Re: Hidden Application Data



Hey guys thanks for your answers!
My product is a pseudo anti-virus application.
I need to save my user's credentials on the computer to be able to
connect to the server and check for license validity and new updates.
The reason I want to hide the user's credentials is not from the user
(although it does help prevent piracy...),
But for malicious programs who'd try to delete\modify this file and
thus disable my product.
Any suggestions?

Thanks again!

--sternr
On Mar 22, 9:00 pm, rossum <rossu...@xxxxxxxxxxxx> wrote:
On Sat, 22 Mar 2008 11:28:42 -0700 (PDT), sternr <Ste...@xxxxxxxxx>
wrote:

Hey,
I have a commercial application, that needs to store the user's id and
password on the local machine, and we'd like to hide it from our users
(to prevent frauds etc.).

How can I store my application's data in a hidden way?
And don't tell me the obvious solutions: hidden file, registry key
etc. - isn't there a more reliable\hidden way?

Thanks ahead

--sternr

If you must keep things locally then do not store the
username/password but instead store a cryptographic hash of the
username/password.  For extra security use some random salt as well.

For a new application you should use SHA-256 as the hash.  For
cryptographic salt see http://en.wikipedia.org/wiki/Salt_(cryptography).

When the user enters their username and password calculate:

  hash = SHA-256(username || password || salt)  (|| = concatenate)

Store the hash and random salt locally.  When the user next enters
their password repeat the calculation and compare the hash values.  If
there is a mismatch then do not allow the user access.  Each user
should have their own different salt.

Cryptographic hashes are designed so that it is not possible to run
them backwards and deduce the original text from the hash value.  The
salt is to make dictionary attacks more difficult.

rossum
