Secure Network Credentials



Hi,

I have a .NET Windows application where I over time needs to call a Reporting Services web-service. I order for the web-service to authenticate correctly, it needs to be provided with the correct network credentials (the user logged in to my application). Also the Microsoft Report Viewer for Reporting Services needs the network credentials for displaying the reports. So basically I need the network credentials at different times. The code for calling the web-service looks like this:

ReportWS.ReportingService rs = new ReportWS.ReportingService();
rs.Credentials = new NetworkCredential("user", "password", "Domain");

At the moment I don't store the credentials I my application, I only use them when logging in to my application. How can store the credentials securely I my application and get the when I need them? I cannot store the NetworkCredential object because username and password are not encrypted in any way.

I have come up with a solution where I store the password in a secure string at login time and then when I need the credentials unpack the secure string like this:

IntPtr ustr = Marshal.SecureStringToGlobalAllocUnicode(password);
try
{
string clearTextPwd = Marshal.PtrToStringUni(ustr);
ReportWS.ReportingService rs = new ReportWS.ReportingService();
rs.Credentials = new NetworkCredential("user", clearTextPwd, "Domain");
}
finally
{
Marshal.ZeroFreeGlobalAllocUnicode(ustr);
}

I know this isn't a 100% secure solution because at some point the password is in memory as clear text, so my question is: Is there a better way to do this? What would be the best way to store and supply the credentials in my application?

Cheers
Henrik

.