Re: Encryption Scenario



The first scenario sounds tailor-made for SSL. Is the main goal to protect
the data on the network? If so, that's the best thing to use. Creating
your own key exchange process is very difficult to get right and SSL already
does this for you in a well-known, well-tested way.

For the second scenario, using DPAPI is probably the best way to go. It
depends a bit on the nature of the data though too. If you are concerned
that a problem with the machine might cause a loss of the DPAPI-protected
key and thus a loss of the data, you might consider doing something like
PKCS7 Enveloped Data, using a certificate that the local user has and a
certificate owned by the system. That way, you have a centralized key that
can be used to recover the data. If you have a key recovery strategy for
the client certificate issued to the user, then this piece might not be
needed.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Erdem KEMER" <erdemkemer@xxxxxxxxx> wrote in message
news:OfXgKfZrGHA.3604@xxxxxxxxxxxxxxxxxxxxxxx
Hi everyone,

I do not have much experience with encryption, so sorry if my question
is a little silly.

I have problems with storing KEYS that are used in encryption. I could
not decide where I should store my keys or how I should store them.

We have this scenario in our project:

We are developing a project with a server/client architecture. The server
should send data to the client with encryption. But the thing is, users have
no idea about 'what the key is', so users also shouldn't see keys, in
order not to get them stolen or anything else.

The first scenario I thought of was: the server could encrypt data using
symmetric encryption. Then the server also encrypts the symmetric key with
asymmetric encryption (with the private key). Then when the user gets the data,
first it will decrypt the key with the public key and then decrypt the data
with the key that was just got from the first decryption.

Everything seems OK, but the thing is the user has the public key. So he/she
can get it stolen. I wanted to make the public key inaccessible to the user.
I should store it somewhere that only the client program can access when needed.

I thought I could use DPAPI to store the key, but this is quite not possible,
because DPAPI uses user credentials, and this does not match our needs.
(Different Windows users may log on to the client program using the same
account that we gave them.)

So is there any way to solve this problem?

My second question is connected to the first question. The client will store
some sensitive data locally. This data should be stored encrypted.
Again we are having a KEY STORAGE problem. Where should I store the KEY?

The scenario is this:

The client should generate a key;
This key will be used for data encryption;
The key should be stored safely so that other people can't access it
(including the client user.)

Is the only way to use DPAPI?

(Sorry for my English)

Thanks in advance
Erdem KEMER
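The two-recipient PKCS7 Enveloped Data layout Joe describes for the second scenario, as an added C# example that is not code from either poster: the data is sealed once and a wrapped copy of the content key is added for both the user's certificate and a system-owned recovery certificate, so either private key can recover it. The self-signed certificates, the "demo" PFX password and the AES-256-CBC OID are assumptions made for the demo; in a real deployment the certificates come from the certificate store.

```csharp
// Added example, not code from the thread. Assumes .NET 6+ with the
// System.Security.Cryptography.Pkcs package; certificates are self-signed test certs.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class EnvelopeDemo
{
    // Self-signed RSA test certificate (constructed for the demo; in production the
    // user's cert and the system recovery cert come from the certificate store).
    static X509Certificate2 MakeCert(string subject)
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256,
                                         RSASignaturePadding.Pkcs1);
        using var ephemeral = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5),
                                                   DateTimeOffset.UtcNow.AddYears(1));
        // PFX round-trip so EnvelopedCms can use the private key on Windows.
        return new X509Certificate2(ephemeral.Export(X509ContentType.Pfx, "demo"), "demo",
                                    X509KeyStorageFlags.Exportable);
    }
    // Encrypt once under AES-256-CBC; each recipient gets its own RSA-wrapped copy of the CEK.
    static byte[] Seal(byte[] plaintext, params X509Certificate2[] recipients)
    {
        var cms = new EnvelopedCms(new ContentInfo(plaintext),
            new AlgorithmIdentifier(new Oid("2.16.840.1.101.3.4.1.42")));
        var rc = new CmsRecipientCollection();
        foreach (var c in recipients) rc.Add(new CmsRecipient(c));
        cms.Encrypt(rc);
        return cms.Encode(); // DER-encoded CMS blob, safe to store next to the data
    }
    // Open with whichever private key the holder has (user cert or recovery cert).
    static byte[] Open(byte[] envelope, X509Certificate2 holder)
    {
        var cms = new EnvelopedCms();
        cms.Decode(envelope);
        cms.Decrypt(new X509Certificate2Collection(holder));
        return cms.ContentInfo.Content;
    }
    static void Main()
    {
        using var user = MakeCert("CN=client-user");
        using var recovery = MakeCert("CN=system-recovery");
        byte[] blob = Seal(Encoding.UTF8.GetBytes("local secret"), user, recovery);
        Console.WriteLine(Encoding.UTF8.GetString(Open(blob, user)));     // user's own key
        Console.WriteLine(Encoding.UTF8.GetString(Open(blob, recovery))); // recovery key
    }
}
```

The recovery certificate's private key is the centralized asset Joe mentions, so it needs the same protection as any escrow key (offline storage, restricted access, audited use).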

