Re: Store private key in cookie?

From: Keith Patrick (richard_keith_patrick_at_hotmail.com)
Date: 09/17/03


Date: Wed, 17 Sep 2003 15:50:43 -0500


Storing a key in a file somewhere is generally not a good idea, as you are
not necessarily guaranteed of having correct security permissions on the
drive + any admin could get the key (I'm not a big believer in admins seeing
sensitive information, regardless of their rights). I'm not quite
understanding the architecture of what you are mentioning, but if you want
to store something like that, you could (and please someone correct me if
this is not secure) store it in the session object. If you need to store
the key long-term, XP has an API for storing sensitive information called
the Data Protection API that stores sensitive information in some protected
place in the registry. That should be a valid storage place, as it is
recommended in MS Press' "Writing Secure Code" book.

"Bill Belliveau" <noone@nowhere.com> wrote in message
news:ON7MCjJfDHA.1760@TK2MSFTNGP09.phx.gbl...
> Greetings,
>
> I am working on an asp.net storefront that requires credit card information
> to be stored temporarily on the server. Currently the site will feature
> administrative access protected by MD5 and credit card information encrypted
> with Rijndael. Retrieving the information will also be secured by SSL.
>
>
>
> I've seen the question posed a few times but I have yet to see a definitive
> answer. How can I securely store the key/IV? From my readings the general
> consensus is, I can't. Using an MD5 password won't work because the customer
> would need to have access to the password when the information is initially
> encrypted and storing it in the binaries is a poor solution.
>
>
>
> I was thinking of using RSA to encrypt the Rijndael key/IV. My
> implementation would use the public key to encrypt them and then store the
> private key in a cookie on a trusted 'admin' machine. From what I
> understand SSL encrypts all traffic including cookies. To write the cookie,
> the admin might go to a specific page, paste in the xml key, and click write
> cookie. I could encode the cookie if necessary.
>
>
>
> Any ideas are appreciated.
>
>
>
> Bill
>
>
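
Added example, not part of the original thread or either poster's code: protecting a Rijndael key with the Data Protection API from .NET via `ProtectedData`, which returns an encrypted blob that the application stores itself. It assumes Windows and a .NET version that ships `System.Security.Cryptography.ProtectedData`; the entropy string, file name and key are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class KeyStore
{
    // Hypothetical app-specific entropy: must be supplied again to unprotect.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("storefront-card-key-v1");

    // DPAPI encrypts the key; the application decides where the blob lives.
    public static void Save(string path, byte[] key)
    {
        byte[] blob = ProtectedData.Protect(key, Entropy, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(path, blob);
    }

    // Throws CryptographicException if the blob was modified or was
    // protected under a different account.
    public static byte[] Load(string path)
    {
        return ProtectedData.Unprotect(File.ReadAllBytes(path), Entropy,
                                       DataProtectionScope.CurrentUser);
    }
}

static class Program
{
    static void Main()
    {
        byte[] key = new byte[32];                       // constructed 256-bit Rijndael key
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);

        string path = Path.Combine(Path.GetTempPath(), "card-key.dpapi"); // constructed path
        KeyStore.Save(path, key);
        Console.WriteLine("round trip ok: " + key.SequenceEqual(KeyStore.Load(path)));

        // Flip one byte of the stored blob: DPAPI's integrity check rejects it.
        byte[] blob = File.ReadAllBytes(path);
        blob[blob.Length - 1] ^= 0x01;
        File.WriteAllBytes(path, blob);
        try { KeyStore.Load(path); Console.WriteLine("tampered blob accepted"); }
        catch (CryptographicException) { Console.WriteLine("tampered blob rejected"); }

        Array.Clear(key, 0, key.Length);
        File.Delete(path);
    }
}
```

With `DataProtectionScope.LocalMachine` any account on the machine can unprotect the blob, so the optional entropy and the ACL on the blob file carry more weight in that mode.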


