HOW TO: store keys?

Discussion in 'ASP .Net' started by Nobody, Nov 2, 2006.

  1. Nobody

    Nobody Guest

    I'm new to ASP.NET, so I'm trying to write a simple store front to get me
    into things. Obviously with users and such, I need to encrypt the passwords.
    No problem there. I wrote a little encryption / decryption routine to
    provide a 2 way mechanism (to allow for emailing users the passwords). I'm
    using TripleDESCryptoServiceProvider with the EncryptedXml class.

    Anyways, I end up with a string (base-64 encoded version of the encrypted
    password). I store the encrypted version of the string in a SQL database as
    a varchar type.

    Now the question is, where can I store the decryption key? I can't store it
    in the Session or Application objects for obvious reasons. I need to have
    the same key for decrypting even if the server is shut down.

    I was storing it in the registry, under HKLM\Software\MyCompany, but somehow
    while googling tonight, I stumbled onto the fact that in a deployed real
    world environment, the web site is going to run under the ASPNET user which
    wouldn't have access to the registry key, but the development server runs
    under my own user account which does.

    Should I be storing it in the registry? or in the database? or where? I kind
    of frowned upon storing it in the same place as the encrypted passwords, so
    if a hacker compromised one place or another, he wouldn't have the plaintext
    passwords.

    A file of some sort in the App_Data directory seems equally hokey.

    NOTE: Basically the key is generated by the DES provider the first time a
    string is encrypted. That key is stored in the registry and used from then
    on.

    Any insight on where the keys should be stored would be appreciated.
     
    Nobody, Nov 2, 2006
    #1
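
One way to handle the storage question in the post above, as an added example that is not part of the original thread: keep the TripleDES key on disk only as a blob wrapped by Windows DPAPI (`ProtectedData`, machine scope), so it survives restarts and can be unwrapped under the ASPNET account without registry rights. The class name, entropy string and file path are assumptions made for illustration; machine scope means any code running on that server can unwrap the blob, so the file's ACL still matters.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;   // ProtectedData: reference System.Security.dll (Windows only)
using System.Text;

// Hypothetical helper: the 3DES key is never written to disk in the clear.
public static class WrappedKeyStore
{
    // Constructed, application-specific entropy; must be identical for Protect and Unprotect.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("MyCompany.StoreFront.PasswordKey");

    // Returns the TripleDES key, generating and wrapping it on first use.
    public static byte[] LoadOrCreateKey(string path)
    {
        if (File.Exists(path))
        {
            byte[] wrapped = File.ReadAllBytes(path);
            // Throws CryptographicException if the blob was altered,
            // the entropy differs, or the file came from another machine.
            return ProtectedData.Unprotect(wrapped, Entropy, DataProtectionScope.LocalMachine);
        }

        byte[] key;
        using (TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider())
        {
            tdes.GenerateKey();   // same first-use generation the post describes
            key = tdes.Key;       // 24 bytes at the default 192-bit key size
        }

        // LocalMachine scope ties the blob to this server rather than to a user
        // profile, so a service account with no loaded profile can still unwrap it.
        byte[] blob = ProtectedData.Protect(key, Entropy, DataProtectionScope.LocalMachine);
        File.WriteAllBytes(path, blob);
        return key;
    }

    public static void Main()
    {
        // Constructed sample path; a real site would use a directory outside the web root.
        string path = Path.Combine(Path.GetTempPath(), "pwkey.bin");
        File.Delete(path);

        byte[] first = LoadOrCreateKey(path);    // generates and wraps
        byte[] second = LoadOrCreateKey(path);   // unwraps the stored blob
        Console.WriteLine("key length: {0} bytes", first.Length);
        Console.WriteLine("same key after reload: {0}",
            Convert.ToBase64String(first) == Convert.ToBase64String(second));
        Console.WriteLine("wrapped blob length: {0} bytes", new FileInfo(path).Length);
    }
}
```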