Steve,

Thanks for the suggestion. I have a routine that creates a key from a password, using SHA512. The problem is distributing the password, or the key.

I will look into encrypting the key into a file here before release, and then distributing the key file and certificate, but I'm not sure how secure that is. It wouldn't be too hard with Reflector to figure out that certificate A is used to decrypt file B, ... and reproduce the code. Maybe I could deploy an encrypted file and certificate, then have the service get the key from the file and move it into protected storage, then delete the file and certificate. It would still be evident what I did, but the file and certificate would be gone, so someone would have to actually reinstall the application and block the service from starting (the service is currently started by the installer) to get to the file. As someone else pointed out, I may also be able to get the key into protected storage during installation; I will also have to look into that option using Wise.

Thanks again, this gives me more to work with.

Rob

-----Original Message-----
From: Discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Johnson
Sent: Thursday, March 20, 2008 3:39 PM
To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
Subject: Re: [ADVANCED-DOTNET] Key storage.

I would suggest you either derive the key from a strong password or encrypt the key using a certificate.

--
Steve Johnson

On Thu, Mar 20, 2008 at 1:27 PM, Robert Lee <[EMAIL PROTECTED]> wrote:
> Maybe someone can help shed some light on this subject for me.
>
> I am encrypting several values (using AES) before storing them to an xml
> file, and I have yet to find an example, or explanation of how to get my key
> into protected storage the first time.
>
> The examples I've seen so far create a random key (unique to the machine),
> and then store that key (encrypting the key via DPAPI). In this case I need
> to be able to transfer the file to another machine for support, or in case
> of a crash, so a random key is out, and any key created in code is visible
> to anyone with Reflector, so that's out. I also can't have the user enter a
> key, as we have a large installed base, and that would compromise the key.
>
> I have read an article suggesting to use a web service, but that seems to be
> a bit extreme just to get a key onto a machine.
>
> Thanks for any insight or suggestions,
>
> Rob Lee
>
===================================
This list is hosted by DevelopMentor® http://www.develop.com
View archives and manage your subscription(s) at http://discuss.develop.com
===================================
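The bootstrap sequence the thread circles around (derive the key from a passphrase at install time, wrap it with DPAPI for the service, keep the passphrase path for moving the XML file to a support machine), as an added example that is not code from anyone on the list. It assumes .NET Framework on Windows with a reference to System.Security.dll, and it uses PBKDF2 (Rfc2898DeriveBytes) in place of the plain SHA512 routine Rob describes; the passphrase itself is still supplied by the installer, so the distribution problem the thread raises is not solved here.

```csharp
// Added example: bootstrap an AES key into DPAPI protected storage.
// Assumes .NET Framework on Windows; ProtectedData lives in System.Security.dll.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class KeyBootstrap
{
    // Application-specific entropy mixed into the DPAPI blob. With LocalMachine
    // scope any process on the box could otherwise call Unprotect on the file.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("ExampleApp-KeyStore-v1"); // constructed value

    // Step 1 (install time, or on a support machine): derive the AES key from the
    // deployment passphrase. Salt and iteration count are fixed per application so
    // the same key is re-derived wherever the encrypted XML file is moved.
    public static byte[] DeriveKey(string passphrase, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(passphrase, salt, 100000))
        {
            return kdf.GetBytes(32); // 256-bit AES key
        }
    }

    // Step 2: wrap the key with DPAPI (machine scope, because a service uses it)
    // and persist only the wrapped blob; the passphrase is never written to disk.
    public static void StoreProtectedKey(byte[] key, string blobPath)
    {
        byte[] blob = ProtectedData.Protect(key, Entropy, DataProtectionScope.LocalMachine);
        File.WriteAllBytes(blobPath, blob);
        Array.Clear(key, 0, key.Length); // drop the plaintext copy once wrapped
    }

    // Step 3 (service start): unwrap the key. This fails on any other machine,
    // which is why the passphrase route in Step 1 is kept for support transfers.
    public static byte[] LoadProtectedKey(string blobPath)
    {
        byte[] blob = File.ReadAllBytes(blobPath);
        return ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.LocalMachine);
    }
}
```

The salt and entropy strings are still visible to anyone decompiling the assembly; what DPAPI adds is that the wrapped blob on disk cannot be opened off the machine it was created on.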