Best practice for securely storing a symmetric key and initialization vector that must be consistent for all application installations

  • Question

  • I've inherited a security problem; I'm not a security/cryptography guru, and have been fruitlessly looking for a best practices solution to the following.

    1) My .NET 4 application needs to be able to encrypt and decrypt files of a proprietary format.

    2) Previously the application was using DES as the encryption algorithm (bad) and embedding the key and the IV in the code itself (worse).

    3) The encrypted files that are generated must be readable (decrypt-able) by any valid installation of the product on any machine. In other words, if there are X installations of the product in a company, and user A creates an encrypted version of the file, user B should be able to use (decrypt) the file using our application. Thus, the key has to be the same for any given installation.

    Seems like the encryption algorithm issue is fairly straightforward -- AES seems to be the symmetric algorithm of choice these days.

    However, that still leaves the question of how I get the hardcoding of the key and the IV out of the application code and into some secure location that our installation program would set up. Putting it in the registry seems pretty unsafe to me (no matter where it's put... in HKLM, HKCR, etc.). I've seen stuff talking about key stores or certificate stores, but have yet to see an example pertaining to my use case where the key must be constant (i.e. cannot be varied because of the requirement that a file encrypted in one installation must be readable by another installation of our product on another machine). Granted, in theory the security story would be better if the file were only readable by the user (or installation) that originally encrypted it, but that's a no-go solution for me at this point.

    So what are my options here? Is there a machine store that an installation program can put a key and an IV string in, and then have my code retrieve these keys on-demand when it needs to encrypt or decrypt something? I want to follow best practices as much as my application requirements will allow (not to mention learn something in the process)!

    Friday, April 8, 2011 10:43 PM

All replies

  • Hi,

    From a security perspective I don't think there is such a thing as 'Best practices for Security through Obscurity'. Unfortunately based on the description of your requirements it appears that you need to distribute both the key and the encrypted content with the application. The weakness is in the architecture. I personally don't think it makes a difference whether you choose a registry key or the certificate store with these types of requirements. 

    Best Wishes,

    -David Delaune

    Monday, April 11, 2011 4:38 AM
  • In our case, we're using encryption mainly to keep our users from tampering with configuration documents, not so much really to "keep secrets" per se. An old product we had used .INI format so of course users got used to being able to open and tweak them... with sometimes unexpected results and headaches for system admins... hence the option to encrypt those and make sure the users can't modify them via an editor outside our application.

    Yeah, we'd need to distribute the key/IV at install time. The content may be distributed or not... depending on how much functionality an admin gives the users in terms of creating new documents. Some sites do allow the user to create documents but only to save them in encrypted form (as opposed to clear text/xml etc).

    Assuming I did want to use a key or certificate store (this being a symmetric key and initialization vector), how would I go about doing this (or perhaps more accurately, what would my install have to do)? Seen a couple examples of asymmetric, but not my specific use case... and is a certificate store ok for storing just a key and/or IV?

    I figure that's got to be better than hardcoding them in the application like what I've inherited!

    Monday, April 11, 2011 6:08 PM
  • Assuming I did want to use a key or certificate store (this being a symmetric key and initialization vector), how would I go about doing this (or perhaps more accurately, what would my install have to do)? Seen a couple examples of asymmetric, but not my specific use case... and is a certificate store ok for storing just a key and/or IV?

    If you wanted to use the certificate store... your install would obviously need to add the certificate to one of the available stores or perhaps a custom store. The IV would probably need to be either hard-coded into your application or perhaps obfuscated within a registry key. This MSDN article seems to cover many of the basics for .NET 4:

    EncryptTo/DecryptTo: Encryption in .NET with CryptoAPI Certificate Stores

    Unfortunately I am primarily a C++/ASM software engineer, so I cannot give you a .NET sample for adding a certificate to the store using a .NET language. However, I'm sure it's probably 4-5 lines of code.  :P

    Best Wishes,

    -David Delaune

    Wednesday, April 13, 2011 3:51 AM
  • Eric -

    I think you are on the right tack in considering something that employs x509 certificates. You would use that certificate to help you encrypt and decrypt the symmetric key. You can then store that encrypted key anywhere you want -- in some file or DB, for example.

    Include the x509's PFX in your deployment, and install it to the proper store (Current User / Personal if you are a UI application that always has the same user, Local Computer / Personal otherwise). You can create the certificate yourself with the MS MAKECERT tool, or purchase something from a 3rd party like VeriSign or GoDaddy.

    Use the certificate's public key to encrypt the symmetric key, and the certificate's private key to decrypt the symmetric key.

    The example at the bottom of the article might be helpful: http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.aspx


    Regards, Howard Hoffman
    Tuesday, May 10, 2011 12:46 PM
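The wrap/unwrap scheme Howard describes, as an added .NET 4 example that is not code from the thread or from any poster. It assumes the installer has already put a certificate with its private key in the Local Computer / Personal store, and the subject name is a placeholder; it also goes one step beyond the thread by generating a random IV per file and storing it in front of the ciphertext, since in CBC mode the IV is not a secret and only the key has to match across installations.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the thread. Assumes the installer already placed a certificate with its private key in LocalMachine\My; the subject name below is a placeholder.
static class SharedKeyProtection
{
    const string CertSubject = "ConfigFileProtection"; // assumed subject name
    // Look up the deployment certificate in the machine store.
    public static X509Certificate2 FindCert()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindBySubjectName, CertSubject, false);
            if (found.Count == 0) throw new InvalidOperationException("deployment certificate missing");
            return found[0];
        }
        finally { store.Close(); }
    }
    // Wrap the shared AES key with the certificate's public key (once, at build or install time); the wrapped blob can then sit in a file or registry value.
    public static byte[] WrapKey(byte[] aesKey, X509Certificate2 cert)
    {
        var rsa = (RSACryptoServiceProvider)cert.PublicKey.Key;
        return rsa.Encrypt(aesKey, true); // true selects OAEP padding
    }
    // Unwrap at runtime with the private key; keep the plaintext key in memory only.
    public static byte[] UnwrapKey(byte[] wrapped, X509Certificate2 cert)
    {
        var rsa = (RSACryptoServiceProvider)cert.PrivateKey;
        return rsa.Decrypt(wrapped, true);
    }
    // Encrypt with a fresh random IV written in front of the ciphertext: in CBC mode the IV is not secret, so only the key has to match across installations.
    public static byte[] Encrypt(byte[] plaintext, byte[] aesKey)
    {
        using (var aes = new AesCryptoServiceProvider { Key = aesKey, Mode = CipherMode.CBC })
        using (var ms = new MemoryStream())
        {
            aes.GenerateIV();
            ms.Write(aes.IV, 0, aes.IV.Length);
            using (var cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
                cs.Write(plaintext, 0, plaintext.Length);
            return ms.ToArray();
        }
    }
}
```

The private key's ACL in the machine store decides who can unwrap the shared key, so any account that can read it can decrypt every file, which is the architectural limit David points out. CBC alone gives no tamper detection, so for the config-file integrity goal an HMAC over the IV and ciphertext should be appended and verified before decrypting.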