Store private key in cookie?

Discussion in 'ASP .Net Security' started by Bill Belliveau, Sep 16, 2003.

  1. Greetings,

    I am working on an asp.net storefront that requires credit card information
    to be stored temporarily on the server. Currently the site will feature
    administrative access protected by MD5 and credit card information encrypted
    with Rijndael. Retrieving the information will also be secured by SSL.

    I've seen the question posed a few times but I have yet to see a definitive
    answer. How can I securely store the key/IV? From my readings the general
    consensus is, I can't. Using an MD5 password won't work because the customer
    would need to have access to the password when the information is initially
    encrypted, and storing it in the binaries is a poor solution.

    I was thinking of using RSA to encrypt the Rijndael key/IV. My
    implementation would use the public key to encrypt them and then store the
    private key in a cookie on a trusted 'admin' machine. From what I
    understand SSL encrypts all traffic including cookies. To write the cookie,
    the admin might go to a specific page, paste in the XML key, and click write
    cookie. I could encode the cookie if necessary.

    Any ideas are appreciated.

    Bill

    Bill Belliveau, Sep 16, 2003
    #1

  2. Storing a key in a file somewhere is generally not a good idea, as you are
    not necessarily guaranteed to have correct security permissions on the
    drive, plus any admin could get the key (I'm not a big believer in admins seeing
    sensitive information, regardless of their rights). I'm not quite
    understanding the architecture of what you are mentioning, but if you want
    to store something like that, you could (and please someone correct me if
    this is not secure) store it in the session object. If you need to store
    the key long-term, XP has an API for storing sensitive information called
    the Data Protection API that stores sensitive information in some protected
    place in the registry. That should be a valid storage place, as it is
    recommended in MS Press' "Writing Secure Code" book.

    Keith Patrick, Sep 17, 2003
    #2

  3. In fact, CryptoAPI key containers automatically make use of DPAPI to
    protect private key credentials.
    Whenever possible, it is good practice to make use of the security
    infrastructure already provided to you, instead of trying
    to "roll your own" infrastructure.
    Cheers,
    - Mitch Gallant
    MVP Security
    http://pages.istar.ca/~neutron

    Michel Gallant, Sep 17, 2003
    #3
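As an added example (not code from this thread): keeping the admin-side RSA private key in a named CryptoAPI key container, the approach Mitch describes, with CryptoAPI applying DPAPI to the stored key material, beside the option of protecting an exported key blob with DPAPI directly. The container name is a hypothetical placeholder. RSACryptoServiceProvider and ProtectedData are thin wrappers over CryptoAPI/DPAPI and only work on Windows; on .NET Core/.NET, ProtectedData needs the System.Security.Cryptography.ProtectedData package.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not code from the thread. The RSA private key lives in a
// named CryptoAPI key container under the machine key store; CryptoAPI
// protects the stored key material with DPAPI, so no key file, no cookie.
public static class AdminKeyStore
{
    // Hypothetical container name; use one per application and environment.
    const string ContainerName = "Storefront.CardWrapKey";

    static CspParameters MachineContainer()
    {
        return new CspParameters
        {
            KeyContainerName = ContainerName,
            // UseNonExportableKey is honoured only when the key is first created;
            // opening an existing container ignores it.
            Flags = CspProviderFlags.UseMachineKeyStore
                  | CspProviderFlags.UseNonExportableKey,
        };
    }

    // Creates the key pair on the first call, opens the same pair afterwards.
    public static RSACryptoServiceProvider Open()
    {
        var rsa = new RSACryptoServiceProvider(2048, MachineContainer());
        rsa.PersistKeyInCsp = true;   // keep the key in the container on Dispose
        return rsa;
    }

    // Only the public half is handed to the web tier (e.g. pasted into config).
    public static string PublicKeyXml()
    {
        using (RSACryptoServiceProvider rsa = Open())
            return rsa.ToXmlString(false);
    }

    // Deletes the container and its key material.
    public static void Destroy()
    {
        using (RSACryptoServiceProvider rsa = Open())
        {
            rsa.PersistKeyInCsp = false;
            rsa.Clear();
        }
    }

    // Alternative when a key blob must be held by the application itself:
    // DPAPI encrypts it under a machine-scoped key. LocalMachine scope means
    // any account on this machine can call Unprotect; the optional entropy
    // argument (null here) can be used to narrow that further.
    public static byte[] ProtectBlob(byte[] keyBlob) =>
        ProtectedData.Protect(keyBlob, null, DataProtectionScope.LocalMachine);

    public static byte[] UnprotectBlob(byte[] protectedBlob) =>
        ProtectedData.Unprotect(protectedBlob, null, DataProtectionScope.LocalMachine);

    public static void Main()
    {
        string first = PublicKeyXml();
        string second = PublicKeyXml();   // same container, same key pair
        Console.WriteLine("same key on reopen: " + (first == second));

        using (RSACryptoServiceProvider rsa = Open())
        {
            try
            {
                rsa.ToXmlString(true);    // private half requested
                Console.WriteLine("private key is exportable (container pre-existed?)");
            }
            catch (CryptographicException)
            {
                Console.WriteLine("private key is not exportable");
            }
        }

        byte[] blob = ProtectBlob(System.Text.Encoding.UTF8.GetBytes("constructed sample blob"));
        Console.WriteLine("DPAPI round trip: " +
            System.Text.Encoding.UTF8.GetString(UnprotectBlob(blob)));
    }
}
```

The container approach keeps the private key where the admin's own account and machine policy control it, and the web tier never sees more than the XML public key. DPAPI on its own does not address Keith's concern about local administrators: anyone who can run code as a local account on that machine can call Unprotect on a LocalMachine-scoped blob, so the container or the blob still needs to live on a box those people do not administer.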
  4. Alek Davis (Guest)

    A minor correction: DPAPI does not store anything anywhere (this is what LSA
    functions do); DPAPI just generates user- or machine-specific keys and
    encrypts/decrypts data using these keys.

    It is rather hard to recommend any approach without knowing the detailed
    requirements of the application and the infrastructure settings (and I
    cannot quite figure them out from your description). By the way, you don't
    really have to care about protecting the IV; generally, the IV is not secret
    information, although it will not hurt if you do.

    If you want to get some idea about common options, which can be used to
    protect application secrets, check this article:
    http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/default.aspx
    (although, I doubt that it will tell you exactly what you need to do in your
    particular case).

    Alek

     
    Alek Davis, Sep 25, 2003
    #4
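Bill's scheme (public key on the web server, private key held only on the admin side) together with Alek's point that the IV needs no protection, as an added example that is not from the thread: each card record gets a fresh AES-256 data key and HMAC key, a random IV stored in the clear beside the ciphertext, and the two keys wrapped with RSA-OAEP under the public key, so the server holds no long-term secret at all. Aes stands in for RijndaelManaged, and the HMAC is added so a modified IV or ciphertext is rejected before decryption. The card number is a constructed test value, and Main generates the key pair inline in place of wherever the admin side actually keeps it (a key container, for instance); Decrypt only needs to be handed that private key, which never has to leave the admin machine. Requires .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not code from this thread). Envelope encryption for one card
// record: fresh AES-256 and HMAC keys per record, a random IV stored in the
// clear beside the ciphertext, both keys wrapped with an RSA-OAEP public key.
// The web tier holds only the public key; the private key holder can unwrap.
public sealed class CardRecord
{
    public byte[] WrappedKeys;  // RSA-OAEP-SHA256(pub, encKey || macKey)
    public byte[] IV;           // 16 bytes, unique per record, not secret
    public byte[] Ciphertext;   // AES-256-CBC(encKey, IV, plaintext)
    public byte[] Tag;          // HMAC-SHA256(macKey, IV || Ciphertext)
}

public static class CardEnvelope
{
    public static CardRecord Encrypt(RSA publicKey, string cardNumber)
    {
        byte[] encKey = RandomNumberGenerator.GetBytes(32);
        byte[] macKey = RandomNumberGenerator.GetBytes(32);
        byte[] plaintext = Encoding.UTF8.GetBytes(cardNumber);
        var rec = new CardRecord();
        using (Aes aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                        // never reuse an IV under one key
            rec.IV = aes.IV;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                rec.Ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
        // Encrypt-then-MAC over IV and ciphertext: tampering is caught before decryption.
        using (var hmac = new HMACSHA256(macKey))
            rec.Tag = hmac.ComputeHash(Concat(rec.IV, rec.Ciphertext));
        byte[] keys = Concat(encKey, macKey);
        rec.WrappedKeys = publicKey.Encrypt(keys, RSAEncryptionPadding.OaepSHA256);
        // Nothing secret remains on the encrypting side once the record is built.
        CryptographicOperations.ZeroMemory(encKey);
        CryptographicOperations.ZeroMemory(macKey);
        CryptographicOperations.ZeroMemory(keys);
        CryptographicOperations.ZeroMemory(plaintext);
        return rec;
    }

    public static string Decrypt(RSA privateKey, CardRecord rec)
    {
        byte[] keys = privateKey.Decrypt(rec.WrappedKeys, RSAEncryptionPadding.OaepSHA256);
        byte[] encKey = keys[..32];
        byte[] macKey = keys[32..];
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(Concat(rec.IV, rec.Ciphertext));
            if (!CryptographicOperations.FixedTimeEquals(expected, rec.Tag))
                throw new CryptographicException("record tampered with or wrong key");
        }
        using (Aes aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = rec.IV;                         // the cleartext IV is all that is needed
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(
                    dec.TransformFinalBlock(rec.Ciphertext, 0, rec.Ciphertext.Length));
        }
    }

    static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }
}

public static class Demo
{
    public static void Main()
    {
        using (RSA admin = RSA.Create(2048))        // private half stays with the admin
        using (RSA webTier = RSA.Create())
        {
            webTier.ImportRSAPublicKey(admin.ExportRSAPublicKey(), out _); // public half only
            // Constructed input: the well-known 4111... test card number.
            CardRecord rec = CardEnvelope.Encrypt(webTier, "4111111111111111");
            Console.WriteLine("IV stored in clear: " + Convert.ToBase64String(rec.IV));
            Console.WriteLine("recovered: " + CardEnvelope.Decrypt(admin, rec));
        }
    }
}
```

Because every record carries its own wrapped data keys, compromise of the web server yields only ciphertext, IVs and RSA-wrapped key blobs; nothing on that host can unwrap them. The IV is deliberately left in the clear, as Alek says it can be; what it must be is fresh per record, which GenerateIV provides.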