
I am new to cyber security but I am working on a project where I need to use it and I don't know where to start.

The application I am working on connects to Jira to retrieve data and generate reports. For the connection, I want to use a specific username and password. I cannot set them as a string in my code because every user would get my credentials. So, I thought about writing an encrypted file.

The thing is, if I want to decrypt my file I will need to provide the decryption key in my code, and I think this is not secure at all because anyone that had access to the key could easily decrypt the file and therefore get my credentials.

I found a method that encrypts a file and makes it so that the only person who can decrypt it is the user who encrypted it. The problem is that the admin is the only one who has the right to encrypt the files, and this will only mean that he would be the only one for whom the connection to Jira would work, as he is the only one able to decrypt the credentials.

I am also worried that if I read and decrypt the credentials then anyone could use a Console.WriteLine and get the credentials.

I am using C# for my application.

Are there any ways I can secure my credentials?

To connect and retrieve data from JIRA I need the username and password because I add them to my request header to connect and retrieve data.

naxcuo
  • I would suggest looking at this thread: https://stackoverflow.com/questions/32548714/how-to-store-and-retrieve-credentials-on-windows-using-c-sharp – Sean Aug 27 '18 at 12:32
  • Or this question: https://security.stackexchange.com/questions/20294/how-should-an-application-store-its-credentials - The accepted answer has a valid solution of storing credentials in a file that is only readable by the program in question. – SeeYouInDisneyland Aug 27 '18 at 12:35
  • Your comment below includes some very important details: this is an open source app to be used by multiple users. Why do you want to use your personal hard-coded credentials for all those connections? – schroeder Aug 27 '18 at 14:12

2 Answers


There is a bit of a chicken-and-egg problem.

The only thing that can be used is user permissions on the device. That means there is a file that only the user of the application can read (OS permissions), or a service that only the logged-in user has access to (example: Windows Credential Management API).

Any other option is just more obfuscation than "encryption". How will you encrypt something, where you get a secret without entering another secret, but other users should not get your secret? All options just go to a deeper obfuscation (first hardcoded, second a scrambled string, then a scrambled string with another random string linked, ...)

Serverfrog
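The Windows Credential Management API route from the answer above, as an added C# example that is not code from the question or the answers: each engineer stores their own Jira login once in their Windows vault (with the built-in cmdkey tool), and the shared source only reads the entry by name, so no credential is ever in the code. The target name `JiraReporting` is an assumption.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;

// Added example: read the Jira login that each engineer stored once in their own
// Windows Credential Manager vault (e.g. cmdkey /generic:JiraReporting /user:alice /pass).
// The vault entry is protected for that Windows user, so no secret sits in the shared code.
static class CredentialVault
{
    const uint CRED_TYPE_GENERIC = 1;   // CRED_TYPE_GENERIC from wincred.h

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct CREDENTIAL   // mirrors the native CREDENTIALW layout
    {
        public uint Flags;
        public uint Type;
        public IntPtr TargetName;
        public IntPtr Comment;
        public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
        public uint CredentialBlobSize;
        public IntPtr CredentialBlob;
        public uint Persist;
        public uint AttributeCount;
        public IntPtr Attributes;
        public IntPtr TargetAlias;
        public IntPtr UserName;
    }

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CredReadW(string target, uint type, uint reserved, out IntPtr credential);
    [DllImport("advapi32.dll")]
    static extern void CredFree(IntPtr credential);

    // Returns (user, password) for the named vault entry of the current Windows user;
    // throws if that user never stored one, instead of falling back to a shared secret.
    public static (string User, string Password) Read(string target)
    {
        if (!CredReadW(target, CRED_TYPE_GENERIC, 0, out IntPtr ptr))
            throw new InvalidOperationException($"No vault entry '{target}' (Win32 error {Marshal.GetLastWin32Error()})");
        try
        {
            var cred = Marshal.PtrToStructure<CREDENTIAL>(ptr);
            string user = Marshal.PtrToStringUni(cred.UserName) ?? "";
            // cmdkey stores the blob as UTF-16, so the character count is half the byte count.
            string pass = Marshal.PtrToStringUni(cred.CredentialBlob, (int)cred.CredentialBlobSize / 2);
            return (user, pass);
        }
        finally { CredFree(ptr); }  // release the decrypted native blob as soon as it is copied
    }
}
```

The request header from the question is then built from `Read("JiraReporting")` at call time, and the password string should be kept off every log and Console.WriteLine path.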

Please hash your password using MD5 or SHA and add a salt key to your hashed password. In the password checking field, again get the data from the password text box, hash it using the same algorithm which was used before, add the salt key value, then compare both values.

R1W
  • The thing is I don't want anybody to enter a username and password because nobody should know the username and password. I am going through all this cyber security process because I want the app to know them, hide them from the users, and use them. The app is also not pre-compiled and wouldn't be installed; it's code. The engineers who use it have to modify some parts of the code according to the project they want to use the app for. (This part is not my choice; I'm just adding functionality to an existing app for my client, who doesn't want to change the app.) – naxcuo Aug 27 '18 at 13:35
  • The OP's problem is not password checking, it is password storage. Your answer is for another kind of problem. – ThoriumBR Aug 27 '18 at 14:12