Securing Client Password on Client Machine

 

When using the ChannelFactory class or a Generated Proxy to access a WCF Service is it possible to secure the client password on the client machine?

Note: I am not talking about securing the password while it is going over the wire. Rather I am asking if it is possible to secure the password on the client's machine so that someone could not use a tool to expose the password while the user was logged on via a client application.

I believe this to be an impossible goal. No matter how I obtain and secure the password from the user - The password will be exposed when setting the ClientCredentials on the ChannelFactory or Proxy object.

For example when setting ClientCredentials on a ChannelFactory object: 

var myChannelFactory = new ChannelFactory<IMyService>(myBinding, myEndpoint);
myChannelFactory.Credentials.UserName.UserName = GetUserName();
// Password will be set on channel factory as a string
myChannelFactory.Credentials.UserName.Password = GetPassword();

As long as the ChannelFactory instance is in memory then the password is insecure if someone possesses the client machine. I understand that encryption can be broken and that placing any file into the right hands means that it can be compromised. However, I wanted to see if at a minimum I could make someone work for it - but this seems to be a hole that limits what a developer can do to protect a system in the event that a client machine is physically accessed.

Is this just a fact of life when using Username/Password authentication to access a service?

What if you used a hash of the password on the client machine and then matched it to the hash on the WCF Service? That way you could store and send just the hash.

I've also done it where I would store the hash, but when I went to use it I would combine it with DateTime.UtcNow.ToString("DDHH") (Day + Hour) and hash it again. If it failed to match on the WCF side I would recheck using the hour before and the hour after. see here for hashing.

链接地址: http://www.djcxy.com/p/3682.html

上一篇: 如何限制PHP中的用户登录尝试

下一篇: 在客户端计算机上保护客户端密码