Encryption Scenario

hi everyone,

I do not have much experience with encryption, so sorry if my question is a little silly.

I have problems with storing the KEYS that are used in encryption. I could not decide where I should store my keys or how I should store them.

We have this scenario in our project:

We are developing a project with a server / client architecture. The server should send data to the client with encryption. But the thing is, users have no idea about 'what the key is', so users also shouldn't see the keys, in order not to get them stolen or anything else.

The first scenario I thought of was: the server could encrypt the data using symmetric encryption. Then the server also encrypts the symmetric key with asymmetric encryption (with the private key). Then when the user gets the data, it will first decrypt the key with the public key and then decrypt the data with the key that was just got from the first decryption.

Everything seems OK, but the thing is the user has the public key. So he/she can get it stolen. I wanted to make the public key inaccessible to the user. I should store it somewhere that only the client program can access when needed.

I thought I could use DPAPI to store the key, but this is quite not possible, because DPAPI uses user credentials, and this does not match our needs. (Different Windows users may log on to the client program using the same account that we gave them.)

So is there any way to solve this problem?

My second question is connected to the first question. The client will store some sensitive data locally. This data should be stored encrypted. Again we are having a KEY STORAGE problem. Where should I store the KEY?

The scenario is this:

The client should generate a key;
This key will be used for data encryption;
The key should be stored safely so that other people can't access it (including the client user).

Is the only way to use DPAPI?

(sorry for my English)

Thanks in advance
Erdem KEMER


The first scenario sounds tailor-made for SSL. Is the main goal to protect the data on the network? If so, that's the best thing to use. Creating your own key exchange process is very difficult to get right, and SSL already does this for you in a well known, well tested way.

For the second scenario, using DPAPI is probably the best way to go. It depends a bit on the nature of the data, though, too. If you are concerned that a problem with the machine might cause a loss of the DPAPI-protected key and thus a loss of the data, you might consider doing something like PKCS7 Enveloped Data, using a certificate that the local user has and a certificate owned by the system. That way, you have a centralized key that can be used to recover the data. If you have a key recovery strategy for the client certificate issued to the user, then this piece might not be needed.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Erdem KEMER" <erdemke***@gmail.com> wrote in message news:OfXgKfZrGHA.3604@TK2MSFTNGP02.phx.gbl...
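As an added example, not code from either poster, here is how the second scenario could be realised in .NET with DPAPI, the option recommended in the reply: the client generates an AES key, stores only the DPAPI-wrapped blob on disk, and unwraps it whenever it needs to encrypt a local record. The file path and the entropy string are placeholders, and the project is assumed to reference System.Security.dll for ProtectedData.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread. The file path and entropy string are placeholders;
// ProtectedData lives in System.Security.dll, which the project must reference.
static class LocalKeyStore
{
    // Optional entropy mixed into the DPAPI protection. In LocalMachine scope any process on
    // the box can call Unprotect, so this value plus a restrictive ACL on the blob file is what
    // stops other local code from trivially unwrapping the key.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy-v1");

    // Generate a fresh AES-256 key, wrap it with DPAPI and store only the wrapped blob.
    public static byte[] CreateAndStoreKey(string path)
    {
        using (var aes = Aes.Create())
        {
            aes.KeySize = 256;
            aes.GenerateKey();
            // LocalMachine scope is not tied to one Windows user's credentials, which matters when
            // several Windows users run the client under one shared application account.
            File.WriteAllBytes(path, ProtectedData.Protect(aes.Key, Entropy, DataProtectionScope.LocalMachine));
            return aes.Key;
        }
    }

    // Unwrap the stored key; throws CryptographicException on another machine or with wrong entropy.
    public static byte[] LoadKey(string path)
    {
        return ProtectedData.Unprotect(File.ReadAllBytes(path), Entropy, DataProtectionScope.LocalMachine);
    }

    // Encrypt one record with AES-CBC under the stored key; the random IV is prepended to the output.
    public static byte[] EncryptRecord(byte[] key, byte[] plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV();
            byte[] body = aes.CreateEncryptor().TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] outp = new byte[aes.IV.Length + body.Length];
            Buffer.BlockCopy(aes.IV, 0, outp, 0, aes.IV.Length);
            Buffer.BlockCopy(body, 0, outp, aes.IV.Length, body.Length);
            return outp;
        }
    }
}
```

With LocalMachine scope the protection is bound to the machine rather than to one user, so the file ACL on the blob and the application entropy are what separate the key from other code running on the same box.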