Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

C# Two way encryption of username and password combinations

Options
  • 24-09-2012 11:35pm
    #1
    BrokenArrows
    Registered Users Posts: 7,501 ✭✭✭


    Im creating an sftp server using We Only Do components We Only Do

    I need to store the usernames and passwords locally in order to compare them to authenticate.

    Unfortunately the we only do components only returns the username and password in plain text so storing only a hash of the passwords is not an option.

    There seems to be an abundance of two way encryption methods available online but there doesn't seem to be any recent discussions on which is currently the most secure.
    Will the .Net encryption be enough http://support.microsoft.com/kb/307010

    I am currently using my own encryption method for development purposes but i wouldn't like to put that to the test!

    Anyone have any experience implementing two way encryption and can you suggest anything?


Comments

  • Options
    #2
    Giblet
    Registered Users Posts: 11,979 ✭✭✭✭Giblet


    I've worked with both BCrypt and AES256, both are known and tested. You need to think how you are going to store the encryption key & salt/IV. The key needs to be kept safe, shouldn't be stored along with the salt or the password. The salt/IV can be stored in plaintext as another field (No encryption method worth it's salt..hah...should expose the cipher just through a plaintext salt/iv), or as part of the password (first/last/2N bytes) and then read when you need to decrypt. I'd recommend AES256 as while BCrypt seems secure, it isn't as tested and you might have dodgy implementations in .NET (There was some issue with BCrypt.NET If I recall correctly.) All passwords should be stored as bytes (varbinary) and you should use a consistent encoding for the database and application.

    http://msdn.microsoft.com/en-us/library/system.security.cryptography.aes.aspx
    http://msdn.microsoft.com/en-us/library/system.security.cryptography.rijndaelmanaged.aspx


  • Options
    #3
    stevenmu
    Moderators, Society & Culture Moderators Posts: 9,689 Mod ✭✭✭✭stevenmu


    I might be misunderstanding what you are doing, but can you not store the details hashed, then when you get a plain text username/password from We Only Do, hash it and compare to your stored values?


  • Options
    #4
    BrokenArrows
    Registered Users Posts: 7,501 ✭✭✭BrokenArrows


    stevenmu wrote: »
    I might be misunderstanding what you are doing, but can you not store the details hashed, then when you get a plain text username/password from We Only Do, hash it and compare to your stored values?

    You are correct and I am an idiot. Lol.

    I was getting myself confused because I was also encrypting the username and needed to decrypt it to show in the configuration tool but there is no need to encrypt the username.


  • Options
    #5
    Giblet
    Registered Users Posts: 11,979 ✭✭✭✭Giblet


    Problem solved so :)


  • Options
    #6
    BrokenArrows
    Registered Users Posts: 7,501 ✭✭✭BrokenArrows


    I'm almost ready to release a beta version of the Sftp server.
    If anyone is interested in it email me on windsftp@gmail.com


  • Advertisement
Advertisement