RE: AES Symmetric Key Secure Storage

From: lelteto (lelteto_at_discussions.microsoft.com)
Date: 07/23/05 

Date: Sat, 23 Jul 2005 08:23:01 -0700

Protecting the private key depends on how you use it. You cartainly CAN use
CAPI to protect any data by encrypting it with public key, decrypting with
private key - both stored in a CAPI container. The encrypted blob then can be
stored anywhere you want (file, Registry). Since you handle the AES key
yourself the key in this case is just 'data' from the point of CAPI. (so you
would use CryptEncrypt / CryptDecrypt under Windows 2000, not key export /
import) Also, I would strongly recommend generating your key with
CryptGenRandom as that's the best PRNG on the Windows platform. (If you
collect your own entropy you most probably would get much less security.)
Now if you use PER USER AES key than the best is to protect the key (ie.
encrypt it) with a key pair stored in the user's container. Windows protects
those with the user's credential. Alternatively, you can use the Encrypted
File System (ie. encrypted directory - assuming you use NTFS partitions.)
It is not as secure when you need to use the same key for multiple users -
as the MACHINE KEYSTORE is not really protected. Two possible solutions:
1. protect the AES key with a DERIVED symmetric key (when you derive the key
from a strong password). Under Windows 2000 you should use 3DES. (Note that
it would still be much less secure as it is unlikely you can come up with a
so strong password which has as much randomness / entrophy as your AES key or
the protecting 3DES key. Depending your password - or more probably,
pass-phrease - selection each character would add max 4 or 5 bits of
entrophy, so even in the ideal case you would need like more than 20-char
really random password. Naturally, nobody would be able to remember that.)
2. your other option is to protect the same AES key under EACH USER's
account. The problem with this is that it doesn't scale well and you still
have key management problem with each new user.

The ideal solution would be a HARDWARE security module which supports AES.
In the case the key is generated in the hw module, never leaves it (although
these allow backing up the key in a secure way) and all AES calculation would
be done in hw. (So you wouldn't even need your open source AES routine.) Most
hw vendors support CAPI so you can use AES (in CAPI) even under Windows 2000.
Obviously, this security comes at a price: it is more expensive than sw-only
solution.

Hope the explanation helps a bit...

Laszlo Elteto
SafeNet, Inc.

"Dinesh" wrote:

> Hello,
>
> I am doing some AES cryptographic development for my employer. Part of the
> requirements was to have a flexible solution, that can work in Windows
> NT/2000, as most of our customers have not yet upgraded to Windows 2003.
>
> This essentially ruled out using CryptoAPI, as there does not exist a CSP
> that uses Rijndael in WinNT/2000. So I implemented a Certified and Open
> Source version of the AES (Rijndael) in our libraries, which is working well.
> This Open Source version of the Rijndael algorithmn just takes a buffer of
> bytes for the key, to initialize it's context.
>
> Now, in the issue of key management. We want a secure location to store the
> symmetric key in the Windows platform. From what I've been reading, storing
> the symmetric key on file or in the registry is not recommended. I also
> cannot store the key in Certificate Services because (a) you need a CSP to
> generate a key in CryptoAPI, and a CSP for AES only exists in Win2003, (b) if
> I were to be able to create and store a key in a certificate store, I still
> don't have access to the raw bytes of the symmetric key from the CryptoAPI
> functions (using the HCRYPTKEY handle) for use to initialize the context for
> my Open Source AES implementation.
>
> Any recommendations for where to store a symmetric key on the Windows
> platform? Should I just encrypt the symmetric key with a private key and
> store the resulting encrypted buffer in the registry or on a file on disk? Or
> is there a way to access the raw bytes of a CryptoAPI key using some method?
>
> Thanks!

Relevant Pages

  • Re: AES with constant key
    ...  But if the message file you encrypt say with straight AES ECB mode ... And thats if AES is perfect which is not likely. ... to trick people into using weak crypto so that the big 3 letter ... My Compression codehttp://bijective.dogma.net/ ...
    (sci.crypt)
  • Re: Need secure block cipher for 96 bits of block size
    ... AES need 128 bits data blocks. ... If you need to send exactly 96 bits of ciphertext for 96 bits of plaintext ... Encrypt the first 64 bits of plaintext to give a first 64-bit block. ... To decrypt you first decrypt the second block, and append the last 32 bits ...
    (sci.crypt)
  • Re: Should I use gbde or geli?
    ... >We have been talking of AES all the time. ... rigorous examination by the crypto community and the open community ... we don't know what the NSA ... because it was designed to protect against differential crytanalysis - ...
    (FreeBSD-Security)
  • Re: encrypt data in registry
    ... because encrypting the data won't actually protect it from other ... I would like to encrypt some data in the registry. ... It's not ok for the user to have to type a password (at app startup) ...
    (microsoft.public.vc.mfc)
  • Re: GC and security
    ... Just what attack are you trying to protect against, ... comes back at end to encrypt and then app is done. ... getting rid of the need for a passphrase? ... There was some questions (from MySQL pro) about how MySQL writes would ...
    (comp.lang.python)