Re: Where to store private key

From: David Hoffer (dhoffer.remove_at_xrite.remove.com)
Date: 02/25/04


Date: Wed, 25 Feb 2004 12:37:30 -0500

Thanks for the reply. However, being quite new to security, I still don't
'get' it.

I want to store some data encrypted in an SQL Server database, so that only
my applications can get the real (unencrypted) data. I am using the managed
Rijndael class to encrypt the data. My problem is how do I store the key
(and I suppose the IV, I am using the same for both) so that my .NET Form
applications (2) will be able to get the data but nobody else.

If I use PasswordDeriveBytes as the article suggests, see the following
code, it seems to me that I now have the same problem except that instead
of securely storing my Rijndael key I now have to store my "strong
password" securely. What have I gained? I don't need absolute security. I
just want to make it quite difficult to use the data I am storing in SQL
Server. What am I missing? Are there some techniques where I can
'actually' store the key or password in my .NET code but do so in a way that
disassemblers cannot easily show the storage?
using System.Security.Cryptography;

// Null salt: the same password always derives the same key bytes.
PasswordDeriveBytes deriver = new PasswordDeriveBytes("strong password", null);

byte[] ivZeros = new byte[8]; // This is not actually used but is currently required.

// Derive a 192-bit TripleDES key from the password, hashing with SHA1
byte[] pbeKey = deriver.CryptDeriveKey("TripleDES", "SHA1", 192, ivZeros);

Thanks for any help you can provide...

-dh

"Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message
news:%23Fgxcwy%23DHA.2292@TK2MSFTNGP12.phx.gbl...
> "David Hoffer" <dhoffer.remove@xrite.remove.com> wrote in message
> news:OFWBx1x%23DHA.3220@TK2MSFTNGP10.phx.gbl...
> > Could you clarify this...I am new to security APIs.
> >
> > I thought it was common to encrypt private keys using an asymmetric
> > algorithm, i.e. public key encryption?
>
> It is common to encrypt a symmetric secret (session) key with an asymmetric
> public key encryption (e.g. this is used in most S/MIME encryption approaches).
>
> The op was asking about protection of the asymmetric (e.g. RSA/DSA) private
> key itself.
> My first response showed the best way to let the OS protect it for you (which
> really uses underlying symmetric key encryption based on user principal
> credentials).
>
> For more portability, you can export your RSA public/private keypair and
> encrypt it with a password derived symmetric key. In .NET you use the
> PasswordDeriveBytes class to generate a cryptographically strong byte sequence
> for symmetric key generation.
>
> Password derived symmetric keys basically just take the hash of the password
> and the actual secret symmetric key is typically the first bytes of that hash
> (a more complicated procedure if 3DES is the derived key).
>
> See also the paragraph "Key Maintenance | Protecting Exported Private Keys"
> here:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh07.asp
>
> - Michel Gallant
> MVP Security
> http://www.jensign.com
>
>
> > What do you mean by the "symmetric key is derived from some sort of a
> > passphrase"?
> >
> > -dh
> >
> > "Derek Slager" <derek@activate.net> wrote in message
> > news:pan.2004.01.22.18.58.12.535488@activate.net...
> > > On Thu, 22 Jan 2004 18:48:20 +0530, Prasad wrote:
> > >
> > > > Hi:
> > > >
> > > > While using an asymmetric algorithm, which is the best place to store the
> > > > private key in the client system in client-server applications.
> > >
> > > A common technique is to encrypt private keys using a symmetric
> > > algorithm.
> > > Typically the symmetric key is derived from some sort of a passphrase.
> > >
> > > -Derek
> > >
> >
> >
>
>
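The approach Michel describes above, letting the OS protect the key for you instead of embedding it in the assembly, as an added example that is not code from this thread. It assumes Windows DPAPI through System.Security.Cryptography.ProtectedData (shipped with .NET Framework 2.0, so after this 2004 post; on .NET Core/.NET it is the System.Security.Cryptography.ProtectedData package) and Aes.Create (.NET Framework 3.5+). The key file path, the entropy string and the sample plaintext are constructed for the example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original thread. Requires Windows (DPAPI).
public static class KeyStore
{
    // Optional extra entropy mixed into the DPAPI blob. Constructed value;
    // it lives in the binary, so it is not a secret on its own.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-v1");

    // Generate a random 256-bit AES key and save it DPAPI-protected under the
    // current user's profile. Only code running as this Windows user can
    // unprotect it; the key bytes never appear in the application itself.
    public static void CreateAndStoreKey(string path)
    {
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(key);
        byte[] blob = ProtectedData.Protect(key, Entropy, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(path, blob);
        Array.Clear(key, 0, key.Length);
    }

    public static byte[] LoadKey(string path)
    {
        byte[] blob = File.ReadAllBytes(path);
        return ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
    }
}

public static class ColumnCrypto
{
    // Encrypt one field value for storage. A fresh random IV is generated per
    // value and prepended to the ciphertext, so the key is never reused as the
    // IV and equal plaintexts do not produce equal stored bytes.
    public static byte[] Encrypt(byte[] key, string plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV();
            using (var enc = aes.CreateEncryptor())
            {
                byte[] pt = Encoding.UTF8.GetBytes(plaintext);
                byte[] ct = enc.TransformFinalBlock(pt, 0, pt.Length);
                byte[] stored = new byte[aes.IV.Length + ct.Length];
                Buffer.BlockCopy(aes.IV, 0, stored, 0, aes.IV.Length);
                Buffer.BlockCopy(ct, 0, stored, aes.IV.Length, ct.Length);
                return stored;
            }
        }
    }

    // Reverse of Encrypt: split off the IV, then decrypt the remainder.
    public static string Decrypt(byte[] key, byte[] stored)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(stored, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
            {
                byte[] pt = dec.TransformFinalBlock(stored, iv.Length, stored.Length - iv.Length);
                return Encoding.UTF8.GetString(pt);
            }
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Assumed location for the protected key blob (per-user roaming profile).
        string keyPath = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "example-app.key");
        if (!File.Exists(keyPath))
            KeyStore.CreateAndStoreKey(keyPath);

        byte[] key = KeyStore.LoadKey(keyPath);
        byte[] stored = ColumnCrypto.Encrypt(key, "constructed sample value");
        Console.WriteLine(Convert.ToBase64String(stored));  // bytes to write to the varbinary column
        Console.WriteLine(ColumnCrypto.Decrypt(key, stored));
        Array.Clear(key, 0, key.Length);
    }
}
```

Disassembling the two Form applications then reveals only the entropy string, not the key; the key is recoverable only by code running as the Windows user that created it on that machine (DataProtectionScope.LocalMachine widens this to any account on the box). For two applications run by the same user this answers the original question without a password in the source. The CBC ciphertext above has no integrity check, so if modified database rows must be detected, append an HMAC over the IV and ciphertext under a second DPAPI-protected key and verify it before decrypting.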
