I'm working on an application that works as a remote client for integrating with corporate services. It's packaged as a downloadable Windows installer, allowing a user to install it and then configure a profile for connecting with their account(s). This information, including account passwords, will be written to a local properties file for automating transactions via a Windows service. This already works, and just fine.
However... now I want to encrypt the customer's password for storage in their properties file, and decrypt at runtime to make the remote connections. I have put together sample projects using various RSA, 3DES and certificate APIs, which work as far as they go. However, nothing seems to be exactly what i need.
This will be an "on demand" service, and there will be multiple, unpredictable, client installations, so I can't generate a unique cert for every customer who wants to install the automated plug-in. What's the best way to persist encryption in a secure way on the client side?
My most promising avenue so far has been generating a (fake for now) x509 certificate, and password-protecting it in a .PFX file. i can read in the x509 with C#, open it with the keystore password (unknown to the end user), and decrypt the customer's password for use in authentication.
It would be fairly easy to bundle the .PFX file in the installer. However, this means that every customer would have the same public/private key pair in their build. Now, no customer knows who the other customers are, and they'd have to physically get the properties file from another customer to get their encrypted password, so that's not a huge concern. But I'm still not sure that's the best solution. Ideally I'd like to be able to create a unique private key for each customer, and encrypt their information using the same public key or cert. However, that's now how client certs seem to work in C#.
What am I missing? What's the best way to easily distribute an application and encrypt/decrypt the user's profile in a secure manner?
Any help would be greatly appreciated.
However... now I want to encrypt the customer's password for storage in their properties file, and decrypt at runtime to make the remote connections. I have put together sample projects using various RSA, 3DES and certificate APIs, which work as far as they go. However, nothing seems to be exactly what i need.
This will be an "on demand" service, and there will be multiple, unpredictable, client installations, so I can't generate a unique cert for every customer who wants to install the automated plug-in. What's the best way to persist encryption in a secure way on the client side?
My most promising avenue so far has been generating a (fake for now) x509 certificate, and password-protecting it in a .PFX file. i can read in the x509 with C#, open it with the keystore password (unknown to the end user), and decrypt the customer's password for use in authentication.
It would be fairly easy to bundle the .PFX file in the installer. However, this means that every customer would have the same public/private key pair in their build. Now, no customer knows who the other customers are, and they'd have to physically get the properties file from another customer to get their encrypted password, so that's not a huge concern. But I'm still not sure that's the best solution. Ideally I'd like to be able to create a unique private key for each customer, and encrypt their information using the same public key or cert. However, that's now how client certs seem to work in C#.
What am I missing? What's the best way to easily distribute an application and encrypt/decrypt the user's profile in a secure manner?
Any help would be greatly appreciated.
Comment