Create keys without writing them to disk?

Preamble

I dug deep into .NET X509Certificate2 and X509Certificate and noted that both certificate classes persist the private key to disk by default, because of the verified use of Persist: the parameters in the X509Certificate2 and X509Certificate class constructors use the default parameter set for CspProviderFlags, which does not include CspProviderFlags.CreateEphemeralKey. This can be checked on any number of websites that show the .NET source, as well as with a copy of the solution, if you decide to do it yourself.

Looking further, these .NET objects in reality just seem to be wrappers around the old-style crypto context of crypt32.dll. My concern is that, looking deeper into the code, I found that it explicitly looks in the file storage on disk for the public and private keys in the getters and setters for the PublicKey field of the X509Certificate2 and X509Certificate objects, even though I otherwise expected that they would exist only in memory. Based on this, it seems that I keep my private key in this store even if I do not want to, because the constructor does not allow you to change this parameter and disable it, judging by the list of constructors I see when I look at the documentation; therefore, if you set() or get() the PrivateKey field, it really just collects it from this file vault behind the scenes.

Reason for my question

I think that forcing my private key to leak to the file system - even temporarily - is a huge security issue, so I don't want to do this. I also do not trust the certificate store. Even if you do not agree with me, I personally think that forcing my private key to be serialized to disk, when I do not intend that, is a huge security problem, so I do not want to do this.

Purpose

My current goal is simply to create my own X509 RSA public and private keys in C# that can be used on Windows without requiring them to be written to the hard drive as part of the creation process, and I am not finding many valid options, since all of those I can find seem to have either hidden gaps or well-known problems.


TL;DR;

: Windows #, 509, , . X509Certificates Windows, .


  • .Net-, , , , - . CSP, , , .
  • Bouncy Castle , . .net, .Net, , BC, .
  • p-invoke crypto32.dll, , , , , , . , , , , .
  • , , . Qaru , BC ; .

X509 - , , :

  • makecert.exe , , ; , . , , , , , .
  • #/.NET x509certificate2 x509 , ; , , , , , , . ; , .
  • , Bouncy Castle, , , ; , , , , " ", API System.Security.Cryptography, , . , , , .
+4
2
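As an added example (not code from the original post or its answers), the following C# shows the two settings that decide whether a private key gets a key container on disk: CspProviderFlags.CreateEphemeralKey for the legacy CAPI RSACryptoServiceProvider path, and X509KeyStorageFlags.EphemeralKeySet when PFX bytes are loaded into an X509Certificate2, plus a CertificateRequest-based self-signed certificate that is built from an in-memory key without touching the certificate store. It assumes .NET Framework 4.7.2+ or .NET Core 2.0+ on Windows (CertificateRequest and EphemeralKeySet do not exist on older runtimes); the subject name and PFX password are constructed placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the original post or its answers.
// Assumes .NET Framework 4.7.2+ or .NET Core 2.0+ on Windows.
static class EphemeralKeyDemo
{
    // Legacy CAPI path. Without CspProviderFlags.CreateEphemeralKey a CSP key lives in a
    // key container that CAPI materialises on disk; with the flag it is opened under
    // CRYPT_VERIFYCONTEXT and never receives a container name.
    public static RSACryptoServiceProvider CreateEphemeralCapiKey(int keySize)
    {
        var csp = new CspParameters
        {
            Flags = CspProviderFlags.CreateEphemeralKey | CspProviderFlags.NoPrompt
        };
        var rsa = new RSACryptoServiceProvider(keySize, csp);
        rsa.PersistKeyInCsp = false; // nothing should survive Dispose() either way
        return rsa;
    }

    // Diagnostic: a CAPI-backed key reports its container through CspKeyContainerInfo;
    // a CNG-backed key (what an EphemeralKeySet import hands back) exposes CngKey.IsEphemeral.
    public static string DescribeKeyStorage(AsymmetricAlgorithm key)
    {
        if (key is RSACryptoServiceProvider capi)
        {
            CspKeyContainerInfo info = capi.CspKeyContainerInfo;
            return info.KeyContainerName == null
                ? "CAPI key, ephemeral (no key container)"
                : "CAPI key, persisted in container " + info.KeyContainerName;
        }
        if (key is RSACng cng)
        {
            return cng.Key.IsEphemeral ? "CNG key, ephemeral" : "CNG key, persisted: " + cng.Key.KeyName;
        }
        return key.GetType().Name + " (storage not inspected)";
    }

    // Self-signed certificate from an in-memory RSA key. CertificateRequest never goes
    // through the certificate store; the key object is whatever RSA.Create() returned.
    public static X509Certificate2 CreateSelfSignedInMemory(string subject, int keySize)
    {
        using (RSA rsa = RSA.Create())
        {
            rsa.KeySize = keySize;
            var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            DateTimeOffset now = DateTimeOffset.UtcNow;
            return req.CreateSelfSigned(now.AddMinutes(-5), now.AddDays(30));
        }
    }

    // Loading PFX bytes is where the default X509Certificate2 constructor persists the key:
    // the default storage flags import it into a named key container. EphemeralKeySet keeps
    // it in process memory instead.
    public static X509Certificate2 ImportPfxEphemeral(byte[] pfx, string password)
    {
        return new X509Certificate2(pfx, password, X509KeyStorageFlags.EphemeralKeySet);
    }

    static void Main()
    {
        using (RSACryptoServiceProvider key = CreateEphemeralCapiKey(2048))
            Console.WriteLine("CSP key:      " + DescribeKeyStorage(key));

        // Subject name and PFX password are constructed placeholders for this demo.
        byte[] pfx;
        using (X509Certificate2 created = CreateSelfSignedInMemory("CN=ephemeral-demo", 2048))
        {
            Console.WriteLine("Created cert: " + created.Subject + ", HasPrivateKey=" + created.HasPrivateKey);
            pfx = created.Export(X509ContentType.Pfx, "in-memory-only");
        }

        try
        {
            using (X509Certificate2 loaded = ImportPfxEphemeral(pfx, "in-memory-only"))
            using (RSA loadedKey = loaded.GetRSAPrivateKey())
            {
                Console.WriteLine("Loaded cert:  HasPrivateKey=" + loaded.HasPrivateKey);
                Console.WriteLine("Loaded key:   " + DescribeKeyStorage(loadedKey));
            }
        }
        finally
        {
            Array.Clear(pfx, 0, pfx.Length); // scrub the serialized key material
        }
    }
}
```

One caveat a practitioner will hit: on Windows, SChannel (and therefore SslStream) cannot use a certificate whose private key is ephemeral, so a certificate produced this way is fine for signing and local encryption but must be re-imported with a persisted key before it can serve TLS.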

( ) , , . , , , .

crypt32 DPAPI ( , / PFX) . , , " -"; , .

+1

, / API, , .Net..Net - RAD, , , .

C .

0

Source: https://habr.com/ru/post/1543507/

