RE: TripleDES Key Management
From: Mike Moore [MS] (michmo@online.microsoft.com)
Date: 01/17/03
From: michmo@online.microsoft.com ("Mike Moore [MS]") Date: Fri, 17 Jan 2003 02:48:01 GMT
Hi Paul,
I'm sorry for the delay. Yes, there is a good article that says just what
you wrote: "Consider hard-coding the entropy parameter into your
application to avoid the key management issue."
Source:
Building Secure ASP.NET Applications: Authentication, Authorization, and
Secure Communication
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetch12.asp
The article agrees with you completely. If you can, use the machine store.
If you cannot, then either use a user store or "hide" your key inside your
compiled code.
Thank you, Mike Moore
Microsoft, ASP.NET
This posting is provided "AS IS", with no warranties, and confers no rights.
--------------------
>From: "paul reed" <prreed@jacksonreed.com>
>Sender: "paul reed" <prreed@jacksonreed.com>
>Subject: TripleDES Key Management
>Date: Tue, 14 Jan 2003 16:37:22 -0800
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>
>I have all my tripleDES stuff working just fine thanks to
>help received in this group and others. However, I have a
>problem of how/where to manage my keys used to
>encrypt/decrypt my uid/pswrd for SQL Server.
>
>First, I am going to be running this .NET application at
>an ISP that hosts .NET applications. So, we must use SQL
>Server authentication. We also are not allowed to use the
>Registry, or do anything with ACLs on any directories...as
>well as cannot touch the machine.config file.
>
>So, right now I plan (...with sage advice to the
>contrary) to store my encrypted uid/pwd in the web.config
>file. I don't want to use DPAPI to encrypt the entire
>connection string because we must use the machine approach
>and if the ISP ever "transparently" moved our app to a new
>machine, then a different hash would be created
>causing even more grief.
>
>Ok...so this brings me to...where should I put the key and
>IV values to decrypt the information? Any ideas given my
>situation? One suggestion read somewhere on MSDN was to
>just "bury them in the code". This might not be a bad idea
>as we are only moving the binaries to the ISP.
>
>Regards,
>
>Paul Reed
>
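The machine-store option with a hard-coded entropy value, as discussed in this thread, shown as an added example that is not part of either post or of the cited article. It uses the `ProtectedData` class available in .NET Framework 2.0 and later; the class name `ConnectionSecret`, the entropy string and the sample credentials are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper for this example; not code from the thread or the article.
static class ConnectionSecret
{
    // Constructed entropy value, compiled into the binary. It is not the key:
    // DPAPI's machine key does the encryption, and the entropy only keeps other
    // code on the same machine from unprotecting the blob without it.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("example-app-entropy-v1");

    public static string Protect(string plaintext)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plaintext), Entropy,
            DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(blob);   // value to place in web.config
    }

    public static string Unprotect(string base64Blob)
    {
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                Convert.FromBase64String(base64Blob), Entropy,
                DataProtectionScope.LocalMachine);
            return Encoding.UTF8.GetString(plain);
        }
        catch (CryptographicException ex)
        {
            // Raised when the blob was protected on a different machine or with
            // different entropy: the host-migration case raised in the question.
            throw new InvalidOperationException(
                "Stored secret cannot be unprotected on this host; re-run Protect here.", ex);
        }
    }

    static void Main()
    {
        // Constructed sample credentials.
        string stored = Protect("uid=app_user;pwd=constructed-sample");
        Console.WriteLine(stored);
        Console.WriteLine(Unprotect(stored));
    }
}
```

The blob is bound to the machine that produced it, so after a host move `Protect` has to be run again on the new server and the stored value replaced.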