Re: Where to store private key
From: Michel Gallant (neutron_at_NOSPAMistar.ca)
Date: 02/25/04
- Next message: Shawn Farkas: "RE: Do all three permission classes (Identity Permission, Code Access Permission and Role Based Permission) fall under CAS?"
- Previous message: aTiRuZ: "Re: SignedXML, References and "Malformed reference element" error"
- In reply to: Alek Davis: "Re: Where to store private key"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 25 Feb 2004 14:33:30 -0500
I strongly recommend folks here to watch Bill Gates presentation
at RSA 2004. There is very good perspective here on most of the
current urgent infrastructure security issues, including comments on
passwords :-)
http://2004.rsaconference.com/press-video.aspx
- Mitch Gallant
MVP Security
"Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
news:uDCtTA9%23DHA.3772@TK2MSFTNGP11.phx.gbl...
> Davis,
>
> As Michael said, it is a fundamentally difficult problem to solve, so there
> is no silver bullet. There are, however, some known techniques which are
> better than others. If you are new to security, check the "Safeguard
> Database Connection Strings and Other Sensitive Settings in Your Code"
> article at
> http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/default.aspx.
> It will not give you the direct answer (i.e. this is what you need to do),
> because it very much depends on the type of application, environment, etc,
> but at the least, it will give you some pointers and may help you pick a
> reasonable option (and avoid obviously bad decisions).
>
> Alek
>
> "David Hoffer" <dhoffer.remove@xrite.remove.com> wrote in message
> news:exWbNY8%23DHA.1036@TK2MSFTNGP10.phx.gbl...
> > Thanks for the reply. However being quite new to security I still don't
> > 'get' it.
> >
> > I want to store some data encrypted in an SQL Server database. So that
> only
> > my applications can get the real data (unencrypted). I am using the
> managed
> > Rijndael class to encrypt the data. My problem is how do I store the key
> > (and I suppose the IV, I am using the same for both) so that my .NET Form
> > applications (2) will be able to get the data but nobody else.
> >
> > If I use PasswordDeriveBytes as the article suggests, see the following
> > code, it seems to me that I know have the same problem except that instead
> > of securely storing my Rijndael key I know have to store my "strong
> > password" securely. What have I gained? I don't need absolute security.
> I
> > just want to make it quite difficult to use the data I am storing in SQL
> > Server. What am I missing? Are there some techniques where I can
> > 'actually' store the key or password in my .NET code but do so in a way
> that
> > disassemblers can not easily show the storage?
> > PasswordDeriveBytes deriver = new PasswordDeriveBytes("strong password",
> > null);
> >
> > byte[] ivZeros = new byte[8];//This is not actually used but is currently
> > required.
> >
> > //Derive key from the password
> >
> > byte[] pbeKey = deriver.CryptDeriveKey("TripleDES", "SHA1", 192, ivZeros);
> >
> > Thanks for any help you can provide...
> >
> > -dh
> >
> >
> >
> > "Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message
> > news:%23Fgxcwy%23DHA.2292@TK2MSFTNGP12.phx.gbl...
> > > "David Hoffer" <dhoffer.remove@xrite.remove.com> wrote in message
> > > news:OFWBx1x%23DHA.3220@TK2MSFTNGP10.phx.gbl...
> > > > Could you clarify this...I am new to security APIs.
> > > >
> > > > I thought it was common to encrypt private keys using an asymmetric
> > > > algorithm, i.e. public key encryption?
> > >
> > > It is common to encrypt a symmetric secret (session) key with an
> > asymmetric
> > > public key encryption (e.g. this is used in most S/MIME encryption
> > approaches).
> > >
> > > The op was asking about protection of the asymmetric (e.g. RSA/DSA)
> > private
> > > key itself.
> > > My first response showed the best way to let the OS protect it for you
> > (which really
> > > uses underlying symmetric key encryption based on user principal
> > credentials.
> > >
> > > For more portability, you can export your RSA public/private keypair and
> > encrypt
> > > it with a password derived symmetric key. In .NET you use
> > PasswordDeriveBytes
> > > class to generate cryptographically strong byte sequence for symmetric
> key
> > generation.
> > >
> > > Password derived symmetric keys basically just take the hash of the
> > password and
> > > the actual secret symmetric key is typically the first bytes of that
> hash
> > (more complicated
> > > procedure is 3DES is the derived key).
> > >
> > > See also the paragraph "Key Maintenance | Protecting Exported Private
> > Keys" here:
> > >
> >
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh07.asp
> > >
> > > - Michel Gallant
> > > MVP Security
> > > http://www.jensign.com
> > >
> > >
> > > > What do you mean by the "symmetric key is derived from some sort of a
> > > > passphrase"?
> > > >
> > > > -dh
> > > >
> > > > "Derek Slager" <derek@activate.net> wrote in message
> > > > news:pan.2004.01.22.18.58.12.535488@activate.net...
> > > > > On Thu, 22 Jan 2004 18:48:20 +0530, Prasad wrote:
> > > > >
> > > > > > Hi:
> > > > > >
> > > > > > While using asymmetric algorithm, which is best place to store
> > private
> > > > > > key in client system in client-server applications.
> > > > >
> > > > > A common technique is to encrypt private keys using a symmetric
> > algorithm.
> > > > > Typically the symmetric key is derived from some sort of a
> passphrase.
> > > > >
> > > > > -Derek
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
- Next message: Shawn Farkas: "RE: Do all three permission classes (Identity Permission, Code Access Permission and Role Based Permission) fall under CAS?"
- Previous message: aTiRuZ: "Re: SignedXML, References and "Malformed reference element" error"
- In reply to: Alek Davis: "Re: Where to store private key"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
