Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > Best Practice for storing keys

Reply
Thread Tools

Best Practice for storing keys

 
 
tshad
Guest
Posts: n/a
 
      01-03-2007
I am trying to find the best procedure for storing keys used for encryption.

This would also be a question for the connection string to the database. At
the moment, this is kept in the web.info file.

This seems to be norm from all the books on building your Web Apps. Isn't
this a problem as the web.info is cleartext? I would suppose that having
keys (which you would to store/encrypt and get/decrypt from your database)
in this manner would be dangerous.

I am trying to find out how others deal with this. Also, I would need the
same information for my Apps on the same machine.

Thanks,

Tom


 
Reply With Quote
 
 
 
 
Han
Guest
Posts: n/a
 
      01-03-2007
Hello

Sounds like RSA encription.

http://msdn2.microsoft.com/en-us/library/2w117ede.aspx

Note there is one mistake in the example.

<configProtectedData>
<providers>
<add name="MyProvider"
type="System.Configuration.RsaProtectedConfigurati onProvider,
System.Configuration, Version=2.0. 0.0,
Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
processorArchitecture=MSIL"
keyContainerName="MyKeys"
useMachineContainer="true" />
</providers>
</configProtectedData>

2.0. 0.0 should be 2.0.0.0.

If you are successful encripting some part of your configuration, the key is
secured with NTFS Access Control Lists. Good luck.

"tshad" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
>I am trying to find the best procedure for storing keys used for
>encryption.
>
> This would also be a question for the connection string to the database.
> At
> the moment, this is kept in the web.info file.
>
> This seems to be norm from all the books on building your Web Apps. Isn't
> this a problem as the web.info is cleartext? I would suppose that having
> keys (which you would to store/encrypt and get/decrypt from your database)
> in this manner would be dangerous.
>
> I am trying to find out how others deal with this. Also, I would need the
> same information for my Apps on the same machine.
>
> Thanks,
>
> Tom
>
>



 
Reply With Quote
 
 
 
 
Mark Rae
Guest
Posts: n/a
 
      01-03-2007
"tshad" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...

>I am trying to find the best procedure for storing keys used for
>encryption.


Generally speaking, don't store them at all - devise a mechanism for
generating the same key whenever you need it...
http://msdn.microsoft.com/msdnmag/is...efault.aspx#S9

> This seems to be norm from all the books on building your Web Apps. Isn't
> this a problem as the web.info is cleartext? I would suppose that having
> keys (which you would to store/encrypt and get/decrypt from your database)
> in this manner would be dangerous.


I think there's a lot of FUD (fear, uncertainty and doubt) surrounding
this...

Firstly, ask yourself who are you hiding this key from...? Your
colleagues...? Your boss...? The office cleaner...? If you are worried about
whether your fellow employees are trustworthy or not, then you have a much
bigger problem then key encryption...

Secondly, is your website's security so lax that your web.config is visible
to the outside world...? Again, if that is the case, then you have a much
more fundamental problem than key encryption...

Are you perhaps worried about "professional" hackers...? Again, if a hacker
is clever enough to bypass all your security protection and is able to gain
access to your webserver, it probably won't matter much whether your key is
encrypted or not - they'll crack it...

> I am trying to find out how others deal with this. Also, I would need the
> same information for my Apps on the same machine.


I have an encryption base class which does TripleDES encrpytion. It has two
methods: Encrypt() and Decrypt(). This class, like all my other base
classes, is shared across all projects and clients.

I also have a key generation class which has one method: GenerateKey(). This
generates the key required for the symmetric encryption, and is different
for every client - sometimes different on a project by project basis for the
same client, if that's what they want.

In this way the actual key is not "stored" anywhere. You might say that the
key could be found by disassembly - or, at least, the mechanism for
generating the key could be found by disassenbly - but I take the view that
if a hacker is determined enough to have disassembled my code, they would
have found the key soon enough anyway...

There has to come a point where it's "secure enough", otherwise you'll never
get anything done...

E.g. can you decrypt this:

HgyxhIIBwBb7zY7GBH4xlQ==

?


 
Reply With Quote
 
tshad
Guest
Posts: n/a
 
      01-03-2007
"Mark Rae" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "tshad" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>
>>I am trying to find the best procedure for storing keys used for
>>encryption.

>
> Generally speaking, don't store them at all - devise a mechanism for
> generating the same key whenever you need it...
> http://msdn.microsoft.com/msdnmag/is...efault.aspx#S9
>
>> This seems to be norm from all the books on building your Web Apps.
>> Isn't
>> this a problem as the web.info is cleartext? I would suppose that having
>> keys (which you would to store/encrypt and get/decrypt from your
>> database)
>> in this manner would be dangerous.

>
> I think there's a lot of FUD (fear, uncertainty and doubt) surrounding
> this...


Yes.

But if you store information such as Credit Card or Social Security
information - you want that.
>
> Firstly, ask yourself who are you hiding this key from...? Your
> colleagues...? Your boss...? The office cleaner...?


Yes.

>If you are worried about whether your fellow employees are trustworthy or
>not, then you have a much bigger problem then key encryption...
>
> Secondly, is your website's security so lax that your web.config is
> visible to the outside world...? Again, if that is the case, then you have
> a much more fundamental problem than key encryption...


Even if your security is good - people do get in. Ours is pretty secure but
as you mention below the Professional Hackers may find a way in.
>
> Are you perhaps worried about "professional" hackers...? Again, if a
> hacker is clever enough to bypass all your security protection and is able
> to gain access to your webserver, it probably won't matter much whether
> your key is encrypted or not - they'll crack it...
>
>> I am trying to find out how others deal with this. Also, I would need
>> the
>> same information for my Apps on the same machine.

>
> I have an encryption base class which does TripleDES encrpytion. It has
> two methods: Encrypt() and Decrypt(). This class, like all my other base
> classes, is shared across all projects and clients.
>

This is what I do.

> I also have a key generation class which has one method: GenerateKey().
> This generates the key required for the symmetric encryption, and is
> different for every client - sometimes different on a project by project
> basis for the same client, if that's what they want.
>

At the moment, I am creating one key for all clients. Just a random set of
letters, numbers and special characters. This is passed to both the Encrypt
and Decrypt functions.

I would only be Generating the Key once (or else I would never be able to
decrypt the data). You would have to store something somewhere for the
program to use it (either the data to Generate the Key from or the Key
itself).

> In this way the actual key is not "stored" anywhere. You might say that
> the key could be found by disassembly - or, at least, the mechanism for
> generating the key could be found by disassenbly - but I take the view
> that if a hacker is determined enough to have disassembled my code, they
> would have found the key soon enough anyway...
>
> There has to come a point where it's "secure enough", otherwise you'll
> never get anything done...


I agree here.

I just want to find a pretty reasonable solution.

Thanks,

Tom
>
> E.g. can you decrypt this:
>
> HgyxhIIBwBb7zY7GBH4xlQ==
>
> ?
>



 
Reply With Quote
 
Mark Rae
Guest
Posts: n/a
 
      01-03-2007
"tshad" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> Even if your security is good - people do get in. Ours is pretty secure
> but as you mention below the Professional Hackers may find a way in.


And you will never eliminate that threat 100%...

> I would only be Generating the Key once (or else I would never be able to
> decrypt the data). You would have to store something somewhere for the
> program to use it (either the data to Generate the Key from or the Key
> itself).


NO! And that's the whole point! You don't "store" anything anywhere - you
just devise a routine / algorithm / whatever which always generates the same
key...

>> There has to come a point where it's "secure enough", otherwise you'll
>> never get anything done...

>
> I agree here.
>
> I just want to find a pretty reasonable solution.


Well, there's an argument which says that there comes a point where your
data is *so* sensitive that access to it over the (public) Internet is
always going to be the wrong solution, irrespective of the technology you
use... That's why e.g. hashes are salted, otherwise I could simply steal
your database, get myself a copy of the Oxford English and use every word in
it as the key until I found a match in your encrypted data. You might think
that's an extreme example (and you'd be right!), but with the power of
computers these days, that might be only a few hours' work...


 
Reply With Quote
 
tshad
Guest
Posts: n/a
 
      01-03-2007
"Mark Rae" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "tshad" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>> Even if your security is good - people do get in. Ours is pretty secure
>> but as you mention below the Professional Hackers may find a way in.

>
> And you will never eliminate that threat 100%...


I'm not trying to do that. Just don't want to do something simple like
base64
>
>> I would only be Generating the Key once (or else I would never be able to
>> decrypt the data). You would have to store something somewhere for the
>> program to use it (either the data to Generate the Key from or the Key
>> itself).

>
> NO! And that's the whole point! You don't "store" anything anywhere - you
> just devise a routine / algorithm / whatever which always generates the
> same key...
>

But then what are you using to Generate the Key? It needs to come from
somewhere, doesn't it? You need to use the same key to decrypt the data.
In your GenerateKey() don't you pass it something? That would have to be
stored somewhere.

Tom

>>> There has to come a point where it's "secure enough", otherwise you'll
>>> never get anything done...

>>
>> I agree here.
>>
>> I just want to find a pretty reasonable solution.

>
> Well, there's an argument which says that there comes a point where your
> data is *so* sensitive that access to it over the (public) Internet is
> always going to be the wrong solution, irrespective of the technology you
> use... That's why e.g. hashes are salted, otherwise I could simply steal
> your database, get myself a copy of the Oxford English and use every word
> in it as the key until I found a match in your encrypted data. You might
> think that's an extreme example (and you'd be right!), but with the power
> of computers these days, that might be only a few hours' work...
>



 
Reply With Quote
 
Mark Rae
Guest
Posts: n/a
 
      01-03-2007
"tshad" <(E-Mail Removed)> wrote in message
news:%23fNgp%(E-Mail Removed)...

>> NO! And that's the whole point! You don't "store" anything anywhere - you
>> just devise a routine / algorithm / whatever which always generates the
>> same key...
>>

> But then what are you using to Generate the Key?


An algorithm which always generates the same string.

> It needs to come from somewhere, doesn't it?


Yes - itself.

> You need to use the same key to decrypt the data.


That's right.

> In your GenerateKey() don't you pass it something?


No.

> That would have to be stored somewhere.


I guess it would - if that's actually what I was doing...

E.g.

private string GenerateKey()
{
return (2 + 2).ToString();
}


 
Reply With Quote
 
tshad
Guest
Posts: n/a
 
      01-03-2007

"Mark Rae" <(E-Mail Removed)> wrote in message
news:eBf%(E-Mail Removed)...
> "tshad" <(E-Mail Removed)> wrote in message
> news:%23fNgp%(E-Mail Removed)...
>
>>> NO! And that's the whole point! You don't "store" anything anywhere -
>>> you just devise a routine / algorithm / whatever which always generates
>>> the same key...
>>>

>> But then what are you using to Generate the Key?

>
> An algorithm which always generates the same string.
>
>> It needs to come from somewhere, doesn't it?

>
> Yes - itself.
>
>> You need to use the same key to decrypt the data.

>
> That's right.
>
>> In your GenerateKey() don't you pass it something?

>
> No.
>
>> That would have to be stored somewhere.

>
> I guess it would - if that's actually what I was doing...
>
> E.g.
>
> private string GenerateKey()
> {
> return (2 + 2).ToString();
> }

But this wouldn't work for each customer if each customer had to have a
different key, would it?

Tom


 
Reply With Quote
 
Mark Rae
Guest
Posts: n/a
 
      01-03-2007
"tshad" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

>> private string GenerateKey()
>> {
>> return (2 + 2).ToString();
>> }

> But this wouldn't work for each customer if each customer had to have a
> different key, would it?


???

The encryption base class is constant across all clients and projects.

The key generation class is specific to each client and/or each project.



 
Reply With Quote
 
tshad
Guest
Posts: n/a
 
      01-03-2007
"Mark Rae" <(E-Mail Removed)> wrote in message
news:%23qaI$(E-Mail Removed)...
> "tshad" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>>> private string GenerateKey()
>>> {
>>> return (2 + 2).ToString();
>>> }

>> But this wouldn't work for each customer if each customer had to have a
>> different key, would it?

>
> ???
>
> The encryption base class is constant across all clients and projects.
>
> The key generation class is specific to each client and/or each project.


So you have a different class for each client/project? Where do you get the
value that you are returning for each client? Is it just some random
number?

Tom


 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
storing personalized information, what is best practice? Jeff ASP .Net 1 09-09-2008 11:00 AM
Best Practice for storing keys tshad ASP .Net Security 5 01-05-2007 03:48 AM
Best practice : storing objects in session-variables ? david@nospam.com ASP .Net 9 09-11-2006 09:38 AM
best practice for navigating through a table with arrow keys? PJ6 Javascript 2 12-03-2005 11:26 PM
Remember when your piano teacher taught you, "Practice, practice,practice ...?" Wayne Wastier Windows 64bit 3 06-10-2005 08:29 PM



Advertisments