views: 784 | answers: 1

I was reading about Key Containers in .NET as a secure place to store a private key for asymmetric cryptography and digital signing.

My question is: how secure is the Key Container? I've found out that if I know the key container name, then I will be able to retrieve the private key using the following:

using System;
using System.Security.Cryptography;

// Name of the existing key container to open.
string ContainerName = "MyKeyContainerName";

// Create the CspParameters object and set the key container
// name used to store the RSA key pair.
CspParameters cp = new CspParameters();
cp.KeyContainerName = ContainerName;

// Create a new instance of RSACryptoServiceProvider that accesses
// the key container MyKeyContainerName.
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cp);

// Display the key information (including the private key) to the console.
Console.WriteLine("Key retrieved from container : \n {0}", rsa.ToXmlString(true));

Are Key Containers a secure place to store private keys?

+4 A:

That really depends on your requirements.

The keystore behind RSACryptoServiceProvider is really the CryptoAPI key store. Keys here are stored on the filesystem protected under the user credentials (if using the user store) or the machine credentials (if using the machine store). This means that an attacker that has access to the proper credentials will be able to extract the private key.

This will be true for all crypto implementations that do not store the key in a smartcard, hardware security module, TPM chip etc.

To protect against a less capable attacker, the CryptoAPI and hence RSACryptoServiceProvider gives you the possibility of setting the key to non-exportable. This means that CryptoAPI/.NET will refuse to perform the private key export for you (but a knowledgeable attacker will still be able to work around this). To do this, generate the key with CspProviderFlags.UseNonExportableKey.

You can also use CspProviderFlags.UseUserProtectedKey which will ask the user for confirmation and an optional additional password whenever the private key is used.

Rasmus Faber
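The following is an added example, not code from the question or from Rasmus Faber's answer. It generates an RSA key in a named CryptoAPI container with the CspProviderFlags.UseNonExportableKey flag the answer mentions, then shows what .NET will and will not hand back afterwards: the CSP reports the key as non-exportable, the public half and signing still work, and the ToXmlString(true) / ExportParameters(true) call from the question now throws a CryptographicException. It assumes .NET Framework on Windows with the CryptoAPI-backed RSACryptoServiceProvider; the container name and the sample message are made up, and provider type 24 (PROV_RSA_AES) is chosen so SHA-256 signatures are available.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original post). Demonstrates the
// UseNonExportableKey flag described in the answer.
public static class NonExportableKeyDemo
{
    // Constructed container name for the demo; any unique string works.
    const string ContainerName = "ExampleNonExportableContainer";

    // PROV_RSA_AES: the CSP type that supports SHA-256 signing.
    const int ProvRsaAes = 24;

    // Creates (or opens) the container. The flag only takes effect at key
    // generation time: a key that was created exportable stays exportable.
    public static RSACryptoServiceProvider OpenNonExportableKey()
    {
        var cp = new CspParameters(ProvRsaAes)
        {
            KeyContainerName = ContainerName,
            Flags = CspProviderFlags.UseNonExportableKey
        };
        return new RSACryptoServiceProvider(2048, cp) { PersistKeyInCsp = true };
    }

    // True when .NET refuses to export the private half of the key.
    public static bool PrivateExportIsBlocked(RSACryptoServiceProvider rsa)
    {
        try
        {
            rsa.ExportParameters(true); // same operation as ToXmlString(true)
            return false;
        }
        catch (CryptographicException)
        {
            return true;
        }
    }

    public static void Main()
    {
        using (var rsa = OpenNonExportableKey())
        {
            // The CSP records whether the key may leave the container.
            Console.WriteLine("Exportable: {0}", rsa.CspKeyContainerInfo.Exportable);

            // The public half is always available.
            Console.WriteLine("Public key: {0}", rsa.ToXmlString(false));

            // The private half: the call from the question now throws.
            Console.WriteLine("Private export blocked: {0}", PrivateExportIsBlocked(rsa));

            // The key remains usable for its purpose; signing happens inside the CSP.
            byte[] data = Encoding.UTF8.GetBytes("constructed sample message");
            byte[] sig = rsa.SignData(data, "SHA256");
            Console.WriteLine("Signature verifies: {0}", rsa.VerifyData(data, "SHA256", sig));

            // Clean up: with PersistKeyInCsp false, disposing deletes the demo container.
            rsa.PersistKeyInCsp = false;
        }
    }
}
```

Two points worth checking when adapting this: CspKeyContainerInfo.Exportable is the quickest way to confirm that an existing container really was generated non-exportable, since re-opening an already exportable container with the flag does not change it; and, as the answer notes, the refusal is enforced by CryptoAPI's own export path rather than by any hardware boundary, so it raises the bar for an attacker but does not replace a smartcard, HSM or TPM for keys that must never leave the machine.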