Usage Value cloaking

  • Thread starter Thread starter Michael Jackson
  • Start date Start date
M

Michael Jackson

We are developing an app in .NET 2003 1.1. Our clients pay according the the
number of items processed. We need to store a usage counter in the App or
SQLServer, but do not want the end user to be able to change this value (and
preferably not view it in raw form, only thru our "usage view" class/form).
This usage counter needs to be encrypted or cloaked, remembering that it is
constantly updated during processing.

Any ideas?
 
Michael Jackson said:
We are developing an app in .NET 2003 1.1. Our clients pay according the
the number of items processed. We need to store a usage counter in the App
or SQLServer, but do not want the end user to be able to change this value
(and preferably not view it in raw form, only thru our "usage view"
class/form). This usage counter needs to be encrypted or cloaked,
remembering that it is constantly updated during processing.

Any ideas?
Click to expand...

It depends on how likely it is that they'll find it and change it. If
they're not technically competent then putting it in a system table with an
obfuscated name (e.g. SysRowVal) should do. If you need a little more
security, then put it into a table that only your program has permissions to
access.

If that's still not enough, store it encrypted using DPAPI or CryptoAPI.
Even more secure, store it encrypted, and store a hash value of it somewhere
else. But they'd probably have to be pretty damn technical to require that.
If you need any more hardcore, I suggest you look for products that will
assist. Also, have a look at Keith Browns blog
http://www.pluralsight.com/blogs/keith/default.aspx, and his eBook
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook.HomePage.

Needless to say, the more secure it is, the more it's going to impact your
performance, especially if you're changing the value every time a row is
inserted.
 
Not sure what you mean, but wouldn't your app have some sort of transaction
table? If so, just count the records. But make sure that deleting transaction
records would not be something they'd want to do (like removing spark plugs
from your car's engine isn't something you want to do).
 
Back
Top