Securing (Windows Forms) application setting

Hi,

I'd like to protect an application setting from users but I'm not sure what technique(s) to use. Here's the scenario:

I have developed an application that is used to configure settings on a number of different hardware devices. Each type of device, although very similar, differs in terms of some feature - for example "number of ports", which could be 2, 4 or 6 etc. In order to configure the hardware correctly the software only needs to know the number of ports that the device supports. This information is stored on the device and I can retrieve it at runtime when the application connects to the device. (I want to avoid having to compile different versions of the software to distribute with different devices).

The thing is that my software must function correctly when not connected to the device so I need to retrieve this setting and store it somewhere. If the software is started without being connected to the device then it will use the value of this setting to configure itself accordingly. Obviously the user must connect to the device once in order for the software to do anything (which I don't mind). The key thing is I don't want the user to be able to easily access this setting and change its value (e.g. they must be prevented from changing the "number of ports" from 2 to 4).

I was thinking of encrypting and storing the setting in the app.config file. I've used the app.config previously for storing stuff that doesn't need to be protected and I found it very easy to use. However, I have a few concerns/questions when things need to be secured.

As this software application is eventually going to be distributed to clients/customers, whatever technique I use must work on different users' PCs. From what I've read certain techniques (or implementations) will work only on the machine that you've used to perform the encryption etc. I presume that's if I were distributing an encrypted value or something. In my case the setting will be blank and will only be populated when the user uses the software and connects to the device (so presumably all encryption will take place on the customer's PC). If the whole encryption process occurs on a user's PC is there anything stopping them having access to all the information they need to decrypt the setting (notwithstanding the fact they must know what they are doing etc.)? If so can I supply a private key that can be used to better secure things? With tools like Reflector etc. I'm not sure if anything is secure?

In summary the steps would be

1. Software starts and checks value of SecureSetting.
2. If SecureSetting is blank then software prompts the user to connect to the device from where the information is retrieved.
3. Value is retrieved from the device and used to configure the UI and then it's securely stored as SecureSetting in app.config for subsequent use.
4. When software is started the next time the value of SecureSetting is retrieved and used to configure UI etc.
5. If the user connects to a different device the settings can be compared and if they are different the UI can be reconfigured etc. and the new setting can be written/added to the app.config.

Any guidance would be greatly appreciated (I'm a security newbie and I'm a bit lost with all the information that's out there). I'm using VB.NET 2005 / .NET 2.0.

Thanks,

Norman
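
One way to implement steps 1 to 4 above, as an added example that is not part of the original post: it assumes Windows DPAPI (`ProtectedData`, available in .NET 2.0 through a reference to System.Security.dll) with per-user scope, and the names `ProtectPorts`, `TryReadPorts` and the entropy string are hypothetical. All encryption happens on the customer's PC and a hand-edited or copied value fails to decrypt and is treated as blank, but code running as the same Windows user can still call DPAPI, so this deters casual editing of the stored setting rather than a determined user.

```vb
Imports System
Imports System.Security.Cryptography   ' ProtectedData: add a reference to System.Security.dll
Imports System.Text

Module SecureSettingExample
    ' Constructed, application-specific entropy (an assumption). Anyone who decompiles
    ' the assembly can read it, so it separates this blob from other DPAPI data and
    ' is not a secret key.
    Private ReadOnly Entropy As Byte() = Encoding.UTF8.GetBytes("DeviceConfigTool.SecureSetting")

    ' Step 3: turn the port count read from the device into the string kept as SecureSetting.
    Function ProtectPorts(ByVal ports As Integer) As String
        Dim plain As Byte() = Encoding.UTF8.GetBytes(ports.ToString())
        Dim blob As Byte() = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser)
        Return Convert.ToBase64String(blob)
    End Function

    ' Steps 1, 2 and 4: returns False when the stored value is blank, was edited by hand,
    ' or was copied from another account or PC. The caller then prompts for the device.
    Function TryReadPorts(ByVal stored As String, ByRef ports As Integer) As Boolean
        ports = 0
        If String.IsNullOrEmpty(stored) Then Return False
        Try
            Dim blob As Byte() = Convert.FromBase64String(stored)
            Dim plain As Byte() = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser)
            Return Integer.TryParse(Encoding.UTF8.GetString(plain), ports)
        Catch ex As FormatException            ' not Base64 at all, e.g. someone typed "4"
            Return False
        Catch ex As CryptographicException     ' blob altered or created under another user
            Return False
        End Try
    End Function

    Sub Main()
        Dim ports As Integer
        ' Round trip of a value that came from the device.
        Dim stored As String = ProtectPorts(2)
        Console.WriteLine("round trip ok: {0}, ports: {1}", TryReadPorts(stored, ports), ports)
        ' Constructed tampering cases: a plain number, then a blob with its first bytes overwritten.
        Console.WriteLine("plain '4' accepted: {0}", TryReadPorts("4", ports))
        Dim tampered As String = "AAAA" & stored.Substring(4)
        Console.WriteLine("edited blob accepted: {0}", TryReadPorts(tampered, ports))
    End Sub
End Module
```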
 