Best IT Recipes

Best way to store encryption keys in .NET C #

In our application, we have many configurable settings that we store in an xml file that is again encrypted.

This protected file must be decrypted at run time and the configuration values ​​read. but there is a problem that the key and the initialization vector are hardcoded in the code, and therefore anyone can read it using the Reflector.

What is the best way to store encryption keys in .NET, so no one can read them using Reflector?

+49
security c # encryption
Feb 11 2018-11-11T00:
source share
7 answers

If you want to protect your data from other users. Take a look at the ProtectedData class.

(Disclaimer: data protection to create a copy protection scheme is not covered in this answer).

This class uses DPAPI from Windows to encrypt and decrypt data at the user or computer level.

Using ProtectedData / DPAPI frees you from key processing and data security. And you can protect the data for the current user. Data can be read from different computers by the same domain users.

If you want to create your own key. You can create a key for each user / machine and save this key in the registry. Since the registry can be protected, only the current user can read the key back. I know that registry karma is bad, but it actually stores data like this very well.

PS: Do not put IV in your code. Create a new IV every time and put it in front of the data.

+16
Feb 11 '11 at 9:30
source share

If you cannot read them in the reflector, how do you expect the program to read them? You could confuse them by breaking them down and keeping details everywhere, but (AFAIK), as soon as you need your program to read them, then anyone with access to your code can read them too.

Remember that in-memory values ​​are also available (cough SecureString).

+8
Feb 11 2018-11-11T00:
source share

You should use Machine Keystore, a secure repository specifically for this purpose. For example:

CspParameters cspParams = new CspParameters(PROV_RSA_FULL, null, KEYNAME); cspParams.Flags = CspProviderFlags.UseMachineKeyStore; RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cspParams);

Where KEYNAME is a custom string that can be used to retrieve the key later.

For more examples, see this question: How to store a public key in an RSA key container at the machine level

+7
Jul 12 2018-12-12T00:
source share

Typically, a new key and IV should be created for each session, and neither the key nor IV should be stored for use in a later session.

To transfer the symmetric key and IV to the remote side, you usually encrypt the symmetric key and IV using asymmetric encryption. Sending these values ​​to an untrusted network without encrypting them is extremely insecure, since anyone who intercepts these values ​​can then decrypt your data. For more information about this process of encrypting and transmitting the key and IV, see Creating a Cryptographic Scheme .

+4
Feb 11 2018-11-11T00:
source share

When installing the application, create a new RSA key set, then encrypt the data using AES using the private key as a password. Since Windows stores RSA secret keys on the PC that created them, the data can only be decrypted on the computer that created the data, because only that computer will have the necessary key.

+3
Aug 19 '14 at 17:37
source share

How about saving the encryption / decryption key of the file on the remote server, receiving it, although the web service that will transmit it, although https to the application? Thus, the key remains in the computer's memory, but is not in the source code file.

This requires a connection to the key server for those who launch the application.

+1
Aug 22
source share

How about storing a key on hardware, here I am talking about hardware security modules! Can we use it as the best methods to hide the key? Can we save the key in the configuration file and then encrypt the configuration file? In my case, I'm talking about a standalone .Net application.

0
Jul 07 '17 at 13:10
source share


More articles:


All Articles