If you're at all concerned about a dictionary attack I think you're going to want to add a "salt" to that hash.

Do I take it that the clients will also need to *decrypt* these secret values? If so, I think you're going to have a hard time keeping the decryption key from people with reflector (which I guess is what prompts your question ;-). How about an obfuscator? That would discourage a large chunk of possible attackers, I'd think. If your clients *don't* need to decrypt, then you should be able to use an asymmetric key system like RSA & distribute just the public key with your app.

HTH,
-Roy

-----Original Message-----
From: Discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Robert Lee
Sent: Thursday, March 20, 2008 1:25 PM
To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
Subject: Re: [ADVANCED-DOTNET] Key storage.

Steve,

Thanks for the suggestion. I have a routine that creates a key from a password, using SHA512. The problem is distributing the password, or the key. I will look into encrypting the key into a file here before release, and then distributing the key file, and certificate, but I'm not sure how secure that is. It wouldn't be too hard with reflector to figure out that certificate A is used to decrypt file B, .... and reproduce the code.

Maybe I could deploy an encrypted file and certificate, then have the service get the key from the file and move it into protected storage, then delete the file, and certificate. It would still be evident what I did, but the file and certificate would be gone, so someone would have to actually reinstall the application, and block the service from starting (the service is currently started by the installer) to get to the file.

As someone else pointed out, I may also be able to get the key into protected storage during installation, I will also have to look into that option using Wise.

Thanks again, this gives me more to work with.

Rob

-----Original Message-----
From: Discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Steve Johnson
Sent: Thursday, March 20, 2008 3:39 PM
To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
Subject: Re: [ADVANCED-DOTNET] Key storage.

I would suggest you either derive the key from a strong password or encrypt the key using a certificate.

--
Steve Johnson

On Thu, Mar 20, 2008 at 1:27 PM, Robert Lee <[EMAIL PROTECTED]> wrote:
> Maybe someone can help shed some light on this subject for me.
>
> I am encrypting several values (using AES) before storing them to an
> xml file, and I have yet to find an example, or explanation of how to
> get my key into protected storage the first time.
>
> The examples I've seen so far create a random key (unique to the
> machine), and then store that key (encrypting the key via DPAPI). In
> this case I need to be able to transfer the file to another machine
> for support, or in case of a crash, so a random key is out, and any
> key created in code is visible to anyone with reflector, so that's
> out. I also can't have the user enter a key, as we have a large
> installed base, and that would compromise the key.
>
> I have read an article suggesting to use a web service, but that seems
> to be a bit extreme just to get a key onto a machine.
>
> Thanks for any insight or suggestions,
>
> Rob Lee
>

===================================
This list is hosted by DevelopMentor®
http://www.develop.com
View archives and manage your subscription(s) at http://discuss.develop.com
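As an added example (not code from the thread, and not .NET), here is the salted, password-derived key scheme that Roy's "add a salt to that hash" and Steve's "derive the key from a strong password" point at, written in Python with the standard library. A per-file random salt is stored in the clear in a small key-file header, so the same passphrase gives a different key on every install (no single precomputed table works everywhere), yet the key can be re-derived on another machine from the header plus the passphrase, which is the portability Rob needs. The header layout, the iteration count and the "key-check" tag are this example's own assumptions.

```python
"""Salted, reproducible AES key derivation (added example, stdlib only)."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed values, not from the thread: the passphrase the installer
# knows, and the PBKDF2 iteration count recorded in each key file.
PASSPHRASE = b"constructed-example-passphrase"
ITERATIONS = 100_000
KEY_LEN = 32  # AES-256 key size in bytes
SALT_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 check tag


def unsalted_key(passphrase: bytes) -> bytes:
    """The plain SHA512-of-password approach: identical on every install,
    so one precomputed table of likely passphrases yields the key anywhere."""
    return hashlib.sha512(passphrase).digest()[:KEY_LEN]


def derive_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA512 with a per-file salt. The salt is not secret; it
    sits beside the ciphertext and only makes precomputation useless."""
    return hashlib.pbkdf2_hmac("sha512", passphrase, salt, iterations, KEY_LEN)


def make_key_file(passphrase: bytes) -> bytes:
    """Header written once at install time: salt | iterations | check tag.
    The tag lets the service confirm the passphrase before it decrypts."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(passphrase, salt, ITERATIONS)
    tag = hmac.new(key, b"key-check", "sha256").digest()
    return salt + ITERATIONS.to_bytes(4, "big") + tag


def open_key_file(blob: bytes, passphrase: bytes) -> Optional[bytes]:
    """Re-derive the key on any machine from header + passphrase.
    Returns None when the passphrase does not match the header's tag."""
    salt = blob[:SALT_LEN]
    iterations = int.from_bytes(blob[SALT_LEN:SALT_LEN + 4], "big")
    tag = blob[SALT_LEN + 4:SALT_LEN + 4 + TAG_LEN]
    key = derive_key(passphrase, salt, iterations)
    expected = hmac.new(key, b"key-check", "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return key
```

Distributing the passphrase itself is still the open problem Rob describes; the header only removes the need to ship a fixed key or a fixed hash in the code.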