I'm coding an AS3 AIR app that has an SQLite database. I'd like to encrypt the database so that the user can feel comfortable saving sensitive information in it ie if a hacker gains access to the user's database file remotely, they won't be able to load it into their own copy of the app to read the data. However, I don't want to make the user enter a password each time they use the app.
Is this possible, or is password authentication the only way please?
Encryption of database and access on platform are two different issues.
About access:
Your app can have a system to remeber, after you have installed, so you don't put anytime your password, because it know you.
About encryption:
You can encrypt your data with a secure algorithm, so you don't show in your table the real content but encrypted content. So when you show in your app the content, you must implement a decodifier of your data.
Related
I am developing an application (web\mobile). The user have to register the account using a form on the application (it contains some data as username and password).
These data have to be stored in a database table, these data travel on Internet so I think that it is not a good idea that the password is in clear.
I think that the client have to encrypt the password in some ways and that this crypted password have to be stored in the DB.
What could be a decent workflow for this task?
A common way to do this is to send the password as clear text via a HTTPS connection. HTTPS is a must when anything confidential is sent through internet, not only for passwords.
On the server, calculate a hash. There are many algorithms for this, some more secure than others. A hash function works only for one direction: the password cannot be derived from the hash. Store that hash to the database instead of the password. When a User logs in, calculate a hash from that password, and compare it to the hash stored to the database.
I am developing a desktop application. Multiple users shall be using it to insert, delete and select data from database. As users shall be using it so they would not have to login to database.
I know how to use JDBC (for Java Applications), I need suggestions that I don't want to hard code the credentials of database like host address, username, password ... etc. So if change of credential is needed I can change it without changing the code. Also, I cannot just put database credentials in a text file and read every time when the application need to interact with database.
You can create a ApplicationConstants file which will store the host address, username and password.
If you need to change it you'll have to change it only in one location.
But this will require you to compile the code everytime you make changes.
The alternative is to encrypt the values and store the encrypted values in a text file.
You can use the javax.crypto for encryption/decryption. You can find an example on the following link :
Simple java AES encrypt/decrypt example
I have a Two Factor Authentication system where I need to store the Auto generated Code and the requested time in some form storage for retrieving it later purpose. I need to know what is the best way to store these sensitive information.
I was planning to use Session to store those sensitive information. When I googled, In some places people are telling its not recommended to use session to store sensitive information. Can any body explain why so.
Any suggestion to this will be highly appreciated.
Thanks
In your user database is fine, it's a web app so the database should be completely hidden from end users (if properly managed).
The rest is just making sure your actual application is secure -- ie no SQL injections, no buffer overflows, proper workflows that all pass through your server side authentication engine etc.
If you are worried about your information they should be encrypted before store them in database, for more secure propose you can use HSM (Hardware security module) to do encryption and decryption for you or even you can rely on OTP (one-time password) for two factor authentication.
I am trying to make a web app that uses PlayFramework2 and Neo4j Graph Database.My web app going to include user system.Users can add their visited places as nodes and traverse.My question; is it okay for keeping passwords and other personal information in nodes for authentication or using table based another database is better for login to web app.If all work can be done using Neo4j, what should be the structure of the user system in graph database for security.I am newbie at these jobs so, sorry if it is a absurd question.
Of course you can use neo4j to store user information.
As on all databases, be careful with some data, don't store password without a hash/crypt method !
If your datas are sensible, you should well configure your neo4j instance to not allow remote connection, and why not implement some user role for connection.
See here : http://docs.neo4j.org/chunked/stable/security-server.html
You should either use one of the modern auth mechanisms like OAuth2 or at least strongly hash and salt the passwords with a long salt.
i'm developing a .net winforms desktop application intended to be run at several bank's branches as a backup application whenever the main one (a web application) is unavailable due to connection issues with the bank's central node. The branchs themselves don't count with any enterprise services besides a SQL-Server database. For that reason, the application should be able to connect directly to the SQL-Server. My problem arises when I have to provide the application with a password to connect to the database:
1) Storing the password in clear text in a app.config file or similar is not an option (the customer requires the password to be encrypted)
2) Storing the password encrypted in a configuration file leads to the need of having an encryption key locally available. The encryption key could be just hardcoded in the application's code, but it would be easily readable by using a .net-decompiler or similar.
3) Using a custom algorithm to encrypt/decrypt wouldn't work either due to the same reasons as 2).
4) Integrated security is not supported by the bank
Additionally, the customers requires that they should be able to change the password in one location (within a branch) without the need to go from one computer to another updating config files (that rules out the possibility of using the machine's key to encrypt the password in individual machine's config files like asp.net does)
Would you provide any other approach or suggestion to deal with this problem?
I would appreciate any help.
Thanks in advance,
Bernabé
I don't think that encyrpting the password by any means is going to solve your problem. If the user has to send the password to server, and the password is located on the box, then by definition the user running the application must have access to the password and be able to decrypt it. Otherwise, you wouldn't be able to authenticate them. This means that there will always be a way for the user to get at the password, regardless of where you store it.
I can think of 2 ways that could possibly work, but I'm afraid they're not exactly what you're looking for.
Remove the requirement of having the
user send the password to the server
by using some sort of local proxy
(for example using a WCF windows
service) to take your winform
requests and then send them on your
behalf to the DB server. If you
install the service using an account
different from the user's account,
then you can secure the password by
any of the means mentioned in the other
answers. They key here is to make
sure the application user does not
have access to the resources that
the service account needs to decrypt
the password.
Don't store the password in the web config. Assign each user a different user account and password at the database level and have them type it in when they log in.
You could use the protected configuration built into .Net. See Encrypting Configuration Information Using Protected Configuration in the MSDN docs. One of it's raison d'etres was to encrypt data such as connection strings in config files.
You could
To use DPAPI to store a encryption/decryption key securely: How To: Use DPAPI to Encrypt and Decrypt Data
To install a SQL Server Compact Edition (or another small database) into your workstations and to synchronize data when your web application comes online again.
To ask for help inside that institution, as other people could have solved that problem and could to help you.
Definitely agree with the above regarding DPAPI. Microsoft's Enterprise Library makes this an absolute breeze too, so I would consider looking there first.