Would generating a random key be an option if you have a password-protected backup/export?
I guess the thing that will influence this most is that it really depends on when you encrypt the data in the XML file; if it is at install time this might work. It might look a little like this:

1) generate a random key for the app.
2) get a password from the user.
3) generate a key from the password.
4) encrypt the app key to a file using the password-generated key.

Give the user the option of replacing the random key with the one in the file: prompt for the password, decrypt the key and store the decrypted key in DPAPI. And optionally, for a smoother user experience, you could prompt during install to create/use the file, but I guess that will depend a little on Wise.

I believe this is what MS use in Enterprise Single Sign-On, given that the procedure is somewhat similar. It does have the advantage of you not having to take responsibility for distributing a key, whilst allowing the user to make a backup / install on more than one machine.

HTH
James

On Thu, Mar 20, 2008 at 8:25 PM, Robert Lee <[EMAIL PROTECTED]> wrote:
> Steve,
>
> Thanks for the suggestion. I have a routine that creates a key from a
> password, using SHA512. The problem is distributing the password, or the
> key.
>
> I will look into encrypting the key into a file here before release, and
> then distributing the key file, and certificate, but I'm not sure how secure
> that is. It wouldn't be too hard with Reflector to figure out that
> certificate A is used to decrypt file B, ... and reproduce the code.
>
> Maybe I could deploy an encrypted file and certificate, then have the
> service get the key from the file and move it into protected storage, then
> delete the file, and certificate. It would still be evident what I did, but
> the file and certificate would be gone, so someone would have to actually
> reinstall the application, and block the service from starting (the service
> is currently started by the installer) to get to the file.
>
> As someone else pointed out, I may also be able to get the key into
> protected storage during installation; I will also have to look into that
> option using Wise.
>
> Thanks again, this gives me more to work with.
> Rob
>
> -----Original Message-----
> From: Discussion of advanced .NET topics.
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve Johnson
> Sent: Thursday, March 20, 2008 3:39 PM
> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
> Subject: Re: [ADVANCED-DOTNET] Key storage.
>
> I would suggest you either derive the key from a strong password or encrypt
> the key using a certificate.
>
> --
> Steve Johnson
>
> On Thu, Mar 20, 2008 at 1:27 PM, Robert Lee <[EMAIL PROTECTED]> wrote:
> >
> > Maybe someone can help shed some light on this subject for me.
> >
> > I am encrypting several values (using AES) before storing them to an XML
> > file, and I have yet to find an example, or explanation, of how to get my key
> > into protected storage the first time.
> >
> > The examples I've seen so far create a random key (unique to the machine),
> > and then store that key (encrypting the key via DPAPI). In this case I need
> > to be able to transfer the file to another machine for support, or in case
> > of a crash, so a random key is out, and any key created in code is visible
> > to anyone with Reflector, so that's out. I also can't have the user enter a
> > key, as we have a large installed base, and that would compromise the key.
> >
> > I have read an article suggesting to use a web service, but that seems to be
> > a bit extreme just to get a key onto a machine.
> >
> > Thanks for any insight or suggestions,
> >
> > Rob Lee
> >
> > ===================================
> > This list is hosted by DevelopMentor(R) http://www.develop.com
> >
> > View archives and manage your subscription(s) at
> > http://discuss.develop.com
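The four-step scheme James outlines (random app key, password-derived key, app key wrapped into a portable file, unwrapped key handed to DPAPI) as an added .NET example; this is not code from the thread or from any of its posters. Assumptions: the class name AppKeyExport and the blob layout (salt || iv || ciphertext || hmac) are mine; PBKDF2 via Rfc2898DeriveBytes with a SHA-512 PRF stands in for Rob's own SHA512 routine; the file is AES-CBC with an HMAC-SHA256 over the whole blob so a wrong password or a modified file is rejected before decryption; the DPAPI step uses ProtectedData (System.Security) and only works on Windows.

```csharp
// Added example (not from the mailing-list thread). Assumed layout of the
// exported key file: salt || iv || ciphertext || hmac (encrypt-then-MAC).
using System;
using System.Security.Cryptography;

public static class AppKeyExport
{
    const int KeyBytes = 32;       // 256-bit AES application key
    const int SaltBytes = 16;
    const int IvBytes = 16;
    const int MacBytes = 32;       // HMAC-SHA256 tag
    const int Iterations = 200000; // assumption: tune to what the install step can afford

    // Step 1: a fresh random key for the application.
    public static byte[] GenerateAppKey()
    {
        var key = new byte[KeyBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }

    // Step 3: derive separate encryption and MAC keys from the user's password.
    static void DeriveKeys(string password, byte[] salt, out byte[] encKey, out byte[] macKey)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA512))
        {
            encKey = kdf.GetBytes(KeyBytes);
            macKey = kdf.GetBytes(KeyBytes);
        }
    }

    // Step 4: wrap the app key under the password-derived key; the result is what goes in the file.
    public static byte[] WrapAppKey(byte[] appKey, string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] encKey, macKey;
        DeriveKeys(password, salt, out encKey, out macKey);

        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.GenerateIV();
            byte[] ct;
            using (var enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(appKey, 0, appKey.Length);
            var body = Concat(salt, aes.IV, ct);
            using (var hmac = new HMACSHA256(macKey))
                return Concat(body, hmac.ComputeHash(body));
        }
    }

    // On the second machine: verify the tag first, then decrypt. A wrong password
    // derives a different MAC key, so it fails here rather than yielding garbage.
    public static byte[] UnwrapAppKey(byte[] blob, string password)
    {
        int macOffset = blob.Length - MacBytes;
        if (macOffset < SaltBytes + IvBytes + 16)
            throw new CryptographicException("Key file is too short.");
        var salt = Slice(blob, 0, SaltBytes);
        var iv = Slice(blob, SaltBytes, IvBytes);
        var ct = Slice(blob, SaltBytes + IvBytes, macOffset - SaltBytes - IvBytes);
        var mac = Slice(blob, macOffset, MacBytes);

        byte[] encKey, macKey;
        DeriveKeys(password, salt, out encKey, out macKey);
        using (var hmac = new HMACSHA256(macKey))
        {
            if (!FixedTimeEquals(hmac.ComputeHash(blob, 0, macOffset), mac))
                throw new CryptographicException("Wrong password or key file has been modified.");
        }
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(ct, 0, ct.Length);
        }
    }

    // Final step: hand the recovered key to DPAPI and keep only this form on disk.
    public static byte[] ProtectForMachine(byte[] appKey)
    {
        return ProtectedData.Protect(appKey, null, DataProtectionScope.LocalMachine);
    }

    public static byte[] UnprotectForMachine(byte[] protectedKey)
    {
        return ProtectedData.Unprotect(protectedKey, null, DataProtectionScope.LocalMachine);
    }

    // Constant-time comparison so the MAC check does not leak how many bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static byte[] Concat(params byte[][] parts)
    {
        int total = 0;
        foreach (var p in parts) total += p.Length;
        var result = new byte[total];
        int pos = 0;
        foreach (var p in parts) { Buffer.BlockCopy(p, 0, result, pos, p.Length); pos += p.Length; }
        return result;
    }

    static byte[] Slice(byte[] src, int offset, int count)
    {
        var result = new byte[count];
        Buffer.BlockCopy(src, offset, result, 0, count);
        return result;
    }
}
```

At install time the service calls GenerateAppKey, stores ProtectForMachine(key) in its config, and, when the user supplies a password, writes WrapAppKey(key, password) out as the backup file; on a replacement machine it reads that file, calls UnwrapAppKey with the same password and stores ProtectForMachine of the result, clearing the plaintext key array afterwards. DataProtectionScope.LocalMachine lets a service account read the key back without a loaded user profile, but it also means any process on that machine can call Unprotect, so the protected blob still needs file ACLs restricting it to the service account.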