Re: Where to store private key
From: Michel Gallant (neutron_at_NOSPAMistar.ca)
Date: 02/25/04
- Next message: Joe Kaplan \(MVP - ADSI\): "Re: Do all three permission classes (Identity Permission, Code Access Permission and Role Based Permission) fall under CAS?"
- Previous message: Novice: "Do all three permission classes (Identity Permission, Code Access Permission and Role Based Permission) fall under CAS?"
- In reply to: David Hoffer: "Re: Where to store private key"
- Next in thread: David Hoffer: "Re: Where to store private key"
- Reply: David Hoffer: "Re: Where to store private key"
Date: Tue, 24 Feb 2004 18:15:13 -0500
"David Hoffer" <dhoffer.remove@xrite.remove.com> wrote in message
news:OFWBx1x%23DHA.3220@TK2MSFTNGP10.phx.gbl...
> Could you clarify this...I am new to security APIs.
>
> I thought it was common to encrypt private keys using an asymmetric
> algorithm, i.e. public key encryption?
It is common to encrypt a symmetric secret (session) key with asymmetric
public-key encryption (e.g. this is used in most S/MIME encryption approaches).
The OP was asking about protection of the asymmetric (e.g. RSA/DSA) private
key itself.
My first response showed the best way to let the OS protect it for you (which really
uses underlying symmetric key encryption based on user principal credentials).
For more portability, you can export your RSA public/private keypair and encrypt
it with a password-derived symmetric key. In .NET you use the PasswordDeriveBytes
class to generate a cryptographically strong byte sequence for symmetric key generation.
Password-derived symmetric keys basically just take the hash of the password, and
the actual secret symmetric key is typically the first bytes of that hash (a more complicated
procedure is used if 3DES is the derived key).
See also the paragraph "Key Maintenance | Protecting Exported Private Keys" here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh07.asp
- Michel Gallant
MVP Security
http://www.jensign.com
> What do you mean by the "symmetric key is derived from some sort of a
> passphrase"?
>
> -dh
>
> "Derek Slager" <derek@activate.net> wrote in message
> news:pan.2004.01.22.18.58.12.535488@activate.net...
> > On Thu, 22 Jan 2004 18:48:20 +0530, Prasad wrote:
> >
> > > Hi:
> > >
> > > While using asymmetric algorithm, which is best place to store private
> > > key in client system in client-server applications.
> >
> > A common technique is to encrypt private keys using a symmetric algorithm.
> > Typically the symmetric key is derived from some sort of a passphrase.
> >
> > -Derek
> >
>
>