Storing My Amazon Credentials in C# Desktop App

Question

I\'m Looking at using Amazon S3 and simpleDB in a desktop application.

The main issue I have is that I either need to store my aws credentials in the application or use

Answer 1

Tim, you're indeed hitting on the two key approaches:

1. NOT GOOD ENOUGH: store the secret key "secretly" in the app. There is indeed a grave risk of someone just picking it out of the app code. Some mitigations might be to (a) use the DPAPI to store the key outside the app binary, or (b) obtain the key over the wire from your web service each time you need it (over SSL), but never store it locally. No mitigation can really slow down a competent attacker with a debugger, as the cleartext key must end up in the app's RAM.

2. BETTER: Push the content that needs to be protected to your web service and sign it there. The good news is that only the request name and timestamp need to be signed -- not all the uploaded bits (I guess Amazon doesn't want to spend the cycles on verifying all those bits either!). Below are the relevant code lines from Amazon's own "Introduction to AWS for C# Developers". Notice how Aws_GetSignature gets called only with "PutObject" and a timestamp? You could definitely implement the signature on your own web service without having to send the whole file and without compromising your key. In case you're wondering, Aws_GetSignature is a 9-line function that does a SHA1 hash on a concatenation of the constant string "AmazonS3", the operation name, and the RFC822 representation of the timestamp -- using your secret key.

   DateTime timestamp = Aws_GetDatestamp();
   string signature = Aws_GetSignature( "PutObject", timestamp );
   byte[] data = UnicodeEncoding.ASCII.GetBytes( content );
   service.PutObjectInline( "MainBucket", cAWSSecretKey, metadata,
           data, content.Length, null,
           StorageClass.STANDARD, true,
           cAWSAccessKeyId, timestamp, true,
           signature, null );
   

EDIT: note that while you can keep the secret key portion of your Amazon identity hidden, the access key ID portion needs to be embedded in the request. Unless you send the file through your own web service, you'll have to embed it in the app.