The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Storing "project files"

Hello, in my application the user will be able to "store" his project's configuration.

Stuff like
* Project Name
* Project type
* Relevant Paths
* Username, Password
* Other

This is stuff the program will latter be able to read and re-apply all those options.

I was thinking about saving it in XML but the problem is that the project may have a password and if so, we dont want other people looking at it.

So it must be encripted somehow.

So anyone got advice about this?

Thanks.
ThisTimeICodeInC#
Tuesday, July 10, 2007
 
 
You can still use XML if you want (though I am not saying you should). Assuming only your application will be reading/modifying these files, if something is encrypted, just store it as an element encoded in base64. When someone tries to access that project, decode the base64 element, then try to validate the resulting byte string as the XML type you are expecting. If it validates, then everything is good. If it does not, the decoding didn't work.
David Send private email
Tuesday, July 10, 2007
 
 
"You can still use XML if you want (though I am not saying you should)."

What would you recommend?

Thanks.
ThisTimeICodeInC#
Tuesday, July 10, 2007
 
 
BTW I was actually thinking about encripting the whole file.
ThisTimeICodeInC#
Tuesday, July 10, 2007
 
 
An XML file is fine for everything except the username and password. I can't recommend a better technique without knowing what your application is, or where it will be deployed.

For example, it's common to have a web application run under the web server's account name such that only that account can read/write files. Specific application tasks can be authorized via password hashes stored in the database if there is one. The first person to visit a certain page (when the application is deployed) sets the password. As a result, there are no plain text passwords stored in files to compromise.

Desktop applications require a different philosophy.

For your purposes, put it in an XML file if you have the code in place to deal with user mistakes. Someone forgets a tag, you return an error.  Someone deletes the file by mistake, you return an error.  Etc etc. The stuff you really need to control access to in the sense of "you can do this, but you over there, yes you, get away from there" goes into something else.

Don't mix configuration with authentication and authorization.
TheDavid
Tuesday, July 10, 2007
 
 
+1 for needing more info.

You certainly can encrypt part or all of an XML file, but the use of XML for this type of data may or may not be a good idea depending on the application.

Considerations:

* Do you want people to be able to read and/or modify this data outside of your application?

* Do you need to protect (encrypt) all of this data, or just parts of it?

* Would you expect someone to pick up this file, move it to another computer, and be able to use it as-is (including any logins)?
D. Lambert Send private email
Tuesday, July 10, 2007
 
 
Hello, thanks for your comments.

It's a desktop application. I thought about XML because it seams a decent way to represent the information I want, example:

<project>
 <projectname>My Project</projectname>
 <directory>c:\\myproject\</projectname>
 <datasource>127.0.0.1</datasource>
 <datasourceusername>myuser</datasourceusername>
 <datasourcepassword>password</datasourcepassword>
 <projectrequiresauth>true</projectrequiresauth>
 <projectusername>myuser</projectusername>
 <projectpassword>mypassword</projectpassword>
 <more>
  <info>..</info>
  <info>..</info>
 </more>
</project>

Then a parser would load all this into a Configuration Object of some kind and do post processing with that object.

"* Do you want people to be able to read and/or modify this data outside of your application?"

No. Probably better if they dont to avoid problems.

"* Do you need to protect (encrypt) all of this data, or just parts of it?"

Well I want the user to be able to create a project that's not encripted, and to give encription options if needed.  And I figure, if we are going to encrypt (when the user wants) why not encript all the file?

"* Would you expect someone to pick up this file, move it to another computer, and be able to use it as-is (including any logins)? "

It would be Nice to have such a feature.

Thanks.
ThisTimeICodeC#
Tuesday, July 10, 2007
 
 
Ok - if you don't want people to be able to modify data outside your application, then plain-text XML might not be your best choice.  Leaving your data open like that just invites people to mess with it.

Maybe it would make sense to think about how would you store this data if it weren't in XML?  Database?  Serialized objects?

I'm still a little unclear on the use of the user id's and passwords -- these imply that there's some server against which you're going to authenticate.  As soon as you store the UID / PWD pair, you really compromise the value of logging in.

Example: In order to use this application, you have to have a login and password, or you could just have someone email you one of their project files and use the login and password in that file.  The authentication gets pretty weak pretty quickly.
D. Lambert Send private email
Tuesday, July 10, 2007
 
 
"I'm still a little unclear on the use of the user id's and passwords -- these imply that there's some server against which you're going to authenticate."

The project can contain data that you want to keep safe.

For example, the project works with databases. So you need to keep your database IP, it's Username and it's Password.

That goes into the config file for later usage.

Now, you could just be messing around with a sample DB - and you don't mind to have a password stored in your file. But then again you might want to keep it saver - so you chose to "Save With Authentication" and it Encrypt the Project File.

You then save the file and quit the application.

Next day you want to do some work on the same project. You go to the program and do Open Project. You chose the file, it's encrypted and you need to put your Username / Password to decrypt it. (Well this would only need a key to decrypt, so u/p => pass key). You put the file pass key and the file is decrypted and the project is rebuilt.

Thanks for your comments.
ThisTimeICodeC#
Tuesday, July 10, 2007
 
 
Ok, we're talking about two separate things. Information that needs to be protected, including database passwords, and controls on that information.

With respect to the first, you may be able to get away with serializing the object representing the database connection, including its password. Then all you have to worry about is just encrypting all of the project related data files.

However, the data in the database is still plain text.

We're drifting into "Security is a Process" territory here (search for the phrase on these forums for lots of opinions on how far you should go to secure stuff).

The easiest way to handle something like this is to basically write down all the data you plan to capture, err...  name, phone number, address, database password, etc, and rationally decide which of these need to be protected unto themselves.

Err... I've seen applications that will ask you for the password to the database (or repository), they'll transmit that, but they never store it themselves. If that's something you're comfortable doing every session and just keeping it in memory until they log out, that eliminates the need to protect the password as data, so to speak.

And on a personal note, if I wanted to encrypt my project files, I'd feel more comfortable using my own operating system's tools or a third party tool, than yours. If I let you encrypt them, then it's essentially vendor lock-in. If you don't want me to have access to those files when I don't have a license, you're probably better off just serializing them.
TheDavid
Tuesday, July 10, 2007
 
 
Well storing the password to the database access in the project file is not a must have. It's fine if the user inserts it manually when needed.

BTW what do you recommend using instead of XML to keep a project information file without any information that must be encrypted? Serialized objects in a file?

Thanks.
ThisTimeICodeInC#
Thursday, July 12, 2007
 
 
Have you looked into the Settings stuff provided with the .NET framework? With Visual Studio 2005, you even get a designer-generated Settings class that holds strongly-typed settings data. I believe there's built-in support for encrypting desired settings as well.
Jesse Send private email
Sunday, July 15, 2007
 
 

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics
 
Powered by FogBugz