Asp.net and Encryption: Where to store the keys?

Discussion in 'ASP .Net' started by David, Sep 1, 2005.

  1. David

    David Guest

    One thing that's always puzzled me about implementing encryption on
    remote asp.net apps is where to store the keys. The demo code indicates
    that you include them in a configuration file, but this would seem to
    defeat the purpose. If someone obtained the configuration file and
    they knew the encryption method, then they could decrypt your data.

    Storing them hard-coded in the app is just as bad, since it can be
    disassembled. Obfuscation could help, but the string would still be
    obtainable.

    So, my question is, how should encryption keys be handled?

    Ideas? Pointers to good articles on the subject?

    Thanks
     
    David, Sep 1, 2005
    #1

  2. Ah, yes, you've stumbled across the question everybody wants the answer to.
    But there is no one answer. If everybody stored their keys in the same
    place then hackers would know exactly where to attack.
    Here's an interesting thread on the topic:
    http://www.issociate.de/board/post/247319/Encryption_Key_Storage.html

    --
    I hope this helps,
    Steve C. Orr, MCSD, MVP
    http://SteveOrr.net


    "David" <> wrote in message
    news:...
    > One thing that's always puzzled me about implementing encryption on
    > remote asp.net apps is where to store the keys. The demo code indicates
    > that you include them in a configuration file, but this would seem to
    > defeat the purpose. If someone obtained the configuration file and
    > they knew the encryption method, then they could decrypt your data.
    >
    > Storing them hard-coded in the app is just as bad, since it can be
    > disassembled. Obfuscation could help, but the string would still be
    > obtainable.
    >
    > So, my question is, how should encryption keys be handled?
    >
    > Ideas? Pointers to good articles on the subject?
    >
    > Thanks
     
    Steve C. Orr [MVP, MCSD], Sep 2, 2005
    #2