Best way to secure TripleDES keys RRS feed

  • Question

  • Hi there, what is the preferred method to secure a TripleDES key?  Mainly, I want to prevent people from being able to decompile the assembly and see the key used.

    Wednesday, October 29, 2008 8:09 PM

All replies

  • The best way is to not store the key in the code. Store it offsite on a server that is on a protected submit or in the registry of the local machine and protect the registry key with an appropriate ACL.
    Thursday, November 13, 2008 4:56 PM
  • The simple truth is that if users are able to use the key while your code is running, then an evil user can get access to the key, either by disassembling, or with a dissasembler and debugger. The only thing you can do is make getting access to the key slightly more difficult. There's no way I can think of to protect a key in code that wouldn't take an evil user with reasonable skills far less time to crack than it took you write the code to protected it. You can obfuscate; but obfuscation is invariably easy to defeat. Encryption protection falls on the weakest link. And obfuscation is not ecryption.

    Chances are pretty good that if you're using a 3des key in code, that you're not doing it right. I would guess that you need either a public key/private key pair, or a public key/private key hashing system. For user-specific secrets, used the ProtectedData class. For user-specific secrets that are sent to your website, Unprotect the secret stored in the users's computer, with ProtectedData, and then encrypt it with the public key that matches a private key that only you know.
    Friday, November 14, 2008 1:29 PM