Re: Best Practice for storing TripleDES key and vector?

From: Alek Davis (alek_xDOTx_davis_xATx_intel_xDOTx_com)
Date: 05/01/04

  • Next message: Michel Gallant: "Re: Best Practice for storing TripleDES key and vector?"
    Date: Fri, 30 Apr 2004 17:24:49 -0700

    KNF,

    This approach is generally not recommended. Did you consider asking
    administrators to define the key (I mean the password from which the key
    will be derived) at application installation time and protecting it with
    DPAPI? I don't know how deployment policies and application support are
    defined in your organization, but under certain conditions (enterprise
    application, dedicated and trusted engineering support/admins), this could
    be a better option. Of course, if the people handling the key (password)
    start writing it on post-it notes, it would be terrible, but otherwise it
    would be better than keeping the key in the assembly. You can do something
    similar to what the CipherSafe.NET tool does (check
    http://www.obviex.com/ciphersafe/; there is also good documentation there,
    which addresses some interesting data security aspects and may give you
    some ideas). By the way, the initialization vector (IV) does not
    necessarily need to be protected. You can hard-code it in the application.

    Alek

    "knf" <anonymous@discussions.microsoft.com> wrote in message
    news:E8A4E5FF-E280-48F0-B308-A155FD8E76D4@microsoft.com...
    > Thanks. There was a lot of good information in that article. After
    > reading it, it looks like I am going to go the way of deriving a key in my
    > source code and obfuscating the binary that has my encryption management
    > code. Other options aren't viable since I have different users running apps
    > and different machines and they all need the same key/vector. But I am no
    > longer storing the plain bytes in the source code.
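
The arrangement Alek sketches (an administrator types a password at install time, the TripleDES key is derived from it, and the derived key is stored under DPAPI rather than in the assembly), written out in C# as an added example; this is not code from the thread or from CipherSafe.NET. It assumes .NET Framework 2.0 or later on Windows: ProtectedData and Rfc2898DeriveBytes did not exist in the .NET 1.1 the posters had, where the same thing needed P/Invoke to CryptProtectData and PasswordDeriveBytes. The file names, entropy string, iteration count and the password in Main are illustrative. On the IV, the example departs from the hard-coding remark above: it draws a fresh random IV per message and writes it in the clear in front of the ciphertext. An IV does not need to be secret, but in CBC mode it must not repeat under one key, otherwise two messages with the same leading blocks produce the same leading ciphertext blocks and the repetition is visible to anyone holding both.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original thread or from CipherSafe.NET.
// Assumes .NET Framework 2.0+ on Windows (ProtectedData lives in System.Security.dll;
// on modern .NET add the System.Security.Cryptography.ProtectedData package).
public static class KeyStore
{
    // Hypothetical deployment artifacts and parameters.
    const string KeyBlobPath = "app.keyblob";   // DPAPI-protected TripleDES key
    const string SaltPath = "app.salt";         // PBKDF2 salt, copied between machines
    const int Pbkdf2Iterations = 100000;
    const int KeySizeBytes = 24;                // three-key TripleDES
    // DPAPI "optional entropy": a constant inside the binary adds little against
    // someone who has the binary, so treat it as the hook, not as a second secret.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    // Install time: the administrator types the password; the key is derived
    // from it with PBKDF2 and handed to DPAPI. The password is never written to
    // disk. Machines installed with the same password and the same salt file
    // derive the same key, each keeping its own DPAPI blob.
    public static void Install(string adminPassword)
    {
        byte[] salt;
        if (File.Exists(SaltPath))
        {
            salt = File.ReadAllBytes(SaltPath);   // salt copied from the first machine
        }
        else
        {
            salt = new byte[16];
            using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
                rng.GetBytes(salt);
            File.WriteAllBytes(SaltPath, salt);   // the salt is not secret
        }
        byte[] key;
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(adminPassword, salt, Pbkdf2Iterations))
            key = kdf.GetBytes(KeySizeBytes);
        // LocalMachine scope: any process on this host can unprotect the blob, so
        // restrict the blob file's ACL; CurrentUser under the service account is tighter.
        byte[] blob = ProtectedData.Protect(key, Entropy, DataProtectionScope.LocalMachine);
        Array.Clear(key, 0, key.Length);
        File.WriteAllBytes(KeyBlobPath, blob);
    }

    // Run time: DPAPI decrypts the blob for us; no password is needed.
    static byte[] LoadKey()
    {
        byte[] blob = File.ReadAllBytes(KeyBlobPath);
        return ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.LocalMachine);
    }

    static TripleDES NewCipher(byte[] key)
    {
        TripleDES tdes = new TripleDESCryptoServiceProvider();
        tdes.Key = key;   // the setter rejects a weak key; odds of PBKDF2 yielding one are negligible
        tdes.Mode = CipherMode.CBC;
        tdes.Padding = PaddingMode.PKCS7;
        return tdes;
    }

    // Output layout: [8-byte IV][ciphertext]. The IV is fresh per message and
    // stored in the clear: secrecy is not required, non-repetition is.
    public static byte[] Encrypt(byte[] plaintext)
    {
        byte[] key = LoadKey();
        try
        {
            using (TripleDES tdes = NewCipher(key))
            {
                tdes.GenerateIV();
                byte[] iv = tdes.IV;
                byte[] ct;
                using (ICryptoTransform enc = tdes.CreateEncryptor())
                    ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
                byte[] output = new byte[iv.Length + ct.Length];
                Buffer.BlockCopy(iv, 0, output, 0, iv.Length);
                Buffer.BlockCopy(ct, 0, output, iv.Length, ct.Length);
                return output;
            }
        }
        finally { Array.Clear(key, 0, key.Length); }
    }

    public static byte[] Decrypt(byte[] ivAndCiphertext)
    {
        byte[] key = LoadKey();
        try
        {
            using (TripleDES tdes = NewCipher(key))
            {
                int ivLen = tdes.BlockSize / 8;   // 8 bytes for TripleDES
                if (ivAndCiphertext.Length < ivLen)
                    throw new CryptographicException("input shorter than one IV");
                byte[] iv = new byte[ivLen];
                Buffer.BlockCopy(ivAndCiphertext, 0, iv, 0, ivLen);
                tdes.IV = iv;
                using (ICryptoTransform dec = tdes.CreateDecryptor())
                    return dec.TransformFinalBlock(ivAndCiphertext, ivLen, ivAndCiphertext.Length - ivLen);
            }
        }
        finally { Array.Clear(key, 0, key.Length); }
    }

    public static void Main()
    {
        Install("correct horse battery staple");   // in practice: prompt the administrator
        byte[] a = Encrypt(Encoding.UTF8.GetBytes("same message"));
        byte[] b = Encrypt(Encoding.UTF8.GetBytes("same message"));
        Console.WriteLine("ciphertexts differ: " + (Convert.ToBase64String(a) != Convert.ToBase64String(b)));
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(a)));
    }
}
```

Two caveats a deployment would still have to close. DPAPI only moves the problem from "who has the binary" to "who can run code on this machine under this scope", so the blob file's ACL and the choice between LocalMachine and CurrentUser scope are part of the design, not an afterthought. And CBC on its own gives no integrity: anyone who can modify the stored ciphertext can flip plaintext bits in the following block undetected, so a real deployment adds an HMAC over IV plus ciphertext (or uses an authenticated mode on a cipher newer than TripleDES) and verifies it before decrypting.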

