I'm querying a domain controller by LDAP by means of the DirectoryEntry class, and I need to store the username and password for this query on the machine that's running the application. Storing these in strings is not feasible as that's a big security risk.
I've decided to use DPAPI; however, I'm a bit new to the encryption/decryption of data in C#. When decrypted, this data will have to be temporarily stored in string variables and then used as arguments to the DirectoryEntry constructor, at least according to my understanding. Do correct me if I'm wrong.
Won't this username and password be vulnerable to attack once decrypted for use with the methods for making the LDAP query? Specifically, the creation of a new DirectoryEntry object.
I could try to circumvent this by having the application request the user to input the username and password each time a query is to be made; however, they'll still have to be stored in strings for use with the DirectoryEntry constructor.
How can I re-use a username and password in combination with the DirectoryEntry constructor without this data being vulnerable to attack and visible in memory?
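One way to do this with DPAPI, as an added example that is not part of the question or of any answer in this thread: ProtectedData keeps the credentials encrypted on disk, the plaintext is decoded only for the lifetime of the DirectoryEntry, and the byte buffers are cleared afterwards. The file path, entropy value and LDAP path are placeholders, and it assumes the application runs under the same Windows account that protected the file (DataProtectionScope.CurrentUser).

```csharp
// Added example (not from the question): protect LDAP credentials with DPAPI,
// unprotect only while the DirectoryEntry is in use, and scrub the byte buffers.
using System;
using System.DirectoryServices;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class LdapCredentialStore
{
    // Optional entropy: a per-application value, not a second password (placeholder).
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    // One-time setup: run once (e.g. from an install step) to create the protected file.
    public static void Save(string path, string username, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(username + "\n" + password);
        try
        {
            byte[] protectedBytes = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            File.WriteAllBytes(path, protectedBytes);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // scrub the plaintext bytes
        }
    }

    // Unprotect, bind, hand the entry to the caller's work, then scrub.
    public static T UseEntry<T>(string path, string ldapPath, Func<DirectoryEntry, T> work)
    {
        byte[] plain = ProtectedData.Unprotect(File.ReadAllBytes(path), Entropy, DataProtectionScope.CurrentUser);
        try
        {
            string[] parts = Encoding.UTF8.GetString(plain).Split(new[] { '\n' }, 2);
            // Secure + Sealing: Kerberos/NTLM bind with encryption, so the password
            // is not sent in clear text over the LDAP connection.
            using (var entry = new DirectoryEntry(ldapPath, parts[0], parts[1],
                       AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
            {
                return work(entry);
            }
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
        }
    }
}

// Usage (placeholder path and LDAP path):
// string name = LdapCredentialStore.UseEntry(@"C:\ProgramData\app\ldap.bin",
//     "LDAP://dc.example.local", e => (string)e.Properties["name"].Value);
```

The username and password still exist as immutable managed strings, both in `parts` and inside the DirectoryEntry, until the garbage collector reclaims them; DPAPI protects the credentials at rest and narrows the window, it does not remove plaintext from process memory entirely.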