Re: Hardcoding RijndaelManaged Keys

From: Michael Giagnocavo [MVP] (mggUNSPAM_at_Atrevido.net)
Date: 03/16/04

    Date: Tue, 16 Mar 2004 00:41:22 -0500
    
    

    In addition to Shawn's info, I'd suggest looking into Web Service
    Enhancements (WSE), since they can make securing web services much easier.
    You can download it (free) from MSDN. There's also a VS.NET addon for WSE
    so you can set project settings using a GUI.

    -mike
    MVP

    "moondaddy" <moondaddy@nospam.com> wrote in message
    news:uPLs7H6BEHA.3848@TK2MSFTNGP11.phx.gbl...
    > I have a vb.net WinForms app using web services which needs to send secure
    > data back and forth to the server. This app will not be widely used and
    > only a few people will have access to it.
    >
    > I was wanting to hardcode the private and public keys on both sides so I
    > wouldn't have to be sending any keys across the wire. I generate the keys
    > like this:
    >
    > Dim myRijndael As New RijndaelManaged()
    > myRijndael.GenerateKey()
    > myRijndael.GenerateIV()
    > ' Get the key and IV.
    > Dim key As Byte() = myRijndael.Key
    > Dim IV As Byte() = myRijndael.IV
    >
    > Do the Key and IV have to be generated each time data is encrypted, or
    > can I simply generate them once, write them to an output, and then
    > hardcode them into variables on both the server and the client app. If
    > this isn't possible or is really wrong, then is there another way to
    > achieve this like using some sort of certificate signature on both sides?
    >
    > Obviously I'm new at this and need some guidance. If I don't do it the
    > way explained above, then it seems that in order to send some secure data
    > from the client to the server, the client needs to first request a public
    > key from the server, then encrypt the data using this public key and send
    > the encrypted data to the server which results in 2 round trips and also
    > passing a key around. If the key were intercepted, then a 'hacker' could
    > use this key to encrypt his own parameters or data and send that to the
    > server which the server could then decrypt and possibly use such as
    > inserting a new user and password which they could then use to hack
    > access into the app.
    >
    > Thanks.
    >
    > --
    > moondaddy@nospam.com
    >
    >
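
On the question of regenerating the key and IV, an added example (not code from either poster) of the usual pattern with a fixed shared Rijndael key: the key is reused, but a new IV is generated for every message and sent in the clear ahead of the ciphertext. The module, function and constant names and the sample payload are constructed for illustration.

```vb
Imports System
Imports System.Security.Cryptography
Imports System.Text
Module PerMessageIvDemo
    Const IvLen As Integer = 16   ' Rijndael default block size is 128 bits

    ' Encrypts under a long-lived shared key with a fresh IV; returns IV || ciphertext.
    Function EncryptMessage(key As Byte(), plain As Byte()) As Byte()
        Using alg As New RijndaelManaged()
            alg.Key = key
            alg.GenerateIV()   ' new random IV for every message; the IV is not secret
            Using enc As ICryptoTransform = alg.CreateEncryptor()
                Dim ct As Byte() = enc.TransformFinalBlock(plain, 0, plain.Length)
                Dim msg(IvLen + ct.Length - 1) As Byte
                Buffer.BlockCopy(alg.IV, 0, msg, 0, IvLen)
                Buffer.BlockCopy(ct, 0, msg, IvLen, ct.Length)
                Return msg
            End Using
        End Using
    End Function

    ' Reads the IV from the front of the message, then decrypts the rest.
    Function DecryptMessage(key As Byte(), msg As Byte()) As Byte()
        If msg.Length <= IvLen Then Throw New CryptographicException("message too short")
        Using alg As New RijndaelManaged()
            alg.Key = key
            Dim iv(IvLen - 1) As Byte
            Buffer.BlockCopy(msg, 0, iv, 0, IvLen)
            alg.IV = iv
            Using dec As ICryptoTransform = alg.CreateDecryptor()
                Return dec.TransformFinalBlock(msg, IvLen, msg.Length - IvLen)
            End Using
        End Using
    End Function

    Sub Main()
        ' Constructed demo key, generated once as in the original post.
        Dim key As Byte()
        Using gen As New RijndaelManaged()
            gen.GenerateKey()
            key = gen.Key
        End Using
        Dim plain As Byte() = Encoding.UTF8.GetBytes("constructed sample payload")
        Dim m1 As Byte() = EncryptMessage(key, plain)
        Dim m2 As Byte() = EncryptMessage(key, plain)
        ' Same key and plaintext, different IVs: compare the two messages.
        Console.WriteLine(Convert.ToBase64String(m1) <> Convert.ToBase64String(m2))
        Console.WriteLine(Encoding.UTF8.GetString(DecryptMessage(key, m1)))
    End Sub
End Module
```

This gives confidentiality only; rejecting messages altered or forged in transit needs a MAC over the IV and ciphertext, which is left out here.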

