What is the best way to store the keys of encrypted text

Question

0.00/5 (No votes)

See more:

Hello folks,
I have the following question:
In my ASP.NET MVC application I want to store some key/value settings in my database.
Some of this key/value settings contain passwords, that I want to encrypt to secure them.

I can´t hash the passwords because I need some passwords to autheticate on a remote SMTP server.

On MSDN I found an article about securing configuration settings with "Protected Configuration Providers", but I don´t want to store that settings in my web.config file.

I considered to use the DpapiProtectedConfigurationProvider that uses some machine and user specific properties as encryption keys, but this provider is built to work only with XML configuration nodes.

So, what is the best method to store passwords in an C# application?

greetings

Posted 7-May-14 5:19am

Nico Haslberger

Add a Solution

2 solutions

Solution 2

_-_nox_-_ wrote:
I need the decrypted password to authenticate on the remote SMTP server

No, you don't.
Create single user to allow access to SMTP server via your application. Provide authentication to your application and use default user to operate on SMTP server. Log user activity.

That's all!

As Sergey mentioned, do not store encrypted/decrypted passwords in your application to log in into SMTP server.

Posted 7-May-14 6:25am

Maciej Los

Comments

Sergey Alexandrovich Kryukov 7-May-14 12:28pm

Agree, a 5.
—SA

Maciej Los 7-May-14 12:29pm

Thank you, Sergey ;)

Nico Haslberger 7-May-14 15:47pm

Ok, but what is the best way to store the credentials of my SMTP server?

Maciej Los 7-May-14 16:03pm

Search for "Resources" ;)

Nico Haslberger 7-May-14 16:22pm

Thank you, but I don´t want to use several configuration files. There must be a possibility to store the password the encryption key in a safe way...

Maciej Los 7-May-14 16:29pm

What? You won't listening... It's sad...

Nico Haslberger 7-May-14 16:35pm

Sorry but you are not understanding the problem: HOW SHOULD I LOGON MY SMTP SERVER WITH A HASH?! I can´t decrypt the hash back to the password and the end user should not know the password of the SMTP server and storing the password in clear in the compiled code is the worst thing you can do... I can´t allow the user of my system the access to the smtp because the user and the smtp server are not in an active directory!<br>
SO WHAT SHOULD I ELSE DO?!

Maciej Los 7-May-14 17:00pm

Sorry, but we misunderstood. You can use Resources to store application settings and the address of SMTP server. Password and user name you can store - for example - in Windows Registry. Please see: https://workspaces.codeproject.com/originalgriff/where-should-i-store-my-data-[^]

Nico Haslberger 8-May-14 4:25am

Is it really secure to store such credenials in the Windows registry?

Maciej Los 8-May-14 4:31am

Yes, but in case when the following conditions are filled:<br>
1. data are encrypted/decrypted<br>
2. folder or registry path where you store it is not related with the name of application (GUID is used instead application name).<br>
Encrypting and Decrypting Data[^]
Credential locker sample[^]

Maciej Los 8-May-14 5:09am

Other useful information: Handling Passwords[^]

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Sergey Alexandrovich Kryukov · Accepted Answer · 2014-05-07T05:32:00

Solution 1

You should not store any passwords, even encrypted, this is not absolutely not needed for authentication.

Feel disagree? Surprised? Then keep reading. Please see my past answers:
i already encrypt my password but when i log in it gives me an error. how can decrypte it[^],
Decryption of Encrypted Password[^],
storing password value int sql server with secure way[^].

Are you getting the idea? You need to store cryptographic hash function of passwords, and always compare hash with hash. Then no one will be able to learn the original passwords, no matter how much access this person may have.

—SA

Posted 7-May-14 5:32am

Sergey Alexandrovich Kryukov

Comments

Maciej Los 7-May-14 11:34am

Sure, a 5!

Nico Haslberger 7-May-14 11:44am

Thank you for your reply, but I need the decrypted password to authenticate on the remote SMTP server, as I wrote in my question.
The end user in our system has no IT knowledge and should not have to enter or keep a password of an smtp server.
greetings

Maciej Los 7-May-14 12:25pm

Wrong! Please, see my answer.

Sergey Alexandrovich Kryukov 7-May-14 12:27pm

No, you don't need it. And this was not just reply, but an answer. :-)
—SA

Sergey Alexandrovich Kryukov 7-May-14 12:27pm

Thank you, Maciej.
—SA