|
microuser_2000 wrote: i wanna take the value of the indx after it has been inserted and to save it to use it in another statment ...
Excellent. So after following the advice I gave in my previous post what part are you stuck on now?
|
|
|
|
|
Hi,
I'm building an app in C#. I won't bore you with the details, but basically I have two security questions. Any help would be much appreciated!
1. I will be saving files on a external server. I would like to encrypt the files before sending them. Different 'users' will be using this app. What are the best practices regarding C# to encrypt files? Public/Private key encryption? Where would I store the keys...in the registry? I'm well versed with regards the cryptography in theory, but do not have much experience in practise. What API's....where? Etc, etc...Any ideas?..
2. The application be will be using a third-party service, which requires a username/password. I suppose this username and password will be kept on a database somewhere, and the app will retrieve it. What are normal practises for this kind of thing? Store it on a database on server, and have the application request it? Should it be plain-text or encrypted? If so, how so? Remember, the idea is that users of the app can use this service, but should never know the username/password.
There's just a huge amount around on encryption, etc - but no real 'this is the right right way' methods. Any help appreciated.
By the way, this is for a fictitious company, so don't worry - this won't be a security risk!
Regards,
Cormac Redmond
|
|
|
|
|
For encrypting files, well, if you're sending them to the server, are you doing this using .NET remoting? If so, there are some documented ways of encrypting .NET remoting streams. Alternately, you can use the System.Security.Cryptography.CryptoStream to encrypt the stream before streaming it to the server.
For #2, it's common to keep user names in plain text in the database. However, passwords do not need to be kept in plain text on the server. For this, you should simply encrypt hash the plain text using MD5 (again, look in System.Security.Cryptography) or some other hashing algorithm to hash the password, then save the hashed password to the database. When a user logs in, hash the password he typed, and compare it against the encrypted version in the database. If they match, the passwords match.
Last modified: 1hr 7mins after originally posted -- hash instead of encrypt, thank you dan
|
|
|
|
|
Judah Himango wrote: For #2, it's common to keep user names in plain text in the database. However, passwords do not need to be kept in plain text on the server. For this, you should simply encrypt the plain text using MD5 (again, look in System.Security.Cryptography) or another encryption algorithms to encrypt the password, then save the encrypted password to the database. When a user logs in, encrypt the password he typed, and compare it against the encrypted version in the database. If they match, the passwords match.
That should be hash the password with MD5. Don't want to confuse the OP any more than he already is. Also advances in cryptographic attacks have gotten to the point where 128bit hashes are becoming questionable for the longterm, if possible something longer should be used instead.
--
Rules of thumb should not be taken for the whole hand.
|
|
|
|
|
Yes, MD5 hash, rather.
Yes, a better option might be SHA.
|
|
|
|
|
By hash, you mean use the users username+password as a key for the encryption?
I was thinking that - seems like the logical choice.
|
|
|
|
|
No, actually what you do is hash your password. To use MD5 hashing, you could do it like this:
using System.Security.Cryptography;
using System.Text;
...
string password = "super secret password";
byte[] passwordBytes = UnicodeEncoding.UTF8.GetBytes(password);
MD5 md5 = MD5CryptoServiceProvider.Create();
byte[] hashedPassword = md5.ComputeHash(passwordBytes);
As you can see, this doesn't rely on any sort of key; in fact, you never need to store the user's real plain text password anywhere, just the MD5 (or other hashing algorithm) hash of that person's password. When the user goes to log in, hash his inputted password, and check it against the hashed passwords in the database. If they're equal, that means the user has specified a correct password.
This way is great for security -- even if someone got into your database or intercepted the password being sent to the server, it doesn't matter, because it's just the MD5 hash of the password, not the actual plain text password.
Make sense?
|
|
|
|
|
Ah, good. All making sense now.
Cheers,
Cormac
|
|
|
|
|
Thanks for the replies.
Using System.Security.Cryptography, etc - How would I go about decrypting the files on say, another machine? My real problem here is with keys; where to store them, how to keep them secure, etc.
Basically, I'm building a backup application, where there can be many users. It will use Amazons S3 service for storage. I want those files encrypted however before being sent to S3. The user should be able to access (download and decrypt) the files from any location. Hence we need a central server to:
1. Supply the app with the login/pass for S3, and
2. A list of what files on S3 belong to what users.
S3 isn't simply a file system, so it's not as easy as just storing files, hence the need for 2.
So I know about the namespaces to use, but not how to store keys, and access keys, etc etc.
Can you shed more light?
Regards,
Cormac Redmond
Cormac
|
|
|
|
|
Ok, the MD5 option (or any other hashing algorithm option) works only for scenarios where you never need to decrypt the object. For example, this is a good option for passwords. See my other reply to you for more info about this.
However, for decryption, you're probably going to need a key to encrypt and decrypt. For this, there are several articles on code project covering this. Basically, you'd need to look at some of the transform classes in System.Security.Cryptography, such as RijndaelManaged. MSDN has this sample[^] on how to use CryptoStream to encrypt and decrypt a file using a key.
As far as where to store the key, I have no idea really. I don't think there's any standard place to store the key. Maybe someone else can better answer the "where to store the key" question.
|
|
|
|
|
Ok, cheers for that!
I'll have a read of those articles!
Regards,
Cormac
|
|
|
|
|
Hi!
I have a “Windows Application” type Visual Studio .NET 2005 solution. This project has one Windows Form, and a User Control. The Windwos Form has an instance of this User Control.
The User Control has a LinkLabelsList property, of type System.Collections.Generic.List <linklabel>.
public System.Collections.Generic.List <linklabel> LinkLabelsList
{
get { return (mv_linkLabelsList); }
set { mv_linkLabelList = value; }
}
In the Properties Grid of the User Control instance on the Windows Form, a browse button with “periods” ([...]) is visible against the LinkLabelsList property.
On clicking this “periods” button, the “Collection Editor” window opens up. Any number of “LinkLabel” entries can be added here in this “Collection Editor”.
When I am done with adding LinkLabels in the “Collection Editor”, I click the OK button in the “Collection Editor” dialog box, and it returns to the Windows Form editor. However, all the LinkLabel entries added, DISAPPEAR and it again shows an empty space instead of something like “(Collection)”.
How do I solve this problem?? How do I PERSIST THE ADDED ENTRIES for the property for the User Control, when it returns from the “Collection Editor”?
Your helps would be greatly appreciated.
Thanks,
Dinesh M Jayadevan
Thanks,
Dinesh M Jayadevan
|
|
|
|
|
Is it possible to use C# to interface with Excel 2000, or is it necessary to have Excel 2003 or more recent?
-- modified at 15:56 Wednesday 27th December, 2006
It looks as though Office 2003 includes the Primary Interop Assemblies, whereas Office XP does not. I can only assume that Office 2000 is lacking the interop assemblies as well and that there is no backwards compatability. Does anyone know if there are PIA's for Office 2000? Because when trying to compile my app it's stopping on:
using Excel = Microsoft.office.Interop.Excel;
using System.Reflection;
and telling me that
Error 1 The type or namespace name 'office' does not exist in the namespace 'Microsoft' <BR> (are you missing an assembly reference?)
Error 2 Namespace '<global namespace>' contains a definition conflicting with alias 'Excel'
Are the PIAs my problem? Can anyone confirm this and/or suggest a solution, or am I indeed S.O.L.?
"Oh, I must've did somebody some good. I think I did. So I gave her the gun and I shot her!" - Led Zeppelin - In My Time of Dying
|
|
|
|
|
The Apocalyptic Teacup wrote: It looks as though Office 2003 includes the Primary Interop Assemblies, whereas Office XP does not
A quick google search reveals you can download[^] the Office XP PIAs from Microsoft.
|
|
|
|
|
Judah Himango wrote: A quick google search reveals you can download[^] the Office XP PIAs from Microsoft.
Hi Judah,
thanks for the reply. I saw that, but I am actually using Excel 2000. I was just noting that they were missing for Office XP and so I presume they are lacking for Excel 2000 as well.
I can't confirm this, however...
"Oh, I must've did somebody some good. I think I did. So I gave her the gun and I shot her!" - Led Zeppelin - In My Time of Dying
|
|
|
|
|
Sorry for the second reply, but I thought I'd post this here in case anyone else was encountering the same problem. It seems I've gotten around the PIA problem using late binding rather than early binding. This way I get to avoid using the interop assemblies, so that previously:
using System.Reflection;
using Excel = Microsoft.Office.Interop.Excel
becomes
using System.Reflection;
Then I can instantiate Excel through, say, a button_click() event. Basically all I've done at the moment is to fill some Excel cells, but that is almost all I need. I can fill the cells and then call the charting routines from Excel itself using a macro!
"Oh, I must've did somebody some good. I think I did. So I gave her the gun and I shot her!" - Led Zeppelin - In My Time of Dying
|
|
|
|
|
I'm looking for help on how to install a screen saver created from the VS 2005 Screen Saver kit, more specifically, install the screen saver programmatically and also install the .net 2.0 framework as well.
I've created a screen saver for my relatives back home using the screen saver kit included with VS2005, my relatives are not pc literate, anyways, I need to have this install programmatically when they click an .exe plus also checking that they have the .net 2.0 framework installed, if it isn't then it should install the framework too ...
Any help would be great, I've looked in the articles and I didn't find anything so I thought I'd post here.
Code, links to code, links to articles would also be fine ... I'm a student still learning if that helps you to help me.
Thanks,
Xaverian
|
|
|
|
|
You can use Process.Start() method to invoke the installer from your code. Most installers support the "quiet mode" usually by adding a "/q" or a "-q" parameter. This way the installer don't display a user interface and installs itself -as mentioned- quietly.
Regards
|
|
|
|
|
Thanks -
But I don't understand what you just said ...
|
|
|
|
|
Well, to install anything you program got two choices:
1- Make a deployment project -from the new projects window-, there you can specify what to install from your screensaver project, and to check/install DotNet framework.
2- Write the code to copy your files yourself. If you choose this hard way -that's what I thought of when you said programatically-, you need to call the DotNet installer. Something like this:
Process.Start("Setup.exe", "/q");
This way the DotNet framework setup will try to install itself without showing any screens. Of course if you want to copy your exe file to the hard desk you can simply use
File.Copy("MyOldPath.exe", "MyNewPath.exe", true);
Sure the second way is much harder, but some people got reasons to use it. If you just want to install your project and the DotNet framework -if needed-, follow these steps:
1- File => New => Project
2- Other Project types => Setup and Deployment => Setup Project
3- Right click on the setup project's name => Properties
4- Prerequisite button => Check ".Net Framework 2.0" and "Microsoft installer 3.1" from the list and check on "Download prerequisites from the same location as my application" radiobutton.
5- Right click on the setup project's name again => Add => Project output => Choose your screensaver project and click OK.
I hope it was clear this time.
Regards
|
|
|
|
|
I followed your instructions all the way to #5 ...
[QUOTE]Right click on the setup project's name again => Add => Project output => Choose your screensaver project and click OK[/QUOTE], when I get to this point, there are two empty dropdown boxes with no way to navigate to my project so I can add it as project output.
I was also trying to use the "ClickOnce" deployment method as I have space on a server here at school to use, thought that might be easy for them to use to install and run the app, however when trying to use that method the "ClickOnce" won't grab the .scr and install it as a screen saver only in the Start > Programs > etc. etc. and you have to manually click on it to run. Doh!
Any method is fine to use as long as I make it simple for them ... another question that pops up then, if using the method you described with making a new "Setup Project", when this installs, will it install it directly as a screen saver? and how would it do that, or do I have to provide more code somewhere to make it perform that action?
I hope this was all clear ...
Xaverain
|
|
|
|
|
The last step didn't work because you crated the new project in a new solution . In the new project dialog you should have chosen "Add to solution" in the ComboBox to the bottom of the dialog box.
About installing your Screensaver, follow these steps in your new setup project -in a new solution like you did-:
1- Open "My Computer" => Go to your Screensaver's output folder => Copy the exe to your new setup project's folder and rename it to "MyFile.scr" instead of "MyFile.exe"
2- Back to Visual Studio => Right click on the setup project's name => View => File system
3- Right click on "File system on target machine" => Special Folder => Windows folder.
4- Right click on the new folder => Add => File => Browse to your scr file.
5- Do the prerequisite as mentioned before.
This should do it, but you got to read more about setup and deployment. I always suggest searching the articles. I hope it works for you this time.
Regards
|
|
|
|
|
If I use the "Download prerequisites from the same location as my application" and place everything on a CD for them, where do I place the prerequisites or how do I include them with the setup project?
|
|
|
|
|
First: Did you follow the second set of instrucstions successfully?
Second: The entire output of your setup project is placed in a folder named debug or release -accodring to your configuration-. In that folder you should see subfolders containing each of your prerequisites. Just copy all the contents of the debug/release folder to your CD, and on the user's machine tell them to click on the Setup.exe file.
PS.
Of course you should test it on your machine first, Don't you think? Also don't forget to uninstall the screensaver from your machine after the test.
Regards
|
|
|
|
|
I did follow the instructions, and I found everything in the DeBug folder as you suggested ... that is slick!
I tested it and uninstalled it ... that worked too, BUT ...
How do I make the screen saver being installed the default screen saver without making my relatives right click on the desktop, select properties, then screen saver, etc ...
Isn't there a way to do that for them?
On a side note, I am going to do some additional reading on creating "Setup Projects" after all this. Do you know of any good books, with examples?
Perhaps an article on deploying the Screen Saver kit should be written for CodeProject, for both the CD option and using the ClickOnce stuff too.
Anyways, thanks for the help thusfar, I appreciate it, just one more step to go! I await your answer
|
|
|
|
|