Re: Secure Network Credentials



Hello,

NetworkCredential encrypts the password internally. But you are of course right - the password is there somewhere in memory unencrypted.

A more secure solution would be to use integrated authentication when possible.


Otherwise your solution should be ok, IMHO.

Kind regards,
Henning Krause


"Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx> wrote in message news:uWYtGWNlIHA.6092@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I have a .NET Windows application where I over time need to call a Reporting Services web-service. In order for the web-service to authenticate correctly, it needs to be provided with the correct network credentials (the user logged in to my application). Also the Microsoft Report Viewer for Reporting Services needs the network credentials for displaying the reports. So basically I need the network credentials at different times. The code for calling the web-service looks like this:

ReportWS.ReportingService rs = new ReportWS.ReportingService();
rs.Credentials = new NetworkCredential("user", "password", "Domain");

At the moment I don't store the credentials in my application, I only use them when logging in to my application. How can I store the credentials securely in my application and get them when I need them? I cannot store the NetworkCredential object because username and password are not encrypted in any way.

I have come up with a solution where I store the password in a secure string at login time and then when I need the credentials unpack the secure string like this:

// Decrypt the SecureString into an unmanaged Unicode buffer.
IntPtr ustr = Marshal.SecureStringToGlobalAllocUnicode(password);
try
{
    string clearTextPwd = Marshal.PtrToStringUni(ustr);
    ReportWS.ReportingService rs = new ReportWS.ReportingService();
    rs.Credentials = new NetworkCredential("user", clearTextPwd, "Domain");
}
finally
{
    // Zero and free the unmanaged buffer (the managed string is not cleared).
    Marshal.ZeroFreeGlobalAllocUnicode(ustr);
}

I know this isn't a 100% secure solution because at some point the password is in memory as clear text, so my question is: Is there a better way to do this? What would be the best way to store and supply the credentials in my application?

Cheers
Henrik
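
The two options discussed in this thread, as an added example that is not part of the original posts: a holder that keeps the login password only as a SecureString and builds credentials on demand, plus the integrated-authentication alternative. SessionCredentials and its members are hypothetical names, and the SecureString constructor overload of NetworkCredential assumes .NET Framework 4.0 or later.

```csharp
using System;
using System.Net;
using System.Security;

// Hypothetical helper (not from the thread): holds the password captured at
// login as a SecureString and hands out NetworkCredential objects when needed.
public sealed class SessionCredentials : IDisposable
{
    private readonly string _user;
    private readonly string _domain;
    private readonly SecureString _password;

    public SessionCredentials(string user, SecureString password, string domain)
    {
        if (password == null) throw new ArgumentNullException("password");
        _user = user;
        _domain = domain;
        _password = password.Copy();   // own copy, so the caller can dispose theirs
        _password.MakeReadOnly();      // no further edits to the stored secret
    }

    // Uses NetworkCredential(string, SecureString, string), so this helper
    // never creates a managed string containing the password.
    public NetworkCredential Create()
    {
        return new NetworkCredential(_user, _password, _domain);
    }

    // Integrated authentication: the current Windows logon is used and the
    // application handles no password at all.
    public static ICredentials Integrated()
    {
        return CredentialCache.DefaultCredentials;
    }

    // Releases the protected buffer; Create() throws after this is called.
    public void Dispose()
    {
        _password.Dispose();
    }
}
```

With this in place the call site becomes `rs.Credentials = session.Create();`, or `rs.Credentials = SessionCredentials.Integrated();` when the Windows logon is the account the report server should see. As the reply notes, the password is still decrypted in memory at the moment the credential is actually used.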
