I need a way to protect a private key on a mobile device.

I know that in "Writing Secure Code", the chapter "Protecting Secret Data" says "Windows CE" cannot be used in secure environments. But the book is many years old now (2003).

Is this still the case? Tell me it ain't so. There has to be a way to secure a private key today.

A: 

What's wrong with using standard encryption algorithms?

Frank Krueger
Nothing at all; as a matter of fact, I am using a standard encryption algorithm. It has a private key; where can I safely store this private key in .NET Compact Framework or Windows Mobile?
CJCraft.com
+2  A: 

The DPAPI is embodied in a set of Win32 functions, CryptProtectData and CryptUnprotectData. These functions are available on Windows CE and Windows Mobile platforms (see links), although I don't know at what version they added support.

The .NET wrapper for the DPAPI is the ProtectedData class in System.Security.Cryptography namespace (assembly System.Security.dll). However, I don't think .NET Compact Framework implements this yet, so you'll have to use P/Invoke if using .NET.

DSO
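The P/Invoke route this answer describes, written out as an added example (it is my code, not the answerer's and not part of any Microsoft sample). It assumes that on Windows CE / Windows Mobile the CryptProtectData, CryptUnprotectData and LocalFree exports live in coredll.dll (on desktop Windows the DPAPI pair is in crypt32.dll and LocalFree in kernel32.dll), and that the target Compact Framework version ships DPAPI at all, which the answer says it could not confirm per version:

```csharp
using System;
using System.Runtime.InteropServices;

// Added example: a minimal DPAPI wrapper for the .NET Compact Framework via P/Invoke.
// Assumption: on Windows CE / Windows Mobile the three exports below are in coredll.dll
// (desktop Windows: crypt32.dll for the Crypt* pair, kernel32.dll for LocalFree).
public static class DeviceDpapi
{
    // Native DATA_BLOB: byte count followed by a pointer to the bytes. Both fields are
    // blittable, so the Compact Framework marshaller can pass the struct by reference.
    [StructLayout(LayoutKind.Sequential)]
    private struct DATA_BLOB
    {
        public int cbData;
        public IntPtr pbData;
    }

    [DllImport("coredll.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool CryptProtectData(ref DATA_BLOB pDataIn, string szDataDescr,
        ref DATA_BLOB pOptionalEntropy, IntPtr pvReserved, IntPtr pPromptStruct,
        uint dwFlags, ref DATA_BLOB pDataOut);

    [DllImport("coredll.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool CryptUnprotectData(ref DATA_BLOB pDataIn, IntPtr ppszDataDescr,
        ref DATA_BLOB pOptionalEntropy, IntPtr pvReserved, IntPtr pPromptStruct,
        uint dwFlags, ref DATA_BLOB pDataOut);

    [DllImport("coredll.dll")]
    private static extern IntPtr LocalFree(IntPtr hMem);

    // Wrap a secret (e.g. the application's key bytes) so that only DPAPI on this device
    // can unwrap it. 'entropy' is an extra application-supplied secret mixed into the
    // protection; without it, any code running on the device can unwrap the stored blob.
    public static byte[] Protect(byte[] secret, byte[] entropy)
    {
        return Call(true, secret, entropy);
    }

    public static byte[] Unprotect(byte[] blob, byte[] entropy)
    {
        return Call(false, blob, entropy);
    }

    private static byte[] Call(bool protect, byte[] input, byte[] entropy)
    {
        DATA_BLOB inBlob = ToNative(input);
        DATA_BLOB entropyBlob = ToNative(entropy ?? new byte[0]);
        DATA_BLOB outBlob = new DATA_BLOB();
        try
        {
            bool ok = protect
                ? CryptProtectData(ref inBlob, "app key", ref entropyBlob, IntPtr.Zero, IntPtr.Zero, 0, ref outBlob)
                : CryptUnprotectData(ref inBlob, IntPtr.Zero, ref entropyBlob, IntPtr.Zero, IntPtr.Zero, 0, ref outBlob);
            if (!ok)
                throw new InvalidOperationException("DPAPI call failed, Win32 error " + Marshal.GetLastWin32Error());
            byte[] result = new byte[outBlob.cbData];
            Marshal.Copy(outBlob.pbData, result, 0, outBlob.cbData);
            return result;
        }
        finally
        {
            Marshal.FreeHGlobal(inBlob.pbData);
            Marshal.FreeHGlobal(entropyBlob.pbData);
            if (outBlob.pbData != IntPtr.Zero)
                LocalFree(outBlob.pbData); // DPAPI allocates its output with LocalAlloc
        }
    }

    private static DATA_BLOB ToNative(byte[] data)
    {
        DATA_BLOB blob = new DATA_BLOB();
        blob.cbData = data.Length;
        blob.pbData = Marshal.AllocHGlobal(data.Length == 0 ? 1 : data.Length); // avoid a zero-size allocation
        Marshal.Copy(data, 0, blob.pbData, data.Length);
        return blob;
    }
}
```

Call `Protect` once, write the returned blob to the application's data directory, and call `Unprotect` at startup; the key bytes never touch storage in the clear. A failed call surfaces as a Win32 error code, which is also the quickest check for whether the device's OS build exports DPAPI. Note the limits: Windows CE is effectively single-user, so the protection is bound to the device rather than to a user account, and the optional entropy only helps if it is not itself sitting on the same device next to the blob.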
A: 

http://www.windowsfordevices.com/news/NS5217487259.html?kc=rss

Webcast covers security for Windows Mobile programmers

This looks like it will be good.

CJCraft.com
A: 

If a user has access to a device, then no, you cannot 100% securely store a key. You can raise the bar but you cannot remove it.

You have to externalize the access to the key, e.g. a user-entered username and/or password, or one sent to the device via another method (e.g. asymmetric encryption over a network connection), which is what the security for Windows Mobile programmers recommends.

Any way you store the key on the device can be reverse engineered. This includes the use of CryptProtectData and CryptUnprotectData API.

Shane Powell
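The "externalize access to the key" option from this answer, as an added example of my own (not the answerer's code): the secret is sealed under a passphrase the user types at run time, so the only things stored on the device are a random salt, an IV, ciphertext and an HMAC, none of which is useful without the passphrase. It assumes `Rfc2898DeriveBytes`, `RijndaelManaged`, `HMACSHA256` and `RNGCryptoServiceProvider` are available on the target framework version; check each against your Compact Framework version before relying on it.

```csharp
using System;
using System.Security.Cryptography;

// Added example: seal a secret under a run-time passphrase instead of storing a key.
// Assumption: the four crypto classes used here exist on the target framework version.
public static class PassphraseSealedKey
{
    private const int SaltLength = 16;
    private const int IvLength = 16;      // Rijndael with a 128-bit block is AES
    private const int KeyLength = 32;     // 256-bit keys for AES and HMAC
    private const int TagLength = 32;     // HMAC-SHA256 output
    private const int Iterations = 10000; // lower on a slow handset, but keep it high

    // Seal 'secret' under 'passphrase'. Layout: salt | IV | ciphertext | HMAC.
    // The passphrase is never written anywhere; only this blob is stored on the device.
    public static byte[] Seal(byte[] secret, string passphrase)
    {
        byte[] salt = new byte[SaltLength];
        new RNGCryptoServiceProvider().GetBytes(salt);
        byte[] encKey, macKey;
        DeriveKeys(passphrase, salt, out encKey, out macKey);

        byte[] iv, ciphertext;
        using (RijndaelManaged aes = NewCipher(encKey))
        {
            aes.GenerateIV();
            iv = aes.IV;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                ciphertext = enc.TransformFinalBlock(secret, 0, secret.Length);
        }
        byte[] body = Concat(salt, Concat(iv, ciphertext));
        byte[] tag = new HMACSHA256(macKey).ComputeHash(body);
        Array.Clear(encKey, 0, encKey.Length); // keys exist only while in use
        Array.Clear(macKey, 0, macKey.Length);
        return Concat(body, tag);
    }

    // Open a sealed blob. Returns null for a wrong passphrase or a tampered blob so the
    // caller can re-prompt; the HMAC is checked before anything is decrypted.
    public static byte[] Open(byte[] sealedBlob, string passphrase)
    {
        if (sealedBlob == null || sealedBlob.Length < SaltLength + IvLength + TagLength) return null;
        int bodyLength = sealedBlob.Length - TagLength;
        byte[] salt = Slice(sealedBlob, 0, SaltLength);
        byte[] iv = Slice(sealedBlob, SaltLength, IvLength);
        byte[] ciphertext = Slice(sealedBlob, SaltLength + IvLength, bodyLength - SaltLength - IvLength);
        byte[] body = Slice(sealedBlob, 0, bodyLength);
        byte[] tag = Slice(sealedBlob, bodyLength, TagLength);

        byte[] encKey, macKey;
        DeriveKeys(passphrase, salt, out encKey, out macKey);
        byte[] expected = new HMACSHA256(macKey).ComputeHash(body);
        if (!ConstantTimeEquals(expected, tag)) return null;

        using (RijndaelManaged aes = NewCipher(encKey))
        {
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
        }
    }

    // PBKDF2: each passphrase guess costs 'Iterations' hash operations.
    private static void DeriveKeys(string passphrase, byte[] salt, out byte[] encKey, out byte[] macKey)
    {
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(passphrase, salt, Iterations);
        encKey = kdf.GetBytes(KeyLength);
        macKey = kdf.GetBytes(KeyLength); // the next 32 bytes of the same PBKDF2 stream
    }

    private static RijndaelManaged NewCipher(byte[] key)
    {
        RijndaelManaged aes = new RijndaelManaged();
        aes.BlockSize = 128;
        aes.KeySize = 256;
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = key;
        return aes;
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    private static byte[] Slice(byte[] src, int offset, int length)
    {
        byte[] r = new byte[length];
        Buffer.BlockCopy(src, offset, r, 0, length);
        return r;
    }

    // Compare the full length regardless of where the first mismatch is.
    private static bool ConstantTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

This is the "raise the bar" trade-off in concrete form: someone with the device and the blob still has to guess the passphrase, and PBKDF2 makes each guess expensive, but a weak passphrase or a key that the application keeps in memory after use gives it all back. Clear the returned secret (`Array.Clear`) as soon as the operation that needed it completes.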