
I wanted to create a winform application that has a centralized security database


Question

I wanted to create a winform application that has a centralized security database. This application is portable, can be saved to any PC and simply run from the .exe, hence there will be many copies of this software. However, it will require a user login, and this login account's credentials will refer to the centralized security database (the centralized DB is for security purposes only). If the PC does not have an Internet connection, the software will not be able to identify the credentials. Hence, I came up with an idea to put in a time stamp: if the last connection to the centralized DB is < 24h, local credential (DB copy from the centralized DB) login is granted. But the problem I face now is that the time stamp and 24h limit will have to refer to the current system time on the PC (which can be changed easily to bypass the time stamp). What is the solution? Is there any other method that can control the user while the application goes offline?

Explanation / Answer

There are several attack vectors here if someone wanted to pirate this software. They could modify the binary or replace the remote server with a fake one. In general, .NET binaries can easily be disassembled or decompiled back to readable source code, for free; see http://www.jetbrains.com/decompiler/. Even worse, the code can also be edited and recompiled almost as easily. So if you have any secrets or symmetric encryption keys in your sources, they will be compromised. This can only be mitigated a bit by using some 3rd-party obfuscator, but that is just delaying the inevitable. If you already have a method to bypass authentication based on a timestamp in your code, you're actually making it even easier to abuse. Also, the local copy of the DB could be used to set up a fake auth server.
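
The following is an added example, not code from the question or the answer above, showing the two failure modes the thread discusses side by side: the asker's "last sync < 24h" check, which a rolled-back PC clock defeats, and a variant in which the offline permission is a grant signed by the central server. The client only embeds the server's public key, so decompiling the client (the answer's point about extracted secrets) yields nothing that can forge or extend a grant, and the client keeps the latest clock reading it has seen so a rollback is at least detected. The design is language-agnostic; it is written in Go rather than C# so it runs stand-alone with only the standard library. The names IssueGrant, VerifyOfflineGrant, ClientState, the "offline-grant|..." signing format and the sample user and times are all assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Grant is what the central server hands to a client after a successful
// online login. Only the server holds the signing key, so the public key
// recovered from a decompiled client cannot forge or extend a grant.
type Grant struct {
	User      string
	IssuedAt  int64 // Unix seconds, taken from the server's clock
	ExpiresAt int64 // Unix seconds, taken from the server's clock
	Sig       []byte
}

// signingInput is the canonical byte string the signature covers (assumed format).
func signingInput(user string, issued, expires int64) []byte {
	return []byte(fmt.Sprintf("offline-grant|%s|%d|%d", user, issued, expires))
}

// IssueGrant runs on the server and binds a user to a server-chosen expiry.
func IssueGrant(priv ed25519.PrivateKey, user string, issuedAt time.Time, ttl time.Duration) Grant {
	issued, expires := issuedAt.Unix(), issuedAt.Add(ttl).Unix()
	return Grant{
		User: user, IssuedAt: issued, ExpiresAt: expires,
		Sig: ed25519.Sign(priv, signingInput(user, issued, expires)),
	}
}

// NaiveOfflineAllowed is the scheme from the question: the client stores the
// time of its last sync and compares it with the local clock. Turning the
// clock back makes now-lastSync small or negative, which is trivially "< 24h".
func NaiveOfflineAllowed(lastSync, now time.Time, window time.Duration) bool {
	return now.Sub(lastSync) < window
}

// ClientState is persisted locally between runs (hypothetical state file).
// HighWater is the latest wall-clock time the client has ever observed, so a
// clock that suddenly reads earlier than it is flagged as rolled back.
type ClientState struct {
	HighWater time.Time
}

var (
	ErrBadSignature  = errors.New("grant signature invalid")
	ErrClockRollback = errors.New("system clock is earlier than the last observed time")
	ErrNotYetValid   = errors.New("grant not yet valid")
	ErrExpired       = errors.New("grant expired")
)

// VerifyOfflineGrant runs on the client with only the server's public key.
func VerifyOfflineGrant(pub ed25519.PublicKey, g Grant, st *ClientState, now time.Time) error {
	if !ed25519.Verify(pub, signingInput(g.User, g.IssuedAt, g.ExpiresAt), g.Sig) {
		return ErrBadSignature // any edit to User/IssuedAt/ExpiresAt lands here
	}
	// Record the clock reading before judging expiry, so an expired attempt
	// still advances HighWater and a later rollback is noticed.
	if now.Before(st.HighWater) {
		return ErrClockRollback
	}
	st.HighWater = now
	switch n := now.Unix(); {
	case n < g.IssuedAt:
		return ErrNotYetValid
	case n >= g.ExpiresAt:
		return ErrExpired
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed "last online login"
	g := IssueGrant(priv, "alice", t0, 24*time.Hour)
	st := &ClientState{}

	fmt.Println("signed, t0+1h  :", VerifyOfflineGrant(pub, g, st, t0.Add(1*time.Hour)))
	fmt.Println("signed, t0+30h :", VerifyOfflineGrant(pub, g, st, t0.Add(30*time.Hour)))
	// At t0+30h the user turns the PC clock back to t0+2h to get around the 24h limit.
	rolled := t0.Add(2 * time.Hour)
	fmt.Println("naive, rolled  :", NaiveOfflineAllowed(t0, rolled, 24*time.Hour))
	fmt.Println("signed, rolled :", VerifyOfflineGrant(pub, g, st, rolled))
	// The user edits the cached grant to push the expiry out by a year.
	forged := g
	forged.ExpiresAt += 365 * 24 * 3600
	fmt.Println("forged expiry  :", VerifyOfflineGrant(pub, forged, &ClientState{}, rolled))
}
```

The caveat the answer raises still applies: the PC clock and the state file holding HighWater are both under the user's control, so the rollback check only forces the attacker to edit that file as well, and the recorded high-water mark is no substitute for a trustworthy clock. What the signed grant does guarantee is that nothing recovered from the client binary or the local DB copy lets anyone mint or extend a grant; that property is exactly what a symmetric key or a bare timestamp in the client cannot provide.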
