Securing an encryption key within software.
Hello everyone,

I have been writing a password storing application in Visual Basic. The
passwords are stored in a database and encrypted with AES 256-bit.
And I have been wondering how I would stop the key from being found, should
the software somehow leave the building and fall into the wrong hands.

Using a simple hex editor on the software I can see that any strings that
have been defined ("hard coded") in the software can easily be read. So what
I have done is left the "hard coded" key in the software, but only use it to
encrypt/decrypt the database key that is held in a file, so I have:

"Hard coded" key [ENCRYPT] Database Key -----> Encrypted key (Store in a
plain text file)

When the software loads:

"Hard coded" key [DECRYPT] Encrypted key -----> Database key (Stored in
memory and used to decrypt passwords in the database).

My worry, again, is that if the plaintext file and the software managed to
leave the building, the same situation will occur.

So, my question is: How does one securely store an encryption key inside a
program?

I thank you for your input.

Davie Elliott
Network Administrator
Express Link-Up Social Enterprise
Unit 4-6
Lenton Business Centre
Lenton Boulevard
Nottingham
NG7 2BY
t: 0115 9791200
w: www.eluse.co.uk
