RE: Securing an encryption key within software.

The fact is that it is pretty easy to track down a hard-coded key. The best
solution is to not store a key at all.

Since this is a program that stores passwords, I would guess that the user
must enter a master password to access the data. You should use this
password to derive an AES key for the data encryption. That way you never
have to actually store the key itself. By doing that you also have a
built-in way to verify the master password--the user enters the wrong
password and they just can't decrypt the data.

If that doesn't work for your situation, you might try using the Windows
Protected Store to keep track of the key (or part of the key).

And if that doesn't work, perhaps you could store part of the key in the
registry and make sure that only specific users have permissions to read that

Whatever you do, make sure you have strong NTFS permissions on the program
and its database to make it harder for it to fall into the wrong hands.

Mark Burnett
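The first suggestion above (derive the AES key from the master password and let a failed decryption be the password check) as an added example; this is not code from the thread, and it is in Go rather than the Visual Basic the question mentions. It assumes only the Go standard library, writes out PBKDF2-HMAC-SHA256 inline since the reply names no particular derivation function, and the names aeadFor, Seal and Open are made up for the example. The bytes Seal returns (salt, nonce, ciphertext and tag) are what would sit in the file in place of the encrypted key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

const saltLen, nonceLen, iters = 16, 12, 200000 // 128-bit salt, 96-bit GCM nonce, PBKDF2 rounds

// aeadFor derives a 32-byte AES-256 key from the master password with PBKDF2-HMAC-SHA256
// (RFC 8018, one output block) and returns the GCM cipher; the key exists only in memory.
func aeadFor(master string, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, []byte(master))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of the single output block
	key := mac.Sum(nil)           // U_1; key accumulates U_1 xor U_2 xor ... xor U_c
	for i, u := 1, key; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil) // U_i = PRF(P, U_{i-1}); a fresh slice, so key is not aliased
		subtle.XORBytes(key, key, u)
	}
	block, _ := aes.NewCipher(key) // 32-byte key: NewCipher cannot fail
	gcm, _ := cipher.NewGCM(block) // AES has the 128-bit block GCM needs: cannot fail
	return gcm
}

// Seal encrypts data under the master password. Output: salt || nonce || ciphertext+tag, all storable in the clear.
func Seal(master string, data []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen) // fresh random salt and nonce for every Seal call
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	return aeadFor(master, hdr[:saltLen]).Seal(append([]byte{}, hdr...), hdr[saltLen:], data, hdr[:saltLen]), nil
}

// Open reverses Seal. A wrong master password derives a different key, so the GCM tag check
// fails: that failure is the built-in password verification, with no key ever written anywhere.
func Open(master string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 { // header plus at least the 16-byte GCM tag
		return nil, errors.New("blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	return aeadFor(master, salt).Open(nil, nonce, ct, salt)
}
```

A hex editor on the binary or the file finds no key here; what it finds is a random salt and nonce, which are useless without the password.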

-----Original Message-----
From: Davie Elliott [mailto:delliott@xxxxxxxxxxx]
Sent: Friday, June 16, 2006 3:02 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Securing an encryption key within software.

Hello everyone,

I have been writing a password storing application in Visual
Basic. The passwords are stored in a database and encrypted
with AES 256-bit.
And I have been wondering how I would stop the key from being
found, should the software somehow leave the building and
fall into the wrong hands.

Using a simple Hex Editor on the software I can see that any
strings that have been defined ("hard coded") in the software
can easily be read. So what I have done is left the "hard
coded" key in the software, but only use it to
encrypt/decrypt the database key that is held in a file, so I have:

"Hard coded" key [ENCRYPT] Database Key -----> Encrypted key
(Store in a plain text file)

When the software loads:

"Hard coded" key [DECRYPT] Encrypted key -----> Database key
(Stored in memory and used to decrypt passwords in the database).

My worry, again, is that if the plaintext file and the
software managed to leave the building, the same situation will occur.

So, my question is: How does one securely store an encryption
key inside a program?

I thank you for your input.

Davie Elliott
Network Administrator
Express Link-Up Social Enterprise
Unit 4-6
Lenton Business Centre
Lenton Boulevard
t: 0115 9791200