How to securely store a password on a PC

  • Thread starter Thread starter Sebastian Daser
  • Start date Start date
S

Sebastian Daser

Hi All,

I would like to write an application consisting of two components: The first
one should be a GUI that allows a user to encrypt and store a file on a PC
(using a provided password or the users Windows password or a security
token), the second component should be a service (running on the same PC)
that is able to decrypt the file using the previously provided password, the
users password or security token).

My problem: How can I store the provided password securely on the PC (for
use by the service) in a way that other users (even administrators) are not
able to acquire it, even if they try to reverse engineer or disassemble the
application?

Is there a way for an application running on the user's account to acquire
the users password or some sort of a security token which cannot be acquired
by other users (even administrators)?

Which .NET framework assemblies may be used to accomplish the tasks?

Any help would be most appreciated!

Thanks and best regards
Sebastian Daser
Softfount IT Solutions
 
use integrated windows authenitcation. users with an account on the
machine, and with appropriate rights will be able to use the
application.
 
You simply CANNOT. The short reason is that an admin can always DEBUG your
service and can find the point when the password is retrieved / used within
the service's code. Same goes for trying to protect against anybody having
full physical access to the computer. Eventually - since ALL information
needed for run your service, and, hence, ALL information needed to get to the
password - an attacker could find the password and decrypt the data.

On the other hand, if you just want to protect it from other users, you can
simply use access control (ACLs) - either on the data file or on the password
file.

That doesn't mean you cannot make it harder to an attacker to find it. You
can use code obfuscation, password obfuscation, etc. But that just increases
the work factor and ultimately does NOT provide protection.

Laszlo Elteto
SafeNet, Inc.
 
Back
Top