Cryptography.

Discussion in 'ASP .Net Security' started by Bala Nagarajan, Oct 5, 2005.

  1. Hello,
    I am using .NET's cryptography classes (symmetric algorithm) to
    encrypt/decrypt strings and streams. I want to know the place I should store
    the Key and the IV values for the algorithms? Since these values are
    sensitive information, I definitely cannot store them in the code or config
    files. Please elucidate me on this.

    Thanks
    Bala Nagarajan, Oct 5, 2005
    #1

  2. Bala Nagarajan

    Brock Allen Guest

    Yeah, key management is a big problem. The way many of the built-in keys
    are managed for ASP.NET is to encrypt them per-machine with yet another key
    and let that key be managed by the LSA. This sounds odd, but I think it's
    the best thing we have. So, look into the DPAPI (DataProtected API) in Win32.
    I think Dominick has a managed wrapper for v1.x and IIRC there's a managed
    wrapper built into v2.0.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen

    Brock Allen, Oct 6, 2005
    #2

  3. Bala Nagarajan

    Brock Allen Guest

    Oops, should read "Data Protection" API.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen

    Brock Allen, Oct 6, 2005
    #3
  4. Bala Nagarajan

    [MSFT] Guest

    [MSFT], Oct 6, 2005
    #4
  5. Brock is correct. I have a managed wrapper for V1.x here
    (http://www.theglavs.com/glavtech/Downloads/DPAPI_Wrapper.zip)
    FYI, in V2.0, look into the ProtectedData and ProtectedMemory classes for
    equivalent DPAPI functionality built into the framework.

    --
    - Paul Glavich
    MVP ASP.NET
    http://weblogs.asp.net/pglavich
    ASPInsiders member - http://www.aspinsiders.com
    Paul Glavich [MVP ASP.NET], Oct 11, 2005
    #5
  6. Thanks a lot guys for helping me out.
    My situation is as follows.

    My application will require users to log on to the system by supplying their
    Windows credentials. Since I will have a loaded user profile, can I use the
    DPAPI user-specific key to encrypt and decrypt data? Is this a correct
    approach?

    I want to actually encrypt the whole configuration file during setup. I
    intend to encrypt the configuration file, save the encrypted contents to
    a different file, and delete the config file during setup. Is this a good
    approach? If so, how can I perform this step (namely file delete and save)
    during my setup process?


    Thanks

    -Bala
    Bala Nagarajan, Oct 17, 2005
    #6
  7. Bala Nagarajan

    [MSFT] Guest

    Hello,

    Why do you need to encrypt the whole config file? An asp.net app couldn't
    live without a config file and it still was exposed to installation user
    after setup.

    Luke
    [MSFT], Oct 18, 2005
    #7
  8. I am sorry for not saying this first. My application is a Windows
    application. So my application can live without the config file. Will my
    approach make sense now?

    Thanks
    Bala Nagarajan, Oct 18, 2005
    #8
  9. Bala Nagarajan

    [MSFT] Guest

    That will be fine. I think your approach is right on the track. ;)

    Luke
    [MSFT], Oct 19, 2005
    #9
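
Added example, not part of the original thread and not any poster's code: a C# sketch of the approach discussed above, using the .NET 2.0 `ProtectedData` class with the user-specific DPAPI scope to encrypt a configuration file at setup, save the result to a different file, and delete the plaintext. The file names, the `ConfigProtector` class and the entropy string are hypothetical, and the sample config content is constructed.

```csharp
// Requires Windows and a reference to System.Security.dll (.NET Framework 2.0+).
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class ConfigProtector
{
    // Hypothetical app-specific entropy. It is not a secret; it only stops other
    // programs running as the same user from unprotecting the blob unmodified.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyApp.Config.v1");

    // Setup step: encrypt under the current user's DPAPI key, write the blob to
    // a separate file, and delete the plaintext only if both steps succeeded.
    public static void ProtectFile(string plainPath, string protectedPath)
    {
        byte[] plain = File.ReadAllBytes(plainPath);
        try
        {
            byte[] blob = ProtectedData.Protect(
                plain, Entropy, DataProtectionScope.CurrentUser);
            File.WriteAllBytes(protectedPath, blob);
        }
        finally { Array.Clear(plain, 0, plain.Length); }
        File.Delete(plainPath); // unlinks the file; does not wipe disk sectors
    }

    // Runtime step: succeeds only for the same Windows user whose profile
    // protected the blob; any other account gets a CryptographicException.
    public static string LoadConfig(string protectedPath)
    {
        byte[] blob = File.ReadAllBytes(protectedPath);
        byte[] plain = ProtectedData.Unprotect(
            blob, Entropy, DataProtectionScope.CurrentUser);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    static void Main()
    {
        string dir = Path.Combine(Path.GetTempPath(), "dpapi-demo");
        Directory.CreateDirectory(dir);
        string plainPath = Path.Combine(dir, "app.config");
        string protectedPath = Path.Combine(dir, "app.config.protected");
        // Constructed sample content standing in for the real config file.
        File.WriteAllText(plainPath, "<add key=\"AesKey\" value=\"constructed-sample\"/>");
        ProtectFile(plainPath, protectedPath);
        Console.WriteLine(LoadConfig(protectedPath));
    }
}
```

With `DataProtectionScope.CurrentUser`, the account that runs setup must be the account that later runs the application; if setup runs under a different (for example, administrative) account, the application user cannot decrypt the file.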