Question

I have a client, which communicates to a TCP server. I store a username/password in the app.config. I want to encrypt the username/password and also the app.config will be encrypted as per standard method (which I know how to do).

I'm assuming I'm going to need a provider server side that will take the encrypted user/pass and authenticate it. The server is also driven by an ASP.NET application which will use the standard membership provider if the server is using SQL Server as its db, or something similar for SQLite/Oracle.

So the questions are:

  1. What is the ideal provider on the server side to authenticate the user?
  2. What is the accepted way to encrypt the username and password?
  3. Or does the server need a custom user/password validator that takes an encrypted user/pass?
  4. Can I somehow hook the server user/pass provider into the ASP.NET membership provider?
  5. For the ideal provider, do I need to create accounts on the server?

There are likely upwards of 500+ clients.

Thanks very much. Bob.


Solution

> I have a client, which communicates to a TCP server. I store a username/password in the app.config. I want to encrypt the username/password and also the app.config will be encrypted as per standard method (which I know how to do).

I certainly hope not!

Never store the actual password! Always store a cryptographically hashed version of it! Also, tell me what application you're working on so that I don't give it a password I care about. I don't trust you to write security-related code.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow