Storing Asymmetric Keys from RSACryptoServiceProvider

  • Question

  • I would like to know if anyone can tell me, or direct me to appropriate documentation, where the CspParameters are physically stored, whether or not I have options (like machine or user account), and which of the options is best practice for developing a typical e-commerce site where the name and password of a payment services gateway should be encrypted.

    I have no problem creating and using symmetric keys and initialization vectors, or with creating and using RSA keys to encrypt and decrypt those values, or with storing the RSA keys in a container.  I am just not sure how much I don't know about the containers, frankly.  I have used and modified code I found in MSDN documentation.  It does not specify the physical location of the key store.  Is using defaults the best way to go?  What are the options?

    Here is a simplified construct:

      Imports System
      Imports System.Security.Cryptography

      ' Opens the named key container (the CSP creates a new RSA key pair
      ' if the container does not exist yet) and returns the key material.
      Private Function CreateOrRetrieveRSAKey(ByVal myKeyContainerName As String) As RSAParameters

        Dim myCspParameters As New CspParameters()
        myCspParameters.KeyContainerName = myKeyContainerName

        Using myRSA As New RSACryptoServiceProvider(myCspParameters)
          ' ToXmlString(True) and ExportParameters(True) both include the
          ' private key, so this output and the return value are sensitive.
          Console.WriteLine("Key Created and Stored: " & myRSA.ToXmlString(True))
          Return myRSA.ExportParameters(True)
        End Using

      End Function


      ' Deletes the named key container from the CSP and verifies the deletion.
      Private Sub DeleteRSAKey(ByVal myKeyContainerName As String)

        Dim myCspParameters As New CspParameters()
        myCspParameters.KeyContainerName = myKeyContainerName

        ' Clearing PersistKeyInCsp before disposal removes the container.
        Using myRSA As New RSACryptoServiceProvider(myCspParameters)
          myRSA.PersistKeyInCsp = False
        End Using

        ' With UseExistingKey the constructor throws instead of creating a
        ' new key, so an exception here means the container is really gone.
        myCspParameters.Flags = CspProviderFlags.UseExistingKey

        Try
          Using myRSA As New RSACryptoServiceProvider(myCspParameters)
            Console.WriteLine("Key deletion failed")
          End Using
        Catch ex As Exception
          Console.WriteLine("Key deleted successfully")
        End Try

      End Sub
    


    Jack
    Wednesday, April 27, 2011 9:36 PM

Answers

  • http://msdn.microsoft.com/en-us/library/f5cs0acs.aspx -> This is a good article to start with for key containers.

    Key containers can be created in the user's profile or in the machine's. User-level key containers can only be used by the user in whose profile they were created, and machine-level key containers can be used by anyone with access to them. Keys are usually in files, so NTFS permissions can be used to restrict access to users.

    Key containers can be found here by default:

      • User containers:
          • Vista and up: C:\Users\<user_name>\AppData\Roaming\Microsoft\Crypto\RSA
          • Previous Windows: C:\Documents and Settings\<user_name>\Application Data\Microsoft\Crypto\RSA
      • Machine containers:
          • Vista and up: C:\Users\All Users\Application Data\Microsoft\Crypto\RSA
          • Previous Windows: C:\Documents and Settings\all users\Application Data\Microsoft\Crypto\RSA

    Alex's article http://blogs.msdn.com/b/alejacma/archive/2007/12/13/key-containers-basics.aspx lists all these facts.

    Please read http://blogs.msdn.com/b/alejacma/archive/2008/05/28/don-t-use-default-key-containers-if-possible.aspx to understand why Microsoft recommends that every application create its own key container instead of the default one.


    --Trevor H.
    Send files to Hotmail.com: "MS_TREVORH"
    • Marked as answer by Jack Herr Wednesday, May 11, 2011 8:54 PM
    Tuesday, May 10, 2011 3:26 PM
    Moderator
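The following is an added example, not code posted in the thread, that puts the answer above into practice in the same VB.NET the question used: it opens an application-specific RSA container in the machine-level store (CspProviderFlags.UseMachineKeyStore), marks the key non-exportable, stamps an ACL on the container so only the creator and one service account can use it, resolves the physical key file from CspKeyContainerInfo.UniqueKeyContainerName, and wraps an AES key with RSA-OAEP without ever calling ExportParameters(True). The container name "MyShop.PaymentGatewayKey" and the account "IIS APPPOOL\MyShop" are hypothetical placeholders; the code assumes .NET Framework on Windows Vista or later, where the CAPI machine store lives under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys and the user store under %APPDATA%\Microsoft\Crypto\RSA\<SID>.

```vbnet
' Added example (not from the thread): named, non-exportable RSA key in the
' machine store, its on-disk location, a restrictive container ACL, and
' RSA-OAEP wrapping of an AES key. Container and account names are hypothetical.
Imports System
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Cryptography
Imports System.Security.Principal

Module KeyContainerDemo

    ' Hypothetical application-specific container name (never the default container).
    Private Const ContainerName As String = "MyShop.PaymentGatewayKey"

    ' CspParameters for the named container in the machine-level store.
    Private Function MachineContainerParams(ByVal existingOnly As Boolean) As CspParameters
        Dim p As New CspParameters()
        p.KeyContainerName = ContainerName
        p.Flags = CspProviderFlags.UseMachineKeyStore Or CspProviderFlags.UseNonExportableKey
        If existingOnly Then
            ' Throw rather than silently generating a fresh key pair.
            p.Flags = p.Flags Or CspProviderFlags.UseExistingKey
        End If
        Return p
    End Function

    ' True if the container already holds a key; this check generates nothing.
    Public Function KeyExists() As Boolean
        Try
            Using rsa As New RSACryptoServiceProvider(MachineContainerParams(True))
                Return True
            End Using
        Catch ex As CryptographicException
            Return False
        End Try
    End Function

    ' Opens the container (generating a 2048-bit pair on first use) with an ACL:
    ' the creating account gets full control, allowedAccount (for example the IIS
    ' application pool identity) may only read/use the key. The CSP writes this
    ' ACL onto the key file, which is where NTFS enforcement actually happens.
    Public Function CreateOrOpenKey(ByVal allowedAccount As String) As RSACryptoServiceProvider
        Dim p As CspParameters = MachineContainerParams(False)
        Dim acl As New CryptoKeySecurity()
        acl.SetAccessRuleProtection(True, False) ' do not inherit the MachineKeys folder ACL
        acl.AddAccessRule(New CryptoKeyAccessRule(WindowsIdentity.GetCurrent().User, _
                                                  CryptoKeyRights.FullControl, AccessControlType.Allow))
        acl.AddAccessRule(New CryptoKeyAccessRule(New NTAccount(allowedAccount), _
                                                  CryptoKeyRights.GenericRead, AccessControlType.Allow))
        p.CryptoKeySecurity = acl
        Return New RSACryptoServiceProvider(2048, p)
    End Function

    ' Physical location of the key file. The CSP names the file after
    ' UniqueKeyContainerName, not after the friendly container name.
    Public Function KeyFilePath(ByVal rsa As RSACryptoServiceProvider) As String
        Dim info As CspKeyContainerInfo = rsa.CspKeyContainerInfo
        Dim root As String
        If info.MachineKeyStore Then
            ' %ProgramData%\Microsoft\Crypto\RSA\MachineKeys
            root = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData), _
                                "Microsoft\Crypto\RSA\MachineKeys")
        Else
            ' %APPDATA%\Microsoft\Crypto\RSA\<SID of the current user>
            root = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), _
                                "Microsoft\Crypto\RSA\" & WindowsIdentity.GetCurrent().User.Value)
        End If
        Return Path.Combine(root, info.UniqueKeyContainerName)
    End Function

    ' Wraps a fresh 256-bit AES key with the container's public key and unwraps
    ' it again. The private key stays inside the CSP the whole time.
    Public Function WrapRoundTrip(ByVal rsa As RSACryptoServiceProvider) As Boolean
        Dim aesKey(31) As Byte
        Using rng As New RNGCryptoServiceProvider()
            rng.GetBytes(aesKey)
        End Using
        Dim wrapped As Byte() = rsa.Encrypt(aesKey, True)   ' True = OAEP padding
        Dim unwrapped As Byte() = rsa.Decrypt(wrapped, True)
        Return Convert.ToBase64String(aesKey) = Convert.ToBase64String(unwrapped)
    End Function

    Sub Main()
        Console.WriteLine("Container existed before: " & KeyExists().ToString())
        ' Hypothetical application pool identity of the e-commerce site.
        Using rsa As RSACryptoServiceProvider = CreateOrOpenKey("IIS APPPOOL\MyShop")
            Dim info As CspKeyContainerInfo = rsa.CspKeyContainerInfo
            Console.WriteLine("Container:     " & info.KeyContainerName)
            Console.WriteLine("Machine store: " & info.MachineKeyStore.ToString())
            Console.WriteLine("Exportable:    " & info.Exportable.ToString())
            Console.WriteLine("Key file:      " & KeyFilePath(rsa))
            Console.WriteLine("File present:  " & File.Exists(KeyFilePath(rsa)).ToString())
            Console.WriteLine("Wrap/unwrap:   " & WrapRoundTrip(rsa).ToString())
        End Using
    End Sub

End Module
```

Run it once under the deployment account to create the container; the NTAccount must exist on the box or the ACL translation throws IdentityNotMappedException. Afterwards the application pool account can open the same container with UseExistingKey and use it for Decrypt, but ExportParameters(True) throws CryptographicException because the key was created non-exportable. The file reported by KeyFilePath is the one whose NTFS ACL matters and the one a backup has to include: deleting it, or disposing an RSACryptoServiceProvider whose PersistKeyInCsp was set to False, destroys the private key and with it everything wrapped under it.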

All replies

  • Hi Jack,

     

    Thank you for your question, we're doing research on this case, it might take some time before we get back to you.


    Eric Yang [MSFT]
    MSDN Community Support | Feedback to us

    Thursday, April 28, 2011 2:42 AM
  • Thank you for your efforts on my behalf.

    May I trouble you with an additional question on this topic?

    I looked at using Rfc2898DeriveBytes to determine deterministically the key and IV values for AES encryptions and decryptions as an alternative to encrypting and storing the AES key using RSA.  It seems to me that RSA is the far better alternative from a security standpoint, but perhaps that is not the case.  Which is preferable?

    Secondly, how stable is the RSA key store, whichever answer turns up in your research?  Assuming that I code properly, can I rely on the RSA key store being a steady, reliable store for a going concern e-commerce business?  I will of course have a manual re-encryption program for security purposes, but it would be nice to have it become necessary only if I screw up!

    Thanks again.


    Jack
    Thursday, April 28, 2011 2:52 PM