Re: Best Practice for storing TripleDES key and vector?

From: Alek Davis (alek_xDOTx_davis_xATx_intel_xDOTx_com)
Date: 05/01/04

  • Next message: Michel Gallant: "Re: Best Practice for storing TripleDES key and vector?" 
    Date: Fri, 30 Apr 2004 17:24:49 -0700

    KNF,

    This approach is generally not recommended. Did you consider asking
    administrators to define the key (I mean the password from which the key
    will be derived) at application installation time and protecting it by
    DPAPI? I don't know how deployment policies and application support are
    defined in your organization, but under certain conditions (enterprise
    application, dedicated and trusted engineering support/admins), this could
    be a better option. Of course, if people handling the key (password) will
    start writing it on post-it notes, it would be terrible, but otherwise it
    would be better than keeping the key in the assembly. You can do something
    similar to what CipherSafe.NET tools does (check
    http://www.obviex.com/ciphersafe/; there is also good documentation, which
    addresses some interesting data security aspects, which can give you some
    ideas). By the way, initialization vector (IV) does not necessarily need to
    be protected. You can hard code it in the application.

    Alek

    "knf" <anonymous@discussions.microsoft.com> wrote in message
    news:E8A4E5FF-E280-48F0-B308-A155FD8E76D4@microsoft.com...
    > Thanks. There was a lot of good information in that article. After
    reading it, it looks like I am going to go the way of deriving a key in my
    source code and obfuscating the binary that has my encryption management
    code. Other options aren't viable since I have different users running apps
    and different machines and they all need the same key/vector. But I am no
    longer storing the plain bytes in the source code.

  • Next message: Michel Gallant: "Re: Best Practice for storing TripleDES key and vector?"

    Relevant Pages

    • Re: IP Protection of code block in Xilinx FPGA?
      ... > I have an FPGA design where the VHDL source code is a deliverable item ... > for protecting blocks of code in situations such as this, ... Most fun will be in looking in how to do the encryption for the various ...
      (comp.arch.fpga)
    • Re: Distributing closed source modules
      ... for almost all users, for most programs, getting the source code and being ... there really is no proprietary magic worth protecting. ... implemented in pure Python;-)). ... This is a response that is likely to turn people towards ...
      (comp.lang.python)
    • Re: WHY OH WHY?
      ... Shut up and run MS SMS and SUS for youre patching you lazy admin. ... > that the patch doesn't break something else is no fun. ... > these companies can find the buffer overruns w/o the source code before MS ... >>> responsibility for learning the basics of protecting their computers? ...
      (microsoft.public.security)
    • RE: Dotfuscator - major flaw in Microsoft dotNET?
      ... Yes, you are correct, .NET code can easily be dissasembled.. ... comes with a tool called ILDasm.. ... I think the real solution to protecting your code is ... > source code available to anyone. ...
      (microsoft.public.dotnet.general)
    • Re: WHY OH WHY?
      ... As someone who made sure over 250 servers were patched well before the worm ... was safe from DOS attacks from those who didn't patch, ... these companies can find the buffer overruns w/o the source code before MS ... >> responsibility for learning the basics of protecting their computers? ...
      (microsoft.public.security)