views:

165

answers:

2

I am starting to use the CryptoStream class. I may be wrong, but if you encrypt something, close the app, and then try to decrypt it, it will not be able to because a different key will be generated. Because I do need this functionality, I am wondering if it's possible to save the key in application settings and whether this is the right way to go?

+1  A: 

Lots of applications save the keys in configuration files. It's a common bad practice.

It's not secure, but all secure options are hard to implement. There are options using different factors:

  1. You can derive the key from a password using PBE (password-based encryption). But you have to enter a password to start your application. This is the so-called "what you know" factor.

  2. Put the key in a smartcard. This is very secure, but you need to have access to the card on the machine. This is called "what you have".

Ignore other schemes involving encrypting keys with yet another key. It doesn't really change the security strength.

ZZ Coder
Cool, so how do I use PBE in VB.NET?
I__
What about reading something in the registry?
I__
http://msdn.microsoft.com/en-us/magazine/cc164054.aspx: "Storing Encrypted Data: Unless you have a compelling reason to do otherwise, store encrypted data in the application configuration files or Windows registry. The main advantages of both options include the ability to protect data using ACLs and the ease of programmatic access. Any other type of data storage is likely to lack at least one of these advantages and even though it might add another benefit, it is unlikely to justify the extra implementation effort."
I__
For using PBE in VB, see http://www.example-code.com/vbdotnet/crypt2_pbes2.asp
ZZ Coder
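As an added example, not code from the thread or from the linked page, here is the "what you know" option above in VB.NET: the key is derived from a password with the .NET Rfc2898DeriveBytes class (PBKDF2), so nothing but a random salt has to be stored, and the same password plus the stored salt reproduces the same key after the application restarts. The iteration count, the "salt | IV | ciphertext | HMAC" layout, the sample password and the `secret.bin` file name are choices made for this example; a wrong password or tampered data fails the MAC check instead of producing garbage.

```vb
Imports System
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Module PasswordBasedEncryption

    ' Example parameters: sizes in bytes; raise Iterations as hardware allows.
    Private Const SaltSize As Integer = 16
    Private Const IvSize As Integer = 16
    Private Const KeySize As Integer = 32       ' AES-256 key
    Private Const MacSize As Integer = 32       ' HMAC-SHA256 tag
    Private Const Iterations As Integer = 100000

    ' PBKDF2 turns password + salt into key material; one derivation yields
    ' both the encryption key and a separate MAC key.
    Private Sub DeriveKeys(ByVal password As String, ByVal salt As Byte(),
                           ByRef encKey As Byte(), ByRef macKey As Byte())
        Dim kdf As New Rfc2898DeriveBytes(password, salt, Iterations)
        encKey = kdf.GetBytes(KeySize)
        macKey = kdf.GetBytes(MacSize)
    End Sub

    ' Output layout: salt | iv | ciphertext | hmac  (encrypt-then-MAC)
    Public Function Encrypt(ByVal plaintext As Byte(), ByVal password As String) As Byte()
        Dim salt(SaltSize - 1) As Byte
        Dim iv(IvSize - 1) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)      ' fresh random salt per blob, stored in the clear
            rng.GetBytes(iv)
        End Using

        Dim encKey As Byte() = Nothing, macKey As Byte() = Nothing
        DeriveKeys(password, salt, encKey, macKey)

        Dim ciphertext As Byte()
        Using aes As Aes = Aes.Create()
            aes.Key = encKey : aes.IV = iv
            aes.Mode = CipherMode.CBC : aes.Padding = PaddingMode.PKCS7
            Using enc As ICryptoTransform = aes.CreateEncryptor()
                ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length)
            End Using
        End Using

        Dim body(SaltSize + IvSize + ciphertext.Length - 1) As Byte
        Buffer.BlockCopy(salt, 0, body, 0, SaltSize)
        Buffer.BlockCopy(iv, 0, body, SaltSize, IvSize)
        Buffer.BlockCopy(ciphertext, 0, body, SaltSize + IvSize, ciphertext.Length)

        Dim tag As Byte()
        Using mac As New HMACSHA256(macKey)
            tag = mac.ComputeHash(body)     ' MAC covers salt and IV too
        End Using

        Dim result(body.Length + MacSize - 1) As Byte
        Buffer.BlockCopy(body, 0, result, 0, body.Length)
        Buffer.BlockCopy(tag, 0, result, body.Length, MacSize)
        Return result
    End Function

    Public Function Decrypt(ByVal blob As Byte(), ByVal password As String) As Byte()
        If blob.Length < SaltSize + IvSize + MacSize Then
            Throw New CryptographicException("Blob too short")
        End If
        Dim bodyLength As Integer = blob.Length - MacSize
        Dim salt(SaltSize - 1) As Byte, iv(IvSize - 1) As Byte
        Buffer.BlockCopy(blob, 0, salt, 0, SaltSize)
        Buffer.BlockCopy(blob, SaltSize, iv, 0, IvSize)

        Dim encKey As Byte() = Nothing, macKey As Byte() = Nothing
        DeriveKeys(password, salt, encKey, macKey)

        ' Verify the tag before decrypting: wrong password or tampering stops here.
        Dim expected(MacSize - 1) As Byte
        Buffer.BlockCopy(blob, bodyLength, expected, 0, MacSize)
        Dim actual As Byte()
        Using mac As New HMACSHA256(macKey)
            actual = mac.ComputeHash(blob, 0, bodyLength)
        End Using
        If Not ConstantTimeEquals(expected, actual) Then
            Throw New CryptographicException("Wrong password or data tampered with")
        End If

        Using aes As Aes = Aes.Create()
            aes.Key = encKey : aes.IV = iv
            aes.Mode = CipherMode.CBC : aes.Padding = PaddingMode.PKCS7
            Using dec As ICryptoTransform = aes.CreateDecryptor()
                Return dec.TransformFinalBlock(blob, SaltSize + IvSize, bodyLength - SaltSize - IvSize)
            End Using
        End Using
    End Function

    ' Compare tags without early exit so a timing side channel does not leak the tag.
    Private Function ConstantTimeEquals(ByVal a As Byte(), ByVal b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    Sub Main()
        Const pw As String = "correct horse battery staple"   ' example password, prompted for in practice
        File.WriteAllBytes("secret.bin", Encrypt(Encoding.UTF8.GetBytes("Server=db;Password=hunter2"), pw))
        ' After a restart only secret.bin and the password are needed; no key was ever stored.
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(File.ReadAllBytes("secret.bin"), pw)))
    End Sub
End Module
```

The salt is not secret and can sit next to the ciphertext in the config file; what must never be written to disk is the password or the derived key. In practice the password comes from a prompt at startup, which is the usability cost the answer describes.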
+1  A: 

If you always run your app under the same user account (it can be a local user or a domain user), the best option would be to use DPAPI. The advantage of using DPAPI is that you do not have to worry about the key (the system generates it for you). If you run the app under different user identities, then it gets more complex because the options that are available range from bad to worse (the major problem is: how do you protect your secret: key, password, passphrase, etc). Depending on what you want to do, you may not need to use encryption at all (e.g. if you want to encrypt a connection string, consider using integrated windows authentication, which does not require a password). For more info on the topic, check out this MSDN article: Safeguard Database Connection Strings and Other Sensitive Settings in Your Code; it may give you some ideas.

Alek Davis
My answer assumed that this application does not require user interaction, e.g. a Windows Service. If the app requires user interaction and for some reason it cannot use DPAPI (say, it's executed by different users, who need access to the same data), then the easiest way would be to prompt the user to enter a password/passphrase and derive a key from it.
Alek Davis
Alek, this is very, very, very good, thank you very much. I am going with DPAPI.
I__
Just make sure that you use DPAPI with user store (key); otherwise, with machine key encryption, any other app will be able to decrypt data on this computer. You also need to understand limitations (e.g. if you reset a forgotten password for a local user, DPAPI will not decrypt data; not a problem for domain user, though).
Alek Davis
Alek, sorry, I don't understand what this means; can you elaborate: "Just make sure that you use DPAPI with user store (key);"
I__
DPAPI supports two kinds of encryption keys: one is specific to the computer (any application running on the computer can decrypt data encrypted with the machine key by any other application, so it's not very safe), the other key is specific to the user under whose account the application runs (to be able to decrypt data encrypted with the user key, an application must run under the same account as the application that encrypted the data). In DPAPI terminology, "store" (e.g. user store) refers to the key. The user store is generally more secure but imposes more restrictions (e.g. ASP.NET apps generally cannot use it).
Alek Davis
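As an added example, not code from the thread, here is the DPAPI option described in this answer in VB.NET through the .NET ProtectedData class (System.Security.dll on .NET Framework; the System.Security.Cryptography.ProtectedData package on newer .NET; Windows only). The scope is DataProtectionScope.CurrentUser, i.e. the "user store" the comments recommend, so only processes running under the same account can decrypt; DataProtectionScope.LocalMachine would let any process on the box do so. The optional entropy value, the sample connection string and the `secret.bin` file name are choices made for this example.

```vb
Imports System
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Module DpapiExample

    ' Example "optional entropy": an application-specific value mixed into the DPAPI key, so
    ' another process running as the same user still needs it to decrypt. It is only as secret
    ' as the place it is stored; it raises the bar, it does not replace the user-scoped key.
    Private ReadOnly Entropy As Byte() = Encoding.UTF8.GetBytes("example-app-v1")

    ' CurrentUser scope: the key is derived from the logon credentials of the account that
    ' runs this code, so no key is generated, stored or managed by the application.
    Public Function Protect(ByVal secret As String) As Byte()
        Return ProtectedData.Protect(Encoding.UTF8.GetBytes(secret), Entropy,
                                     DataProtectionScope.CurrentUser)
    End Function

    Public Function Unprotect(ByVal blob As Byte()) As String
        Return Encoding.UTF8.GetString(ProtectedData.Unprotect(blob, Entropy,
                                                               DataProtectionScope.CurrentUser))
    End Function

    Sub Main()
        Dim path As String = "secret.bin"
        If Not File.Exists(path) Then
            ' First run: protect the secret once and keep only the opaque blob on disk.
            File.WriteAllBytes(path, Protect("Server=db;User Id=app;Password=hunter2"))
        End If
        Try
            ' Later runs under the same account (even after a reboot) decrypt it again.
            Console.WriteLine(Unprotect(File.ReadAllBytes(path)))
        Catch ex As CryptographicException
            ' Raised when the blob was protected by a different user or with different entropy,
            ' or, for a local account, after an administrator reset the user's password,
            ' which is the limitation the comments above warn about.
            Console.WriteLine("Cannot decrypt: " & ex.Message)
        End Try
    End Sub
End Module
```

To see the difference between the two stores, run the program once as one user and then run it again as another user on the same machine: with CurrentUser scope the second run lands in the Catch block, whereas with LocalMachine scope it would print the secret.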