The fact is that it is pretty easy to track down a hard-coded key. The best
solution is to not store a key at all. 

Since this is a program that stores passwords, I would guess that the user
must enter a master password to access the data. You should use this
password to derive an AES key for the data encryption. That way you never
have to actually store the key itself. By doing that you also have a
built-in way to verify the master password--the user enters the wrong
password and they just can't decrypt the data. 

If that doesn't work for your situation, you might try using the Windows
Protected Store to keep track of the key (or part of the key). 

And if that doesn't work, perhaps you could store part of the key in the
registry and make sure that only specific users have permissions to read that
key.

Whatever you do, make sure you have strong NTFS permissions on the program
and its database to make it harder for it to fall into the wrong hands.


Mark Burnett

> -----Original Message-----
> From: Davie Elliott [mailto:[EMAIL PROTECTED] 
> Sent: Friday, June 16, 2006 3:02 AM
> To: [email protected]
> Subject: Securing an encryption key within software.
> 
> 
> Hello everyone,
> 
> I have been writing a password storing application in Visual 
> Basic. The passwords are stored in a database and encrypted 
> with AES 256-bit.
> And I have been wondering how I would stop the key from being 
> found, should the software somehow leave the building and 
> fall into the wrong hands.
> 
> Using a simple Hex Editor on the software I can see that any 
> strings that have been defined ("hard coded") in the software 
> can easily be read. So what I have done is left the "hard 
> coded" key in the software, but only use it to 
> encrypt/decrypt the database key that is held in a file, so I have:
> 
> "Hard coded" key [ENCRYPT] Database Key -----> Encrypted key 
> (Store in a plain text file)
> 
> When the software loads:
> 
> "Hard coded" key [DECRYPT] Encrypted key -----> Database key 
> (Stored in memory and used to decrypt passwords in the database).
> 
> My worry again, is that if the plaintext file and the 
> software managed to leave the building, the same situation will occur.
> 
> So, my question is: How does one securely store an encryption 
> key inside a program?
> 
> I thank you for your input.
> 
> Davie Elliott
> Network Administrator
> Express Link-Up Social Enterprise
> Unit 4-6
> Lenton Business Centre
> Lenton Boulevard
> Nottingham
> NG7 2BY
> t: 0115 9791200
> w: www.eluse.co.uk
> 
> 
> 
> 
> 

