Wednesday, June 29, 2005

Northwest Ohio .NET User Group

I discovered that we (Toledo) had a local .NET user group after the spring MSDN event a couple of months ago. Last night, I had the opportunity to attend an actual meeting to see what it's all about.

The speaker was member Joseph Poirier who gave a presentation surrounding some of the process and difficulties that he encountered while developing a mobile dispatch application (that runs on an Intermec PPC). The lessons learned were probably useful, but Joseph made the fatal mistake of installing VS2005 beta 2 on his presentation machine that same day, and not verifying that the application that he was demonstrating correctly ported over to the new environment.

One thing that I learned, realized, or at least started thinking about, is the need to properly secure passwords in XML config files. Typically, I don't store passwords in this manner, but then again, I remember having some connection strings in plain text, which is probably a bad practice.

The decision to make is whether to fully encrypt the string using a strong encryption (System.Security.Cryptography namespace), or to perform your own encryption which is just strong enough to keep prying eyes from discovering the contents.

An algorithm to do the latter may resemble:

1. Convert string to byte array
2. Reverse bytes
3. For each byte in array, XOR the value with (A5H + byte index)
4. Store the Base64 of the byte array in the config file.

The benefit of this approach is that it's just strong enough to be effective, does not require complex code (not many people know how to use all of the Cryptography classes, myself included), and may be faster (I haven't benchmarked anything, so please flame away if this is not true).

// Encrypt/encode a string
string plaintext = Console.ReadLine();

byte[] arry = System.Text.Encoding.ASCII.GetBytes(plaintext);


for (int i=0; i < arry.Length; i++)
arry[i] ^= (byte)(0xa5 + i);

string base64 = Convert.ToBase64String(arry);


// Decrypt a previously encoded string

byte[] newarry = Convert.FromBase64String(base64);

for (int i=0; i < newarry.Length; i++)
newarry[i] ^= (byte)(0xa5 + i);


string newplaintext = System.Text.Encoding.ASCII.GetString(newarry);