Re: Triple DES keys distribution

On May 10, 11:07 am, Valery Pryamikov <val...@xxxxxxxxx> wrote:
On May 7, 5:39 pm, mauricio.cad...@xxxxxxxxx wrote:

Hi
I'm developing an application that encrypts some data using the
TripleDESCryptoServiceProvider, I'm new in this topic and I don't know
what is the best and secure way to distribute the keys used by this
algorithm since If I left it hardcoded anyone can decompile the
assemblies and obtain it. Any sugestion?
Thanks

Hi,
The problem of keys distrubution is not kind of problem that could be
implemented or even understood by newbies. This is btw the main reason
for PKI, X509, Kerberos, SSL and you name it... any secure
communicataion channel/key distribution protocols. But at the end of
the day it always boils down to one simple thing: you always need some
secret key for decrypting other keys that supposed to be securely
distributed to you. And hardcoding this secret key is totally wrong
aproach! Not only because of decompilers ;). There are much easier
ways of finding any secret key that you have in your program for an
adversary that has sufficient local access: for example - simply dump
process memory and try any sequential memory block of the size of the
key. If you program is about 100 MB - this aproach will always find
your key in a matter of seconds (with the smaller programs it will be
even faster). And the key finder program is a trivial automatic thing
that doesn't even require any special programming skills ;)

-Valery.

Btw. If you recall recent break of HDDVD and Blue Ray keys, it was
done by a bit more complicated, but very similar aproach (dumping
process memory at the right time ;)

-Valery.

.

Relevant Pages

  • Re: Triple DES keys distribution
    ... what is the best and secure way to distribute the keys used by this ... And hardcoding this secret key is totally wrong ... process memory and try any sequential memory block of the size of the ... If you program is about 100 MB - this aproach will always find ...
    (microsoft.public.dotnet.security)
  • Re: Triple DES keys distribution
    ... what is the best and secure way to distribute the keys used by this ... process memory and try any sequential memory block of the size of the ... If you program is about 100 MB - this aproach will always find ... The last days I learned a lot about encryption solutions, ...
    (microsoft.public.dotnet.security)
  • Re: Clarification
    ... > I am trying to secure different files, mostly pdf, so only the person ... > am using sessions to secure the actual web pages, but now I am trying to ... $secretkey = "make up some secret key here"; ... if > $expire) ...
    (comp.lang.php)
  • Re: Simple encryption utility with USB key
    ... What do others think of Lexar's JumpDrive Secure? ... encryption, so the only real question is the extent to which they can ... guard the secret key. ... Everything on the secure partition is encrypted. ...
    (alt.computer.security)