I'm adding some encryption methods to a class library (C# 2.0) and would like to know the best place to put the pass phrase, salt value and initialisation vector required. Is it a really bad idea just to hard-code these into the DLL, or should I be encoding them and storing them somewhere else?

Thanks.

Edit: Further info - encryption required for personal info in database (addresses, phone numbers etc.), no bank/medical type info so solution doesn't need to be too hard-core. Class library will be used on a server for a web-app, encryption methods to be used in the data layer.

+6  A: 

If you hard-code your initialisation vector and key into the DLL, then you really may as well forgo encryption altogether. If you could tell us a bit more about the reason you're using encryption here and how the data needs to be accessed precisely, perhaps I can suggest how you can make it secure.

EDIT: You'll probably want to use public key encryption for this purpose (the RSA algorithm specifically, as it's known to be secure, and is implemented fully in the .NET framework). It's asymmetric, which means that it requires a different key to encrypt (public) and decrypt (private) data. Although I'm still not totally sure how your system works, I suspect you'll just need to restrict access to the private key to just those people who are able to view the database information - you certainly don't want to store it at the same location as the database. Public key can essentially be given to anyone, as it just allows you to encrypt data to be put in the database (assuming write-access to the database is properly restricted). Anyway here are some links to get you started:

Hope that helps.

Noldorin
@Noldorin - more info added above
Nick
+1  A: 

Unless your concern is that your data layer is exposed over a web service and you're concerned about possible interception of the data, it sounds like all you need to do is implement encryption on the database itself and not worry about the application.

Chris Marisic
The problem with that is none of the info sent to/from the web service will be encrypted. Even using SSL there is a risk from anything installed on the client box being able to read the data.
Robert Gowland
Which is why I directly said unless that is the reason he asked this question.
Chris Marisic
No web service, but will be using methods for more than just DB data. Thanks for info.
Nick
A: 

I had it in mind to use the encryption in basic utility methods mainly for use with a database, but also for configuration data in xml files etc. and anything else that comes up.

Whatever encryption you use needs keys or pass phrases of one kind or another; I'd like to know where and how you store these strings.

Thanks.

Nick
I recommend encrypting your config files as they are stored as plain text; there are examples on the MSDN on how to do this. If your DAL is local there is no need to use encryption in the DAL layer and the database itself only needs to be encrypted.
Chris Marisic
+1  A: 

If you're using public key encryption, then you'll want to freely distribute the public key (most likely) and keep access to the private key highly restricted (only on storage media that you know are secure). Either way, it is typical to store keys as base64-encoded strings in XML files. The RSACryptoServiceProvider class has built-in capability to do this, I believe.

Noldorin
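
The key split described in the RSA answers above, as an added example that is not code from any poster in the thread: the key pair is exported with `ToXmlString`, the web application encrypts with the public XML only, and decryption needs the private XML. The class and method names (`FieldCrypto`, `Encrypt`, `Decrypt`, `MaxPlaintext`) and the sample address are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; FieldCrypto and its members are hypothetical names.
public static class FieldCrypto
{
    // OAEP (SHA-1) padding costs 42 bytes: a 2048-bit key fits 214 bytes.
    static int MaxPlaintext(RSACryptoServiceProvider rsa) { return rsa.KeySize / 8 - 42; }

    // Web server side: only the public key XML is needed to encrypt.
    public static string Encrypt(string publicKeyXml, string plaintext)
    {
        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
        {
            rsa.FromXmlString(publicKeyXml);
            byte[] data = Encoding.UTF8.GetBytes(plaintext);
            if (data.Length > MaxPlaintext(rsa))
                throw new ArgumentException("Value too long for one RSA block.");
            return Convert.ToBase64String(rsa.Encrypt(data, true));
        }
    }

    // Only callable where the private key XML is available.
    public static string Decrypt(string privateKeyXml, string base64Ciphertext)
    {
        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
        {
            rsa.FromXmlString(privateKeyXml);
            byte[] data = rsa.Decrypt(Convert.FromBase64String(base64Ciphertext), true);
            return Encoding.UTF8.GetString(data);
        }
    }

    public static void Main()
    {
        string publicXml, privateXml;
        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(2048))
        {
            publicXml = rsa.ToXmlString(false);  // safe to deploy with the web app
            privateXml = rsa.ToXmlString(true);  // keep away from the database server
        }
        string stored = Encrypt(publicXml, "12 Example Street"); // constructed sample value
        Console.WriteLine(Decrypt(privateXml, stored));
        try { Decrypt(publicXml, stored); }
        catch (CryptographicException) { Console.WriteLine("Public key alone cannot decrypt."); }
    }
}
```

The string returned by `ToXmlString(true)` is unencrypted key material, so whatever file holds it needs the access restrictions the answers describe.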