On Fri, Mar 22, 2013 at 2:56 PM, Stephen Price <[email protected]> wrote:
> Thanks all. I found the CryptoStream class and an example of its use...
> Unfortunately that raised the question of "Ok, so now where do we store our
> key in the app, so that no one can pull it out and use it, except for the
> app."
>

That's the critical flaw DRM doesn't admit to. The best they can do is legislate their way around what is after all a serious technical flaw.

> At which point the answer was, why didn't you research this before
> suggesting it? Ok, let's go back to plain text passwords.
> I did suggest password hashes, but they are one way and the requirement is
> that an Admin can read them. I think I lost.
>
> Not real impressed with the ProtectedData class encrypting it per
> machine/user. I didn't realise until another developer tried to use it and
> the penny dropped. Encrypted egg on my face. doh! Last time I did this
> stuff was years ago and I think I was dealing with the Cryptography
> namespace. I remember a key and an iv (salt right?) but not sure how we
> kept the key safe.
> I imagine if the key was to be put into an XML file that is encrypted
> (here we go again!!) then the assembly would need to be signed to keep it
> safe?
>
> Good link that Thomas, thanks. Might forward it to the boss so he sees how
> simple encryption is. (NOT)
>

Good luck with that.

> On Fri, Mar 22, 2013 at 10:50 AM, Jason Roberts <[email protected]> wrote:
>
>> Hi, yeah sounds like a key to the encryption / decryption is probably
>> what you want assuming there are multiple boxes and/or you want option to
>> scale out. I think you can just use the stuff in the Cryptography
>> namespace. Just bear in mind that securing the keys will be important. But
>> it would be better to use a one way hash (salted) and just let admins reset
>> the password, more secure, and possible audit problems?? But don't know the
>> specific requirements though.
>> ------------------------------
>> From: Stephen Price
>> Sent: 22/03/2013 10:06 AM
>> To: ozDotNet
>> Subject: Encryption
>>
>> Hey all,
>>
>> http://msdn.microsoft.com/en-us/library/ms229741.aspx
>>
>> "...which allows you to encrypt data using information from the current
>> user account or computer. "
>>
>> I'm using ProtectedData to encrypt and decrypt passwords so they can be
>> stored in database encrypted, but they want to be able to see what the
>> password is for administrators. It all works great except when a user logs
>> in (using a custom principal, not the user who did the encryption.. ie the
>> Admin) and it doesn't work as the user is different, or the machine is
>> different.
>>
>> I'm looking for a way to encrypt and decrypt at an app level rather than
>> user/machine level. Don't mind if keys are involved. Anyone done this and
>> is there a framework class somewhere for that?
>>
>> cheers,
>> Stephen
>>

--
Meski

http://courteous.ly/aAOZcv

"Going to Starbucks for coffee is like going to prison for sex. Sure,
you'll get it, but it's going to be rough" - Adam Hills
