Re: Best Practice for storing TripleDES key and vector?
From: Alek Davis (alek_xDOTx_davis_xATx_intel_xDOTx_com)
Date: Fri, 30 Apr 2004 17:24:49 -0700
This approach is generally not recommended. Did you consider asking
administrators to define the key (I mean the password from which the key
will be derived) at application installation time and protecting it by
DPAPI? I don't know how deployment policies and application support are
defined in your organization, but under certain conditions (enterprise
application, dedicated and trusted engineering support/admins), this could
be a better option. Of course, if people handling the key (password) will
start writing it on post-it notes, it would be terrible, but otherwise it
would be better than keeping the key in the assembly. You can do something
similar to what the CipherSafe.NET tools do (check
http://www.obviex.com/ciphersafe/; there is also good documentation, which
addresses some interesting data security aspects and can give you some
ideas). By the way, the initialization vector (IV) does not necessarily need to
be protected. You can hard code it in the application.
"knf" <email@example.com> wrote in message
> Thanks. There was a lot of good information in that article. After
> reading it, it looks like I am going to go the way of deriving a key in my
> source code and obfuscating the binary that has my encryption management
> code. Other options aren't viable since I have different users running apps
> and different machines and they all need the same key/vector. But I am no
> longer storing the plain bytes in the source code.
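The arrangement Alek describes (an administrator supplies a password at installation time, the application derives its TripleDES key from it, the derived key is kept under DPAPI, and the IV is hard-coded because it need not be secret) looks roughly like the following. This is an added illustration, not code from the thread or from CipherSafe.NET; it assumes .NET Framework 4.x on Windows, where `System.Security.dll` exposes DPAPI as `ProtectedData`, and the salt, IV, entropy, file name and password below are all constructed sample values.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original post. Assumes .NET Framework 4.x on
// Windows (System.Security.dll for ProtectedData / DPAPI).
public static class KeyStore
{
    // Constructed, non-secret values. The IV and salt may be hard-coded or
    // stored in the clear; only the password-derived key needs protection.
    private static readonly byte[] Iv = { 0x4A, 0x9F, 0x1C, 0x7E, 0x33, 0xD2, 0x58, 0xB1 }; // 8-byte TripleDES block
    private static readonly byte[] Salt = Encoding.ASCII.GetBytes("example-salt-v1");
    // Optional extra entropy: a caller must present it as well as being on
    // this machine before DPAPI will unprotect the blob.
    private static readonly byte[] Entropy = Encoding.ASCII.GetBytes("example-app-entropy");

    // Installer step: the admin types the password once. We derive a 24-byte
    // TripleDES key with PBKDF2 (Rfc2898DeriveBytes, 10000 iterations) and
    // write it to disk protected for this machine, so every account on the
    // box can use it but the blob is useless if copied elsewhere.
    public static void Install(string adminPassword, string blobPath)
    {
        byte[] key;
        using (var kdf = new Rfc2898DeriveBytes(adminPassword, Salt, 10000))
            key = kdf.GetBytes(24);

        byte[] protectedKey = ProtectedData.Protect(key, Entropy, DataProtectionScope.LocalMachine);
        Array.Clear(key, 0, key.Length); // do not keep the raw key around longer than needed
        File.WriteAllBytes(blobPath, protectedKey);
    }

    // Runtime step: recover the key from the DPAPI blob.
    public static byte[] LoadKey(string blobPath)
    {
        byte[] protectedKey = File.ReadAllBytes(blobPath);
        return ProtectedData.Unprotect(protectedKey, Entropy, DataProtectionScope.LocalMachine);
    }

    public static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        using (TripleDES tdes = TripleDES.Create())
        {
            tdes.Key = key;
            tdes.IV = Iv;
            tdes.Mode = CipherMode.CBC;
            tdes.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform enc = tdes.CreateEncryptor())
                return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
    }

    public static byte[] Decrypt(byte[] key, byte[] ciphertext)
    {
        using (TripleDES tdes = TripleDES.Create())
        {
            tdes.Key = key;
            tdes.IV = Iv;
            tdes.Mode = CipherMode.CBC;
            tdes.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform dec = tdes.CreateDecryptor())
                return dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
        }
    }

    public static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "app-key.bin"); // constructed location
        Install("correct horse battery staple", path); // normally done once, by the admin
        byte[] key = LoadKey(path);
        byte[] ct = Encrypt(key, Encoding.UTF8.GetBytes("secret config value"));
        string back = Encoding.UTF8.GetString(Decrypt(key, ct));
        Console.WriteLine(back == "secret config value" ? "round trip OK" : "round trip FAILED");
    }
}
```

Two points worth checking in a real deployment: `DataProtectionScope.LocalMachine` lets any process on that machine call `Unprotect`, so the blob's file ACL and the entropy value are what separate your application from other local code, and a fixed IV means identical plaintexts encrypt to identical ciphertexts under CBC, which is acceptable for a single stored configuration value but not for a stream of related messages.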