1

I am using the following code in C# to download a file from my website:

```csharp
WebClient webClient = new WebClient();
webClient.Credentials = new System.Net.NetworkCredential("username", "password");
webClient.DownloadFile("http://example.com/file.txt", "file.txt");
```

The file is only downloaded when certain criteria are met, so I don't want the users to be able to access the files on my site.

My concern is that if a curious user decompiles the code, he will find the password and be able to access all the files on my site.

I've read that a secure way to save the password is to store its hash, but I don't know how to implement it in this example.

What options do I have to keep my password secure and make it impossible for a user to find it?

Kritz
  • Do a web search on "How to Encrypt / Decrypt Password with Salt Value"; there are tons of examples online. – MethodMan Aug 27 '12 at 17:10
  • 4
    A hash will not help you in this case: you can't get from that hash to the clear-text version you need. – Hans Kesting Aug 27 '12 at 17:10
  • You should create credentials that ONLY provide access to the quasi-public resource and therefore don't need to be secured. One less thing to worry about. Or just don't secure it in the first place. – Jamie Treworgy Aug 27 '12 at 17:11
  • 2
    @DJKRAZE and then put the salt and the decryption code in something you hand to the user? – Jon Hanna Aug 27 '12 at 17:17

4 Answers

5

A sobering reality: You can't protect information contained in your program like this.

A must-do: Choose a username/password that is only for accessing the special files this single program needs - not your "access my whole website" username and password.

But just know that all you are doing is adding a little bit of an obstacle, here; anyone who wants to can examine your program and find the username and password.

The only 'correct' way to do this is to do it based on the user's own credentials; their username and password within your own system, for example. Then you would need to give them access based on that information, and your program would need to prompt them for it.

Andrew Barber
2

You simply don't. Users give you passwords to do stuff, not the other way around.

If the user has to prove "certain conditions", then pass proof of those certain conditions to the server, and let it decide whether to allow the download or not.

Jon Hanna
  • +1 for letting the service decide. That's the only secure way. – Anders Abel Aug 27 '12 at 17:17
  • So if I use a PHP server, I can post data from the program to the server and if it meets certain requirements, the server can respond with the file? My server programming skills are a bit limited, where would I start with something like that? – Kritz Aug 27 '12 at 17:22
  • New SO question. "I need to check for conditions X, Y, Z in a client and use it to authorise something on a server. I'm using PHP on the server and C# on the client". The answer will depend on what X, Y and Z are. – Jon Hanna Aug 27 '12 at 17:28
1

There is no way to prevent that. If your program is able to access the file under condition X, the user is able to trick the program into condition X and get the file no matter what. You can make it harder, but you can't make it impossible.

Todd Li
0

If the data are in the program itself, you can consider them as already being exposed to users. If the credentials are on the user's computer, regardless of how many measures you take to combat this, there is always a possibility to find a way around it.

What you can do is implement a login form for your program and provide the users with login info. Then, when the user enters the login info, do a check on the server side to see if the credentials exist (usually by checking in a database), and if they match, send them the file.

But as always, there is the issue with users just sharing the login info with other people and so on.

denied66
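The server-side check the answers describe, as an added example that is not code from the question or from any answer: each user has their own password, the server stores only a salted PBKDF2 hash of it (this is where the hash mentioned in the question belongs), and the server alone decides whether the download condition is met. All type and member names are hypothetical, the accounts are constructed sample data, and the code assumes .NET 6 or later with the client sending the user's own credentials over HTTPS.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical server-side user record: salt and derived hash only, never the password.
public sealed record UserRecord(byte[] Salt, byte[] Hash, bool MayDownload);

public static class DownloadGate
{
    // Assumed parameters; tune the iteration count for your server.
    const int Iterations = 600_000, SaltLen = 16, HashLen = 32;

    // Placeholder record so unknown user names cost the same work as known ones.
    static readonly UserRecord Dummy = new(new byte[SaltLen], new byte[HashLen], false);

    static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashLen);

    // Enrollment: generate a random salt and keep only the derived hash.
    public static UserRecord Enroll(string password, bool mayDownload)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltLen);
        return new UserRecord(salt, Derive(password, salt), mayDownload);
    }

    // The server decides: the password must verify AND the server-side condition must hold.
    public static bool Authorize(IReadOnlyDictionary<string, UserRecord> users,
                                 string user, string password)
    {
        bool known = users.TryGetValue(user, out var rec);
        rec ??= Dummy;
        // Constant-time comparison of the recomputed hash with the stored one.
        bool passwordOk = CryptographicOperations.FixedTimeEquals(
            Derive(password, rec.Salt), rec.Hash);
        return known && passwordOk && rec.MayDownload;
    }

    public static void Main()
    {
        // Constructed sample accounts standing in for the server's database.
        var users = new Dictionary<string, UserRecord>
        {
            ["alice"] = Enroll("correct horse battery staple", mayDownload: true),
            ["bob"] = Enroll("another long passphrase", mayDownload: false),
        };
        Console.WriteLine(Authorize(users, "alice", "correct horse battery staple"));
        Console.WriteLine(Authorize(users, "alice", "wrong password"));
        Console.WriteLine(Authorize(users, "bob", "another long passphrase"));
        Console.WriteLine(Authorize(users, "mallory", "anything"));
    }
}
```

Only the first call is authorized; nothing in the client binary needs to hold a secret, because the file is served only after `Authorize` succeeds on the server.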