@lagash.com> wrote in message
news:uX**************@TK2MSFTNGP12.phx.gbl...
Agree with Nick. If you want to further customize aspnet_setreg for your

own
configuration settings, you have a sample here:

http://weblogs.asp.net/hernandl/arch...InConfigs.aspx


--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl
This posting is provided "AS IS" with no warranties, and confers no

rights.

"Nick Malik" <ni*******@hotmail.nospam.com> wrote in message
news:JtMRc.274437$Oq2.260080@attbi_s52...
This is what aspnet_setreg was created for.

See this article:

http://msdn.microsoft.com/library/de...itysection.asp

The idea is to store your credentials in a registry setting, in an

encrypted
format. Even if someone gets your app, they don't get the registry. You can set ACLs on the registry keys to prevent anyone outside the
network
from
getting the encrypted credentials. There is a utility already in

existence
to allow system admins to encrypt the credentials and store them into

the correct spots, and your config files can pull the credentials without many code changes on your part.

HTH
--- Nick
"Picho" <SP********@telhai.ac.il> wrote in message
news:uK**************@TK2MSFTNGP10.phx.gbl...
> Hi all,
>
> Lets say I have a "secret" I wish to "hide", lets say a database

password.
> For the more detailed problem, a web application/service that uses a
> connection string.
>
> all the solutions I came up with (embedding in code,
encrypting-decrypting)
> involve embedding the/another secret in the code. since my problem

cannot
> request a user intervention, I am at a stop.
>
> what will be the best way to avoid writing secrets in code or hiding

them
> anywhere else (registry, external files) while avoiding user

intervention
to
> retrieve the secret?
>
> Thanx,
>
> Picho
>
> P.S. - I am taking into consideration the axume that says that anything > embedded (hard coded) in the code can be extracted by means of debugging or
> reflecting etc.
>
>



Jul 21 '05 #10
Answers:
1. assuming that this encryption is role-based and in our case the ASPNET
user account, only the same user can decrypt the information? 1) This tool (aspnet_setreg) uses the DPAPI "LocalMachine" mode so the key
material will be bind to that particular machine (not the user account of
the process)

2) Not apply because of 1).

Note: aspnet_setreg does not use the "additional" entropy value that DAPI
accepts when working on LM mode so anyone with control of your machine (and
of course access to the registry key, that's why you should set a strong ACL
to this key) will be able to decrypt the data.

--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl
This posting is provided "AS IS" with no warranties, and confers no rights.

"Picho" <SP********@telhai.ac.il> wrote in message
news:uG**************@TK2MSFTNGP09.phx.gbl... thank you guys for the lead, it is very helpful.

just to see if i get it right:
we use a tool (aspnet_setreg) that uses an API func (CryptProtectedData) to encrypt the un/pwd.

2 questions:

1. assuming that this encryption is role-based and in our case the ASPNET
user account, only the same user can decrypt the information?
2. if 1 is true, do we know of a way to impersonate as ASPNET in order to
decrypt this inforamtion? i am basicly asking how safe is this method.

thank you again

Picho
"Hernan de Lahitte" <he****@lagash.com> wrote in message
news:uX**************@TK2MSFTNGP12.phx.gbl...
Agree with Nick. If you want to further customize aspnet_setreg for your

own
configuration settings, you have a sample here:

http://weblogs.asp.net/hernandl/arch...InConfigs.aspx


--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl
This posting is provided "AS IS" with no warranties, and confers no

rights.

"Nick Malik" <ni*******@hotmail.nospam.com> wrote in message
news:JtMRc.274437$Oq2.260080@attbi_s52...
This is what aspnet_setreg was created for.

See this article:

http://msdn.microsoft.com/library/de...itysection.asp

The idea is to store your credentials in a registry setting, in an

encrypted
format. Even if someone gets your app, they don't get the registry. You can set ACLs on the registry keys to prevent anyone outside the
network
from
getting the encrypted credentials. There is a utility already in

existence
to allow system admins to encrypt the credentials and store them into

the correct spots, and your config files can pull the credentials without many code changes on your part.

HTH
--- Nick
"Picho" <SP********@telhai.ac.il> wrote in message
news:uK**************@TK2MSFTNGP10.phx.gbl...
> Hi all,
>
> Lets say I have a "secret" I wish to "hide", lets say a database

password.
> For the more detailed problem, a web application/service that uses a
> connection string.
>
> all the solutions I came up with (embedding in code,
encrypting-decrypting)
> involve embedding the/another secret in the code. since my problem

cannot
> request a user intervention, I am at a stop.
>
> what will be the best way to avoid writing secrets in code or hiding

them
> anywhere else (registry, external files) while avoiding user

intervention
to
> retrieve the secret?
>
> Thanx,
>
> Picho
>
> P.S. - I am taking into consideration the axume that says that anything > embedded (hard coded) in the code can be extracted by means of debugging or
> reflecting etc.
>
>



Jul 21 '05 #11

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

5
by: Amir S. | last post by:
Hi, I'm a newbie to C++ (2 weeks into the course). We were given this assignment to write some code that reads a set of integers (grades) from a file (filename passed by console), outputs them...
10
by: Jacob | last post by:
Is there a way to make a property of an inherited class invisible to the programmer? I know that using the keyword "new" allows you to create another property in the place of the existing one, but...
9
by: Picho | last post by:
Hi all, Lets say I have a "secret" I wish to "hide", lets say a database password. For the more detailed problem, a web application/service that uses a connection string. all the solutions I...
10
by: FX | last post by:
I wanna publish a script on my site which allows me to hide image source. i have rough idea abt it. i`ll point src to some php page like: <img src="image.php"> & in tht php wat exactly shud be...
3
by: Nicolas Castagne | last post by:
Hi all, I have been wondering for a while why function hiding (in a derived class) exists in C++, e.g. why when writing class Base { void foo( int ) {} }; class Derived: public Base { void...
5
by: Nick Gilbert | last post by:
Hi, I'm using the asp:Wizard control and on some of the steps, I would only like the user to be able to progess to the next step by clicking an image button. Therefore I would like to be able to...
11
by: sofeng | last post by:
I'm not sure if "data hiding" is the correct term, but I'm trying to emulate this object-oriented technique. I know C++ probably provides much more than my example, but I'd just like some feedback...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.