locked
How to keep the Encryption Keys securely RRS feed

  • Question

  • Hi all,

    In my C# application, I am storing a key that is used for encryption. I feel this is not the right way to do becase someone can use the Dotnet reflector tools (even ILDASM) and get the key. So could you please help me out by suggesting how can I store the keys securely.

    Friday, July 30, 2010 4:14 AM

Answers

  • Hello K.Ravinder Reddy,

    When I require, I found some thing liks this...

    May be it helps u...

    One standard approach in the app world is to split the key and put it in different places. E.g., you might split the key and put part of it in the filesystem (outside of the 'webapps' directory), part of it in the JNDI configuration (or .net equivalent), and part of it in the database. Getting any single piece isn't particularly hard if you're compromised, e.g., examining backup media or SQL injection, but getting all of the pieces will require a lot more work.

    You can split a key by XOR-ing it with random numbers of the same size. (Use a cryptographically strong random number generator!) You can repeat this process several times if you want to split the key into multiple pieces. At the end of the process you want, e.g., three partial keys such that p1 ^ p2 ^ p3 = key. You might need to base64-encode some of the partial keys so they can be stored properly, e.g., in a JNDI property.

    Finally, whatever you do be sure you can 'rekey' your application fairly easily. One approach is to use the password obtained above to decrypt another file that contains the actual encryption key. This makes it easy to change the password if you think it's been compromised without requiring a massive reencryption of all of the data - just reencrypt your actual key.

    If anything unclear feel free to ask me... :)

    Thanks,

    Nans11

    • Marked as answer by Alan_chen Friday, August 6, 2010 2:11 AM
    Friday, July 30, 2010 5:07 AM

All replies

  • Hello K.Ravinder Reddy,

    When I require, I found some thing liks this...

    May be it helps u...

    One standard approach in the app world is to split the key and put it in different places. E.g., you might split the key and put part of it in the filesystem (outside of the 'webapps' directory), part of it in the JNDI configuration (or .net equivalent), and part of it in the database. Getting any single piece isn't particularly hard if you're compromised, e.g., examining backup media or SQL injection, but getting all of the pieces will require a lot more work.

    You can split a key by XOR-ing it with random numbers of the same size. (Use a cryptographically strong random number generator!) You can repeat this process several times if you want to split the key into multiple pieces. At the end of the process you want, e.g., three partial keys such that p1 ^ p2 ^ p3 = key. You might need to base64-encode some of the partial keys so they can be stored properly, e.g., in a JNDI property.

    Finally, whatever you do be sure you can 'rekey' your application fairly easily. One approach is to use the password obtained above to decrypt another file that contains the actual encryption key. This makes it easy to change the password if you think it's been compromised without requiring a massive reencryption of all of the data - just reencrypt your actual key.

    If anything unclear feel free to ask me... :)

    Thanks,

    Nans11

    • Marked as answer by Alan_chen Friday, August 6, 2010 2:11 AM
    Friday, July 30, 2010 5:07 AM
  • hi,

    maybe read something about code obfuscating. it gives you more secure code (output libraries, exes,...). i cannot recolect how about obfuscated string (i assume you store your key in some string like const string, app.config, etc.)


    BR, Karol mark as answer if it helped you
    Friday, July 30, 2010 7:47 AM
  • Obfuscating your code in a great option or you can make in a resource file and get it from GetObject for the resource. You can split it apart put in different locations as was already mentioned. I know it sucks that .NET can be read by Reflector but for the most part most common users are not going to understand your code or the numerous class, struct, enum... If someone really wants to hack no matter what libraries, then it will be done even with obfuscatating (it will just take longer).
    Friday, July 30, 2010 6:36 PM
  • If the applications used to encrypt and decrypt are different, I would suggest you to use an asymmetrical algorithm like RSA, so each app has one part of the key pair
    Zaiden http://zPod.com.ar
    Friday, July 30, 2010 7:08 PM
  • Hi, Im woking in an application where i need to use and encryption key. Right now that key is stored in a database exclusively for the key and its initialization vector, and the database has the transparent data encryption service on, and the key and initialization vector are also encrypted before been stored in the database. I was reading what you wrote, and I am would like also apply this approach.

    I am using visual studio 2010 to develop my application, and I have been trying to find the way of splitting the key, but I do not find the way to do it, could you give more detail about this process? Did you perform this process before in Visual Studio? Do you have some code example about it ?

    I will appreciate your answers.

    Jorge Reyes

    Wednesday, March 6, 2013 5:40 AM
  • Hi Jorge Reyes Cruz,

    Really saying splitting the keys is very much critical issues ...mostly devlopers use something different mechanism(i.e. XORing, 3 time encrytion, simple mapping table) and most important they put it as a secret. So, they can minimize the risk of hacking. There is no particular standards for it.

    Please see the below link...it will give very good information and basics for secret splitting.

    http://users.telenet.be/d.rijmenants/en/secretsplitting.htm

    may be it helps you.
    If anything is unclear feel free to ask me... :)

    Thanks,
    Nans11


    ENjoy ThE WorLD Of COdE

    Wednesday, March 6, 2013 9:23 AM