Hi i have Outlook plugin that send request to my WCF Service. I faced with some issues regarding public folders. So the one way to resolve it to save user Account and Password inside plugin configuration (saved in system registry key). What is the safe way to save it and send it to server?
You can use CryptProtectData and store the data in file or registry. The data can be decrypted using CryptUnprotectData. The data is encrypted in such a way that only the user with the same credentials can decrypt the data, i.e. it cannot be decrypted from another computer or when running in a secury context of a diffent Windows user.
Microsoft itself uses these functions to store credentials for the POP3/IMAP4/SMTP accounts in Outlook.
Related
Is there a way to securely store and retrieve an API key in windows?
For instance, is there a windows service/api that can be used by a (c#) desktop app to store and retrieve a key?
If the key has to be placed on a client machine, it can be read out. Which language you use or what kind of storage doesn't matter. At the end you'll have to send that API key to your server to authenticate yourself and at this point someone can use a proxy like Fiddler to inspect the data and record that API key.
To accomplish this issue you need a (web) interface for your customers, where they can log-in and manage their API keys, so they can request new or revoke old keys. Also your desktop tool needs in that case some input mask, where the user can enter that key (and you store it in registry or file system).
By using this approach each customer can use its own key and if it is compromised you (or the customer) have only to revoke this single key without affecting the other customers.
Sorry to answer my own question, but it appears Windows Credential Manager and the underlying Data Protection API is designed for this very purpose. It's the same vault used by Windows to store it's various passwords.
And it has a nice c# API.. https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection
Answered more fully here.. PasswordVault security when used from Desktop app
I'm working on a android application that writes, in some parts, in a FileZilla server. In my code, I provide the login and password for the FileZilla so that the client could send some pictures and videos to it.
The client later on needs to read the FTP content (Display it), but for that purpose, he needs to enter the login and password, which I can't provide him otherwise he could write whatever he wants in my server.
Is there any way to require a login and password for writing in the FTP server, but not in the reading ??
You can setup two accounts on the server. One with read-only access, and one with write access. Provide the client with password to read-only account. Or you can allow even anonymous read-only access to the server.
EDIT: Also, be aware that it would not be a problem for a hacker to retrieve the hard-coded password from your Android application binary. Make sure you restrict the area, where the account can write to, ideally to a single folder only. You should also set disk quota for the account, so that the hacker cannot fill your server's disk. And you should definitelly monitor the writable folder for an unusual activity.
I work as a student web developer for my computer science department and I've been asked to look into a modification of our password reset procedure for linux accounts. Currently users will log in with their university credentials (via Active Directory) and after being authenticated they get a temporary password through email which they are forced to change as soon as they log in. This way eben if the temporary password it intercepted there is a very short time span in which it could even be used.
Now the idea has been posed that instead of using a temporary password that we might allow the user to pick a new permanent password and set it directly through the web utility. It is my understanding that https is more of "the best we have" than "a great way to secure information". Are there any other avenues I can explore for securing the new password so that we can feel comfortable implementing such a system?
Basically, if you communicate with a server over HTTPS and the private key of the server isn't exposed to someone else, you can be sure that anything you transfer (e.g. the new password) can only be decrypted by the server. Additionally the server certificate assures, that the server you are communicating with, really is the server you want to communicate with.
So, using HTTPS provides authentication and prevents eavesdropping.
If you are working with Active Directory, it is my understanding that the Password Modify Extended Operation (which requires the existing password) is not supported. Therefore, the password must be changed with the LDAP modify request. One solution would be to use the UnboundID LDAP SDK with a web application to execute the LDAP modify with the new password. The modify request should be transmitted over a secure connection, or a non-secure connection promoted to a secure connection using the StartTLS extended operation.
see also
AD password change
Using ldapmodify - this article is about the command line utility ldapmodify but the concepts are useful.
I am developing an app (in windows phone 7) that manages basic data: customer data (or contacts) and orders
I want to protect the credentials to access to the database. I want to do the following:
xxx.dll
I have put the credentials in the dll (obfuscated)
zzz.dll
In other DLL (obfuscated too) I do this:
when you install the application: I read the credentials in xxx.dll and stored them in an encrypted file (using DPAPI)
In this DLL (zzz.dll) I have a function to return decrypted credentials (using DPAPI). This func is called in the app
Every free app in the marketplace can be downloaded (eg http://mktwp7.codeplex.com/) and reverse engineered (eg http://www.ilspy.net/). If you want to store your credentials somewhere in the code, it cannot be secure (if someone invests enough time). You will always have only security through obscurity (see http://en.wikipedia.org/wiki/Security_through_obscurity). I recommend using a proxy (web) service without credentials in your app. This service stores the credentials and connects to your database. This way the credentials are secure.
I want to encrypt passwords using the DPAPI like this
ProtectedData.Protect(plain, optionalEntropy, DataProtectionScope.CurrentUser);
and wonder if the domain administrator could decrypt the generated blob, as
Using Passwords Effectively states:
However, in a domain environment a
domain administrator can safely change
your password, and you'll still have
access to your encrypted files.
It seems like the domain administrator would have to decrypt the data (or rather, the encrypted master keys) first, in order to be able to re-encrypt it using a different password.
The answer is yes, provided he also has acces to the entropy key(if one is created), or if he is willing and capable enough to hack into the blobs (see links below).
For the Master key in DPAPI (in CurrentUser mode), the windows login username and password are used to generate the master key.
If the administrator updates the user's domain password, DPAPI wil reencode the master key for that user. The same goes if the user updates his password due to eg. a monthly password change policy.
However, if he doesn't have access to the optional entropy key or the data that composes that key, the file will remain encrypted and all he will get is invalid data.
If DPAPI is used in CurrentMachine mode, the file can only be decrypted on the computer that encrypted it, however the file will be readable to all accounts on that computer, again provided they can also muster the content of the entropy key.
A good repository for information is DPAPI Secrets and this paper on reverse-enginerring DPAPI + link to a tool that can recover data from DPAPI blobs
Short answer : he probably can't right out of the box, but Domain Admin is powerfull. There are many ways they can get to your key if they really want it.
Long answer : DPAPI encrypts your data with a key. IIRC, it uses AES with a key that changes every 90 days. The key is stored on your computer, encrypted with your password. That's the default and it saves your key out of reach of anyone but you.
Unless your domain admin remotely installs a key logger, steals your password, impersonnate you and steal your key (or go straight to the data which he now sees in plain text).
Another somewhat less known fact is that when Credential Roaming is enabled on Active Directory, it will send your encrypted keys to a server. A domain admin could use that copy for an offline attack. But it is hard and unless your data is very valuable, I woulnd't worry about it.
The answer is yes. PoC utility with description: Vulnerability of DPAPI data protection in Win2K, Win2K3, Windows Server 2008, and Windows Server 2012
Works in Win Server 2016/2019 as well.