none
Secure working with key's RRS feed

  • Question

  • Good day everyone,
    I am currently working on a application that is using an RSA encryption/decryption implementation.
    I use the RSACryptoServiceProvider. Now my only problem is that i don't know how secure my private key on the system is.
    As you may know you can initialize your RSA implementation with a few parameters (CspParameters). But as you may also know is that you can disassemble your .net applications. If you do this you are able to see how i initialize my RSACryptoServiceProvider. Now you can get the private key of the system. But i don't want this to be possible.
    I want to encrypt en decrypt data using a key and the user must not be able to see the key. I know full disclosure issn't possible but how can i make this as difficult as possible?

    Thanks in advance.
    Monday, March 9, 2009 2:37 PM

Answers

  • If your application needs to decrypt data therefor needs to have the key available someone with enough time and determination will always find it.  So the question them becomes how much do you care? how many people will use your application how many of those are skilled enough to see an RSA key when they see one? If they are clever enough to go look for your RSA keys and are able to extract it from your application whatever hiding scheme you put on top of that they'll most likely figure out in the next 5 minutes as well.

    That said you could add a layer of complexity by running your code though an obfuscator either the free one that comes with vs.net or one of the commercial protections available on the market.

    • Marked as answer by Zhi-Xin Ye Thursday, March 12, 2009 9:30 AM
    Monday, March 9, 2009 4:18 PM