0

I've been looking at this all morning and I'm getting to the point where I cannot see the wood for the trees, so I'm looking to the community for suggestions and clear thought.

I'm writing an application which will read data from a password protected Zip file supplied by a third party. This format will not change (so suggestions to do so cannot be entertained) and neither will the password.

As the password on this Zip will always be the same, my problem is where and how to store this password securely. I don't want to store it as a string in the code for obvious reasons. And as I need the actual password, storing the hash of it isn't a route (I don't think).

I might be overthinking this and there is a simple option, but like I say I've lost my trees in the wood :)

EDIT: To give more background to the constraints of this issue:

  • The data I have to read is in the form of encrypted zip files, the password for which is static (e.g. remains the same on all files)

  • Many files might come through in a single day and at non-regular intervals

  • The user of the application does not know and is not allowed to know the password of the zip file (typing it in isn't an option)

  • The application has to run as a Windows Service and process these
    files automatically as they are provided and without any user
    intervention.

  • These files and the way they are delivered and formatted is by a 3rd party and I have no control to change these parameters

These are the constraints I've been given for the project and I need to provide a solution to it. I already know storing as a string in the code is WRONG. Repeating this as your reply is not an answer!

Thank you to the community for your help :)

  • Does this answer your question? [Store data securely in memory (password based encryption)](https://stackoverflow.com/questions/58092320/store-data-securely-in-memory-password-based-encryption) –  Jun 19 '20 at 07:27
  • The important part that is missing here is who or what you're trying to secure that password **from**. In other words, who or what have access to this computer but should not have access to the password? For instance, does the user of the application have access to the password? If they have, I would suggest they simply input it once and you use something like DPAPI to store it securely on their computer. – Lasse V. Karlsen Jun 19 '20 at 11:27
  • Thanks for your input. To answer your question as to "from" then the application isn't for the wider world (eg not something anyone can download and use). It's for use by a limited selection of our user base. Most users wouldn't even know or care or suspect if I did just casually store the password in code. But there are 1 or 2 users with an "interest" in software development and would take great pleasure in using basic knowledge to point out that they had read the password. – Calid Xavier Jun 22 '20 at 06:53

3 Answers

1

Nowhere. THERE IS NO WAY TO STORE A PASSWORD IN A SAFE WAY AND STILL USE IT. And yes, this is all caps. You can try to mitigate the damage, but at the end if your app can decode whatever you use to store the password, then so can a hacker.

CODE is a bad place - not for security, but because it is REALLY unchangeable. But otherwise - no way. Simple. People tried hiding things since computers were invented. Never worked.

TomTom
  • You might have missed the point where I said "I don't want to store it as a string in the code for obvious reasons". If you did, you might have saved all those caps for another day. – Calid Xavier Jun 22 '20 at 06:17
  • Even encrypted it is as bad as it gets, unless it is a "stupid" password, in which case you can well store it clear text. – TomTom Jun 22 '20 at 06:26
  • Which is fair enough TomTom, I get this isn't the best practice. But I've been given constraints to stick to (updated the OP) and I know this isn't great, if I didn't know I'd have ploughed ahead without a single thought or asking. But I'm here, and I'm asking. I know what I want to do but I'm tied. If you had been given this as a project with these constraints, what would your solution be? Thanks for your help :) – Calid Xavier Jun 22 '20 at 06:47
  • Since the best you can manage is to obscure it, I would just do that. Build a method to encrypt / decrypt based on a key that's in your source code. Put the "encrypted" value in config. At least you'll have a method to update the config if you need to change it. While not leaking the key in a trivial way. – Jeremy Lakeman Jun 22 '20 at 07:11
0

I would suggest here one thing.

You cannot store the password directly in your application.

You can always make it a combination of something like date of birth + first 4 characters of first name + some other information

Vivek Nuna
0

It's possible to encrypt sections in the configuration file. The tool only works with web.config files, so if you have another type of application simply rename the app.config to web.config before running the command and change back to app.config afterwards.

Using machine store essentially restricts access to administrators on the machine, and using user store restricts access to only the account that performed the encryption command.

To encrypt with machine store:

To encrypt:

```
aspnet_regiis.exe -pef "sectionName" "C:\Path\To\Application" -prov "DataProtectionConfigurationProvider"
```

To decrypt:

```
aspnet_regiis.exe -pdf "sectionName" "C:\Path\To\Application"
```

To encrypt with user store

Add this section to the config file:

```xml
<configProtectedData>
    <providers>
        <add useMachineProtection="false"
             keyEntropy=""
             name="CustomDataProtectionConfigurationProvider"
             type="System.Configuration.DpapiProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
        />
    </providers>
</configProtectedData>
```

To encrypt:

```
aspnet_regiis.exe -pef "sectionName" "C:\Path\To\Application" -prov "CustomDataProtectionConfigurationProvider"
```

To decrypt:

```
aspnet_regiis.exe -pdf "sectionName" "C:\Path\To\Application"
```

Note for user store

Since only the user running the command can access/decrypt the data, the application will need a dedicated service account, and to run commands as that user, `runas /profile /user:theusername cmd` can be used to start a command prompt as another user.

Nebour
  • The problem with this is that both approaches are useless if a hacker takes over the machine and can i.e. replace the code under a website - he has access to the user store. – TomTom Jun 19 '20 at 12:39
  • @TomTom But then we're just back to the original answer, "you can't do it securely". At some point one has to accept the risk of the method used. Since it's going to be used to decrypt encrypted archive files, if the hacker can take control of the machine, and you found a 100% secure way of storing the password, a simple breakpoint inside the unarchiving software and you're back to square one. – Lasse V. Karlsen Jun 22 '20 at 06:39
  • And if he can take control of the machine, all bets are off anyway. You lost at that point, no matter what you've done to secure things. – Lasse V. Karlsen Jun 22 '20 at 06:39
  • Actually no. There are mechanisms where control of the machine does NOT allow one to steal the password - this is where a TPM comes in handy. Keys go in, it can decrypt, but keys NEVER come out. Requires TPM-aware software, though. – TomTom Jun 22 '20 at 07:30
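
The DPAPI user-store approach from the last answer and from Lasse V. Karlsen's comment on the question, called directly from application code. This is an added example, not code from any poster on this page; the class name, file path and entropy string are hypothetical, and it assumes .NET on Windows with `System.Security.Cryptography.ProtectedData` available and the service running under a dedicated account.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class ZipSecretStore   // hypothetical name
{
    // Hypothetical path inside the service account's own profile.
    static readonly string BlobPath = Path.Combine(Environment.GetFolderPath(
        Environment.SpecialFolder.LocalApplicationData), "ZipImporter", "zip-password.bin");
    // Optional entropy ties the blob to this application; it is not itself a secret.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ZipImporter/v1");

    // Run once, logged on as the service account (e.g. via runas /profile).
    public static void Provision(string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            Directory.CreateDirectory(Path.GetDirectoryName(BlobPath));
            File.WriteAllBytes(BlobPath, blob);
        }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    // Called by the service when an archive arrives.
    public static string Load()
    {
        byte[] plain = null;
        try
        {
            plain = ProtectedData.Unprotect(File.ReadAllBytes(BlobPath), Entropy,
                                            DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(plain);
        }
        catch (CryptographicException ex)
        {   // Typical cause: a different account from the one that provisioned the blob.
            throw new InvalidOperationException("Zip password blob is not readable by this account.", ex);
        }
        finally { if (plain != null) Array.Clear(plain, 0, plain.Length); }
    }

    static void Main(string[] args)
    {
        if (args.Length == 1 && args[0] == "provision") Provision(Console.ReadLine());
        else Console.WriteLine("Loaded a password of {0} characters.", Load().Length);
    }
}
```

Any code running as the service account can call `Unprotect` on the same blob, which is the limit the comments above discuss.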