You simply CANNOT. The short reason is that an admin can always DEBUG your
service and can find the point when the password is retrieved / used within
the service's code. Same goes for trying to protect against anybody having
full physical access to the computer. Eventually - since ALL information
needed to run your service, and, hence, ALL information needed to get to the
password - an attacker could find the password and decrypt the data.
On the other hand, if you just want to protect it from other users, you can
simply use access control (ACLs) - either on the data file or on the password
file.
That doesn't mean you cannot make it harder for an attacker to find it. You
can use code obfuscation, password obfuscation, etc. But that just increases
the work factor and ultimately does NOT provide protection.
Laszlo Elteto
SafeNet, Inc.
"Sebastian Daser" wrote:
> Hi All,
>
> I would like to write an application consisting of two components: The first
> one should be a GUI that allows a user to encrypt and store a file on a PC
> (using a provided password, the user's Windows password or a security
> token), the second component should be a service (running on the same PC)
> that is able to decrypt the file using the previously provided password, the
> user's password or security token.
>
> My problem: How can I store the provided password securely on the PC (for
> use by the service) in a way that other users (even administrators) are not
> able to acquire it, even if they try to reverse engineer or disassemble the
> application?
>
> Is there a way for an application running on the user's account to acquire
> the user's password or some sort of a security token which cannot be acquired
> by other users (even administrators)?
>
> Which .NET framework assemblies may be used to accomplish the tasks?
>
> Any help would be most appreciated!
>
> Thanks and best regards
> Sebastian Daser
> Softfount IT Solutions
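The ACL approach Laszlo suggests for keeping the password file away from other (non-admin) users, as an added example that is not code from either poster. It assumes .NET Framework on Windows, where File.GetAccessControl and File.SetAccessControl are available; the file path and the service account name are placeholders. The file is created empty and locked down before the secret is written, so the secret never sits on disk under the directory's inherited DACL, and a check function reports whether Everyone, Authenticated Users or BUILTIN\Users still have read access.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example (not from the thread). Assumes .NET Framework on Windows.
// Path and service account are placeholders; the secret bytes are constructed.
static class PasswordFileAcl
{
    // Create the file empty, restrict it, then write the secret, so the secret
    // is never on disk under the directory's inherited (usually broad) ACL.
    public static void WriteRestricted(string path, string serviceAccount, byte[] secret)
    {
        using (File.Create(path)) { }   // zero-length file with the inherited ACL
        RestrictToServiceAccount(path, serviceAccount);
        File.WriteAllBytes(path, secret);
    }

    public static void RestrictToServiceAccount(string path, string serviceAccount)
    {
        FileSecurity acl = File.GetAccessControl(path);

        // Stop inheriting from the parent directory and do not copy the inherited
        // entries; that is where BUILTIN\Users read access normally comes from.
        acl.SetAccessRuleProtection(true, false);

        // Drop every explicit entry that is already on the file.
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, false, typeof(SecurityIdentifier)))
            acl.RemoveAccessRuleAll(rule);

        // The service account may only read. The GUI user (current account) keeps
        // full control so it can replace the secret later. Nothing for Users/Everyone.
        acl.AddAccessRule(new FileSystemAccessRule(
            new NTAccount(serviceAccount), FileSystemRights.Read, AccessControlType.Allow));
        acl.AddAccessRule(new FileSystemAccessRule(
            WindowsIdentity.GetCurrent().User, FileSystemRights.FullControl, AccessControlType.Allow));

        File.SetAccessControl(path, acl);
    }

    // Audit check: true if Everyone, Authenticated Users or BUILTIN\Users are
    // allowed to read the file, whether explicitly or through inheritance.
    public static bool IsReadableByBroadGroups(string path)
    {
        FileSecurity acl = File.GetAccessControl(path);
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (rule.AccessControlType != AccessControlType.Allow) continue;
            if ((rule.FileSystemRights & FileSystemRights.ReadData) == 0) continue;
            var sid = (SecurityIdentifier)rule.IdentityReference;
            if (sid.IsWellKnown(WellKnownSidType.WorldSid) ||
                sid.IsWellKnown(WellKnownSidType.AuthenticatedUserSid) ||
                sid.IsWellKnown(WellKnownSidType.BuiltinUsersSid))
                return true;
        }
        return false;
    }

    static void Main()
    {
        const string path = @"C:\ProgramData\ExampleApp\secret.bin";  // placeholder path
        const string serviceAccount = @"NT SERVICE\ExampleService";   // placeholder account
        WriteRestricted(path, serviceAccount, new byte[] { 1, 2, 3 }); // constructed sample secret
        Console.WriteLine(IsReadableByBroadGroups(path) ? "STILL EXPOSED" : "restricted");
    }
}
```

This only does what the reply says ACLs can do: it keeps other ordinary users out. An administrator can take ownership of the file or debug the service, so the check above is a hygiene test against accidental exposure through inherited permissions, not protection against a privileged account.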