Re: Where to store private key
From: Alek Davis (alek_xDOTx_davis_xATx_intel_xDOTx_com)
Date: 02/25/04
- Next message: Schneider: "WindowsPrincipal.IsInRole() showing strange behavior"
- Previous message: Alek Davis: "Re: Where to store private key"
- In reply to: Alek Davis: "Re: Where to store private key"
- Next in thread: David Hoffer: "Re: Where to store private key"
- Reply: David Hoffer: "Re: Where to store private key"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 25 Feb 2004 11:12:05 -0800
Sorry, mistyped your name; must be the ego thing ;-). I meant: David.
"Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
news:uDCtTA9%23DHA.3772@TK2MSFTNGP11.phx.gbl...
> Davis,
>
> As Michael said, it is a fundamentally difficult problem to solve, so there
> is no silver bullet. There are, however, some known techniques which are
> better than others. If you are new to security, check the "Safeguard
> Database Connection Strings and Other Sensitive Settings in Your Code"
> article at
> http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/default.aspx.
> It will not give you the direct answer (i.e. this is what you need to do),
> because it very much depends on the type of application, environment, etc,
> but at the least, it will give you some pointers and may help you pick a
> reasonable option (and avoid obviously bad decisions).
>
> Alek
>
> "David Hoffer" <dhoffer.remove@xrite.remove.com> wrote in message
> news:exWbNY8%23DHA.1036@TK2MSFTNGP10.phx.gbl...
> > Thanks for the reply. However being quite new to security I still don't
> > 'get' it.
> >
> > I want to store some data encrypted in an SQL Server database. So that only
> > my applications can get the real data (unencrypted). I am using the managed
> > Rijndael class to encrypt the data. My problem is how do I store the key
> > (and I suppose the IV, I am using the same for both) so that my .NET Form
> > applications (2) will be able to get the data but nobody else.
> >
> > If I use PasswordDeriveBytes as the article suggests, see the following
> > code, it seems to me that I now have the same problem except that instead
> > of securely storing my Rijndael key I now have to store my "strong
> > password" securely. What have I gained? I don't need absolute security. I
> > just want to make it quite difficult to use the data I am storing in SQL
> > Server. What am I missing? Are there some techniques where I can
> > 'actually' store the key or password in my .NET code but do so in a way that
> > disassemblers can not easily show the storage?
> >
> > PasswordDeriveBytes deriver = new PasswordDeriveBytes("strong password", null);
> >
> > byte[] ivZeros = new byte[8]; // This is not actually used but is currently required.
> >
> > // Derive key from the password
> > byte[] pbeKey = deriver.CryptDeriveKey("TripleDES", "SHA1", 192, ivZeros);
> >
> > Thanks for any help you can provide...
> >
> > -dh
> >
> >
> >
> > "Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message
> > news:%23Fgxcwy%23DHA.2292@TK2MSFTNGP12.phx.gbl...
> > > "David Hoffer" <dhoffer.remove@xrite.remove.com> wrote in message
> > > news:OFWBx1x%23DHA.3220@TK2MSFTNGP10.phx.gbl...
> > > > Could you clarify this...I am new to security APIs.
> > > >
> > > > I thought it was common to encrypt private keys using an asymmetric
> > > > algorithm, i.e. public key encryption?
> > >
> > > It is common to encrypt a symmetric secret (session) key with an asymmetric
> > > public key encryption (e.g. this is used in most S/MIME encryption approaches).
> > >
> > > The op was asking about protection of the asymmetric (e.g. RSA/DSA) private
> > > key itself.
> > > My first response showed the best way to let the OS protect it for you (which really
> > > uses underlying symmetric key encryption based on user principal credentials).
> > >
> > > For more portability, you can export your RSA public/private keypair and encrypt
> > > it with a password derived symmetric key. In .NET you use PasswordDeriveBytes
> > > class to generate cryptographically strong byte sequence for symmetric key
> > > generation.
> > >
> > > Password derived symmetric keys basically just take the hash of the password and
> > > the actual secret symmetric key is typically the first bytes of that hash (more complicated
> > > procedure if 3DES is the derived key).
> > >
> > > See also the paragraph "Key Maintenance | Protecting Exported Private Keys" here:
> > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh07.asp
> > >
> > > - Michel Gallant
> > > MVP Security
> > > http://www.jensign.com
> > >
> > >
> > > > What do you mean by the "symmetric key is derived from some sort of a
> > > > passphrase"?
> > > >
> > > > -dh
> > > >
> > > > "Derek Slager" <derek@activate.net> wrote in message
> > > > news:pan.2004.01.22.18.58.12.535488@activate.net...
> > > > > On Thu, 22 Jan 2004 18:48:20 +0530, Prasad wrote:
> > > > >
> > > > > > Hi:
> > > > > >
> > > > > > While using asymmetric algorithm, which is best place to store private
> > > > > > key in client system in client-server applications.
> > > > >
> > > > > A common technique is to encrypt private keys using a symmetric algorithm.
> > > > > Typically the symmetric key is derived from some sort of a passphrase.
> > > > >
> > > > > -Derek
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
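The approach Derek and Michel describe above (export the RSA key pair and encrypt it with a symmetric key derived from a passphrase) worked through in modern .NET, as an added example that is not code from any poster in this thread. It assumes .NET 6 or later, uses PBKDF2 (Rfc2898DeriveBytes.Pbkdf2) instead of the older PasswordDeriveBytes, AES-GCM so that a wrong passphrase or a modified blob is detected rather than silently yielding garbage, and takes the passphrase from the caller at run time rather than embedding it in the program (David's concern about disassemblers). The iteration count and the sample passphrase are constructed values.

```csharp
// Added example (not from the thread): protect an exported RSA private key
// under a passphrase-derived AES key and recover it. Assumes .NET 6+.
using System;
using System.Security.Cryptography;
using System.Text;

public static class PassphraseProtectedKey
{
    const int SaltSize = 16;        // random salt, stored with the ciphertext
    const int NonceSize = 12;       // AES-GCM nonce length
    const int TagSize = 16;         // AES-GCM authentication tag length
    const int Iterations = 600_000; // PBKDF2 work factor (assumed value; tune to your hardware)

    // PBKDF2-HMAC-SHA256 turns the passphrase into a 256-bit AES key. Compared with
    // "the first bytes of a hash of the password", the salt defeats precomputed
    // tables and the iteration count slows down offline guessing.
    static byte[] DeriveKey(string passphrase, ReadOnlySpan<byte> salt) =>
        Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, Iterations, HashAlgorithmName.SHA256, 32);

    // Output layout: salt || nonce || tag || ciphertext. The whole blob can be
    // written to disk or a database; only the passphrase has to stay secret.
    public static byte[] Protect(RSA rsa, string passphrase)
    {
        byte[] plaintext = rsa.ExportRSAPrivateKey(); // PKCS#1 DER encoding of the private key
        byte[] blob = new byte[SaltSize + NonceSize + TagSize + plaintext.Length];
        Span<byte> salt = blob.AsSpan(0, SaltSize);
        Span<byte> nonce = blob.AsSpan(SaltSize, NonceSize);
        Span<byte> tag = blob.AsSpan(SaltSize + NonceSize, TagSize);
        Span<byte> ciphertext = blob.AsSpan(SaltSize + NonceSize + TagSize);
        RandomNumberGenerator.Fill(salt);   // fresh salt per blob
        RandomNumberGenerator.Fill(nonce);  // fresh nonce per blob: never reuse one under the same key

        byte[] key = DeriveKey(passphrase, salt);
        try
        {
            using var aes = new AesGcm(key);
            aes.Encrypt(nonce, plaintext, ciphertext, tag);
        }
        finally
        {
            CryptographicOperations.ZeroMemory(key);       // do not leave key material in memory
            CryptographicOperations.ZeroMemory(plaintext);
        }
        return blob;
    }

    // Throws CryptographicException if the passphrase is wrong or the blob was tampered with.
    public static RSA Unprotect(ReadOnlySpan<byte> blob, string passphrase)
    {
        ReadOnlySpan<byte> salt = blob.Slice(0, SaltSize);
        ReadOnlySpan<byte> nonce = blob.Slice(SaltSize, NonceSize);
        ReadOnlySpan<byte> tag = blob.Slice(SaltSize + NonceSize, TagSize);
        ReadOnlySpan<byte> ciphertext = blob.Slice(SaltSize + NonceSize + TagSize);

        byte[] key = DeriveKey(passphrase, salt);
        byte[] plaintext = new byte[ciphertext.Length];
        try
        {
            using var aes = new AesGcm(key);
            aes.Decrypt(nonce, ciphertext, tag, plaintext); // tag is verified before any plaintext is released
            var rsa = RSA.Create();
            rsa.ImportRSAPrivateKey(plaintext, out _);
            return rsa;
        }
        finally
        {
            CryptographicOperations.ZeroMemory(key);
            CryptographicOperations.ZeroMemory(plaintext);
        }
    }

    public static void Main()
    {
        using RSA original = RSA.Create(2048);
        string passphrase = "correct horse battery staple"; // constructed sample; prompt for it or fetch it from an OS-protected store in real use

        byte[] blob = Protect(original, passphrase);

        // Round trip: the recovered key must verify a signature made with the original key.
        byte[] message = Encoding.UTF8.GetBytes("constructed test message");
        byte[] signature = original.SignData(message, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using RSA recovered = Unprotect(blob, passphrase);
        Console.WriteLine("round trip ok: " +
            recovered.VerifyData(message, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));

        // A wrong passphrase derives a different key, so the GCM tag check fails.
        try
        {
            Unprotect(blob, "wrong passphrase");
            Console.WriteLine("unexpected: decrypted with the wrong passphrase");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("wrong passphrase rejected");
        }
    }
}
```

Since .NET Core 3.0 the same thing is available as a single call, RSA.ExportEncryptedPkcs8PrivateKey(password, new PbeParameters(PbeEncryptionAlgorithm.Aes256Cbc, HashAlgorithmName.SHA256, iterations)) with ImportEncryptedPkcs8PrivateKey on the way back, which produces a standard PKCS#8 container instead of the ad hoc layout above. Neither removes the problem David raises: something still has to hold the passphrase. If the key only ever needs to be usable by a given user on a given machine, the "let the OS protect it" route Michel mentions is the DPAPI wrapper, ProtectedData.Protect with DataProtectionScope.CurrentUser (Windows only), which ties the wrapping key to the user's credentials so nothing secret is stored in the application at all.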