Small app, best data store

yenoah

Consider a small c# webforms app that allows users to store credentials such as software serials, website logins etc. It references a small local database to store these items. This needs to be secure and protected by a username/password etc.

What way would you go wrt a data store?
Currently the app uses an MS Access database file. Is this ok? does this require the user to have Access installed on their pc? or will the .Net framework allow the store to work without?

Can you think of a better way?

Many thanks

Seth Brundle

I would use a SQL server DB rather than MS Access with some form of encryption.

If it is a web app, why do you think MS Access (or any other DB) is required on their pc? Will it be run locally (in its entirety) and how?

As for the .net framework - it is a framework and won't store anything. However, as the coder, you can choose whether to store it in a DB, XML file, text file, etc.

I've a feeling that you need to go back to the book first before attempting a secure app.

ocallagh

SQLite is prob your best bet for a small app.

Any larger and SQL Server Express might be better- It can be installed on the client's computer easily enough. Takes up a few resources though.

As far as I know the drivers will be packaged no prob (not sure about access).

ocallagh

http://stackoverflow.com/questions/1259561/encrypt-sqlite-database-in-c-sharp

yenoah

I think some might be missing teh point of my question.

Application is a very small windows forms app. No web whatsoever. I am just asking what is the best container to use for storing a small amount of encrypted data?

If I include a sql express or sql lite .mdf file in the developement environment, will the client then need sql server (whatever flavour) installed in order to run the app?

I dont think a txt or xml file would be very secure.

amen

I dont think a txt or xml file would be very secure

just a secure as the database.

No matter where you store the data you first need to encrypt the data using a strong encryption algorithm with a strong encryption key.

If the app is to be used on multiple pcs/companies that make life more interesting because now each installation needs a unique key.

Seth Brundle

yenoah wrote: »

I think some might be missing teh point of my question.

Application is a very small windows forms app. No web whatsoever. I am just asking what is the best container to use for storing a small amount of encrypted data?

I read what you posted:

yenoah wrote: »

Consider a small c# webforms app ...

yenoah wrote: »

If I include a sql express or sql lite .mdf file in the developement environment, will the client then need sql server (whatever flavour) installed in order to run the app?

I dont think a txt or xml file would be very secure.

You could use SQL Server compact or as others have said SQL Lite.

Colonel Panic

yenoah wrote: »

I think some might be missing teh point of my question.

Application is a very small windows forms app. No web whatsoever. I am just asking what is the best container to use for storing a small amount of encrypted data?

If I include a sql express or sql lite .mdf file in the developement environment, will the client then need sql server (whatever flavour) installed in order to run the app?

I dont think a txt or xml file would be very secure.

You wrote webforms in the original post.

If you use Sqlite, the entire database engine would be embedded in the app. The same is true if you want to ship it with SQL Server Compact and an MDF file. Both of these files are just as insecure as text or XML. Security through obscurity isn't security at all!

EDIT: Heh, posted at the exact same time as Kbannon did!

Seth Brundle

Colonel Panic wrote: »

EDIT: Heh, posted at the exact same time as Kbannon did!

Great minds think alike!

yenoah

apologies for my OP. I meant winforms, not webforms.

Yeah, not too worried about encryption, this is reasonably trivial for any store chosen. I was just wondering about an appropriate store architecture.

Since starting this thread I have had a look at SqlLite. I have it running 4.0 and it looks nice. I'll either go with this or my old friend the ce version of Sql Server.

Many thanks for all the replies.

Seth Brundle

yenoah wrote: »

Yeah, not too worried about encryption, this is reasonably trivial for any store chosen. I was just wondering about an appropriate store architecture.

Fair enought - again your OP suggested otherwise:

yenoah wrote: »

Consider a small c# webforms app that allows users to store credentials such as software serials, website logins etc. It references a small local database to store these items. This needs to be secure and protected by a username/password etc.

yenoah

kbannon wrote: »

Fair enought - again your OP suggested otherwise:

yenoah wrote: »

Consider a small c# webforms app that allows users to store credentials such as software serials, website logins etc. It references a small local database to store these items. This needs to be secure and protected by a username/password etc.

What way would you go wrt a data store?

Currently the app uses an MS Access database file. Is this ok? does this require the user to have Access installed on their pc? or will the .Net framework allow the store to work without?

Can you think of a better way?

Many thanks

.................

Colonel Panic

No need for that, your original post isn't the most bulletproof of specs and you're accusing people of not answering you correctly! We're just trying to help!

yenoah

Colonel Panic wrote: »

No need for that, your original post isn't the most bulletproof of specs and you're accusing people of not answering you correctly! We're just trying to help!

No need for what? I was just replying to kbannon pointing out my original question.

amen

If its a small app I don't understand why are you adding the complexity of using a database. If a user will just be adding keys,pasword a simple encrypted file might be easier.

Seth Brundle

OK
MS Access would require a version of Access installed. A runtime would work but may not be feasible for the project rollout.

Secondly, you mentioned in your OP about how the system needs to be secure. Does it or not? Does the underlying data (e.g. website logins) need to be protected from anyone with access to the PC?
Out of curiosity, why is encryption not something you are actively considering?

If you want us to recommend an "architecture" for you, then we need to know the details.

yenoah wrote: »

.................

Your point?
You asked about securing the system and you don't like the feedback provided/questions being asked in order to help you. Don't ask then!
:rolleyes:

yenoah wrote: »

No need for what? I was just replying to kbannon pointing out my original question.

I was highlighting how your requirements have been poorly laid out but despite our attempts, you seem to contradict yourself/change your mind.

Jim2007

A couple of points:
- A full installation of .Net includes the required engine and drivers for working with Access, so no additional requirement.
- Unless you are going pure C/C++, SQLite will require a extra DLL and related .Net driver

Given the choice I would work with SQL Server CE, the other two would also work, but SQL Server Express is over kill.

yenoah

Jim2007 wrote: »

A couple of points:
- A full installation of .Net includes the required engine and drivers for working with Access, so no additional requirement.
- Unless you are going pure C/C++, SQLite will require a extra DLL and related .Net driver

Given the choice I would work with SQL Server CE, the other two would also work, but SQL Server Express is over kill.

Thanks Jim,

I have tried SqlLite and then messed around with Sql Server Ce. I think I will go for Sql Server Ce. Some of the issues I came across with the various small data stores are as follows..

MS Access
=======
You can buld and use an Access db file using ADOX. However it's buggy. For example, when you create the accdb file using the ADOC.Catalog object, you have to release the object immediately using interop or it explodes. Ugly!

SqlLite
=====
There are several wrappers. Some are not maintained anymore so it's hard to know where to invest. There is one called System.Data.SqlLite which struggles with the .Net Framework v4.0. It's a dual assembly wrapper and for some reason, 4.0 doesn't like it. You need to use an app.config file to get it to work, or you can revert back to 3.5 or lower. Again ugly!

Sql Server Ce
==========
This is for me the best of all worlds. Its trivial to encrypt or password protect or both. Password protecting alone is useless really though, if anyone opens the file in text format. Passwording and Encryption can be achieved simply in the connection string when creating the database file.

"data source=\secure.sdf;password=password;encrypt database=TRUE"

You can evem implememnt a LINQ to Sql classes ORM but alas you must use the VS command prompt and SqlMetal.exe to do this, as for some strange reason, dragging tables from a sdf file in the designer throws up an error.

Anyheeeeww
There's a quick summary of the knowledge gained in the past 12 hours should it be of any interest to anyone else. If anyone wants me to elaboate on any point, let me know.

Jim2007

Yes, I've used System.Data.SQLite a few times with .Net 4.0, but apart from the config changes I had no problems.

As I said, SQL Server Ce would be my choice too, as it is feature rich and easy to deploy.

I use XPO from DevExpress for all my data lavers.

Procasinator

This blog covers some of the basic encryption ideas:
http://blogs.msdn.com/b/stevelasker/archive/2008/05/14/security-and-encryption-for-sql-server-compact.aspx

I'd be wary about thinking encryption is trivial. It's quite easy to implement incorrectly.

The Corinthian

I think there are two factors to consider when choosing an approach:

• Your own skill-set and any potential licensing issues.
• The importance of encryption versus the importance of a 'light' application.

If you feel competent to write your own encryption to a level that would be sufficient for your application, then I would go for either a text/XML file or SQLite, depending on the complexity of stored data, and have actually done this in the past.

If not, you need to use third-party encryption and security and this can narrow down your options due to feature availability, licensing costs and conditions.

Text/XML files or SQLite have the smallest footprint in terms of 'bloat' on your application, Access has a larger one as your installation package will have to have the necessary libraries included (AFAIR) and more substantial database solutions such as SQL Server CE, etc will naturally cause the largest 'bloat' to your app.

So as will many things when designing an application architecture it comes down to requirements and available resources. As to implementation, many here have already given good responses on these various options.