
C# Two way encryption of username and password combinations

  • 24-09-2012 10:35pm
    #1
    Registered Users, Registered Users 2 Posts: 7,501 ✭✭✭


    I'm creating an SFTP server using We Only Do components.

    I need to store the usernames and passwords locally in order to compare them to authenticate.

    Unfortunately the We Only Do components only return the username and password in plain text, so storing only a hash of the passwords is not an option.

    There seems to be an abundance of two way encryption methods available online but there don't seem to be any recent discussions on which is currently the most secure.
    Will the .NET encryption be enough? http://support.microsoft.com/kb/307010

    I am currently using my own encryption method for development purposes but I wouldn't like to put that to the test!

    Anyone have any experience implementing two way encryption and can you suggest anything?


Comments

  • Registered Users, Registered Users 2 Posts: 11,989 ✭✭✭✭Giblet


    I've worked with both BCrypt and AES256, both are known and tested. You need to think how you are going to store the encryption key & salt/IV. The key needs to be kept safe, shouldn't be stored along with the salt or the password. The salt/IV can be stored in plaintext as another field (no encryption method worth its salt..hah...should expose the cipher just through a plaintext salt/IV), or as part of the password (first/last/2N bytes) and then read when you need to decrypt. I'd recommend AES256 as while BCrypt seems secure, it isn't as tested and you might have dodgy implementations in .NET (there was some issue with BCrypt.NET if I recall correctly). All passwords should be stored as bytes (varbinary) and you should use a consistent encoding for the database and application.

    http://msdn.microsoft.com/en-us/library/system.security.cryptography.aes.aspx
    http://msdn.microsoft.com/en-us/library/system.security.cryptography.rijndaelmanaged.aspx


  • Moderators, Society & Culture Moderators Posts: 9,689 Mod ✭✭✭✭stevenmu


    I might be misunderstanding what you are doing, but can you not store the details hashed, then when you get a plain text username/password from We Only Do, hash it and compare to your stored values?


  • Registered Users, Registered Users 2 Posts: 7,501 ✭✭✭BrokenArrows


    stevenmu wrote: »
    I might be misunderstanding what you are doing, but can you not store the details hashed, then when you get a plain text username/password from We Only Do, hash it and compare to your stored values?

    You are correct and I am an idiot. Lol.

    I was getting myself confused because I was also encrypting the username and needed to decrypt it to show in the configuration tool but there is no need to encrypt the username.
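
The hash-and-compare approach the thread settles on, as an added example that is not part of the original posts or of the We Only Do API: the username stays in plain text and only a salted PBKDF2 hash of the password is stored. `CredentialStore`, its method names, the sample account and the iteration count are assumptions, and the static `Rfc2898DeriveBytes.Pbkdf2` call requires .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical credential store: plain-text username, salted PBKDF2 hash of the password.
public sealed class CredentialStore
{
    private const int SaltBytes = 16, HashBytes = 32;
    private const int Iterations = 600_000; // assumed work factor; tune for your hardware

    private readonly Dictionary<string, (byte[] Salt, byte[] Hash)> _users = new();

    public void SetPassword(string username, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes); // fresh random salt per user
        _users[username] = (salt, Derive(password, salt));
    }

    // Call with the plain-text credentials the SFTP component hands over at login.
    public bool Verify(string username, string password)
    {
        bool known = _users.TryGetValue(username, out var rec);
        // Unknown users still cost one derivation, so timing does not reveal valid names.
        byte[] salt = known ? rec.Salt : new byte[SaltBytes];
        byte[] expected = known ? rec.Hash : new byte[HashBytes];
        byte[] candidate = Derive(password, salt);
        // Constant-time comparison of the derived hash against the stored one.
        return CryptographicOperations.FixedTimeEquals(candidate, expected) && known;
    }

    private static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
}

public static class Program
{
    public static void Main()
    {
        var store = new CredentialStore();
        store.SetPassword("alice", "correct horse battery staple"); // constructed sample account
        Console.WriteLine(store.Verify("alice", "correct horse battery staple"));
        Console.WriteLine(store.Verify("alice", "wrong password"));
        Console.WriteLine(store.Verify("mallory", "anything"));
    }
}
```

When persisting to a database, the salt and hash map onto two binary columns beside the username.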


  • Registered Users, Registered Users 2 Posts: 11,989 ✭✭✭✭Giblet


    Problem solved so :)


  • Registered Users, Registered Users 2 Posts: 7,501 ✭✭✭BrokenArrows


    I'm almost ready to release a beta version of the Sftp server.
    If anyone is interested in it email me on windsftp@gmail.com

