c# - How to securely handle AES “Key” and “IV” values


If I use AES (System.Security.Cryptography) to encrypt and decrypt blob or memo fields in SQL Server, where do I store the “Key” and “IV” values on the server? (File, regkey, dbase, ...)

And what about the protection of those AES “Key” and “IV” values?

The background question is more: if “they” hack the server and the dbase... they can get to the program doing the encryption stuff (it's on the same server, isn't it)... and if "they" are good, they will notice the stored “Key” and “IV” values... (.NET 4.5, ILSpy), and the data can be decrypted again.

Please advise: how do you handle AES “Key” and “IV” values?

PS: These are not pwd fields... so it's not hashing... it's pure data cryptography.

The IV has been thoroughly covered by the other answers, so I'll focus on storing the key.

First...

I can't except not done on single server at software level.

Anything done in software can be undone in software. You can encrypt, hide, and lock it in as many safes as you want, but your application still needs to be able to access the key. If your application has access, then someone with the same level of access as your application is able to get to it as well.

Developers have been dealing with this problem for a long time, and there is no silver bullet.

This is set up in a single-server environment (application plus dbase), so I’m not able to send/retrieve the key to a second server. Also, in this “special” case I’m not able to encrypt the key with a machine-level or user-level RSA key container.

I can think of 2 possible solutions.

Option 1:

Store the key on disk and, at the OS level, configure file access so that only the account the application is running under can read the file the key is contained in. The file could be a flat file, or an encrypted container that's protected by a password which the application knows (up to you to decide, but an encrypted container is better).

Pros:

  • Restarts without human intervention.

Cons:

  • You have to get the OS security right, and there is no room for error.
  • An attacker with administrator access can get to the key.

Another similar option would be to use DPAPI instead of files for storing the key (as long as you're able to, given your "special case"). This is an API built into Windows that utilizes the password of whatever Windows account you (or your application) are running under to securely store data. Only the Windows account that stored the data is able to retrieve it.

One particularly nice feature of DPAPI is that, if an administrator resets a user's password (via Computer Management), access to that user's DPAPI data is lost. An attacker would need to compromise the actual account that was used to store the data in the first place, without resetting the password.

Option 2:

Require a pass phrase to be entered by a person at application start, and derive the encryption key from that pass phrase. Once you have the key, discard the pass phrase and retain the key in memory only.

Pros:

  • The key is never on disk.
  • Even if the server is rooted, getting to the key is not a simple task.

Cons:

  • Automated reboots are not possible.
  • You'll have to share the pass phrase with whoever is handling support.
  • You need to keep in mind that data stored in memory may be transparently written to disk in some situations.

Or you could do a compromise between these 2 systems where a pass phrase is used to derive the encryption key, which is held in memory, and the key is temporarily written to disk or an encrypted container whenever the application is gracefully restarted. When the restart is complete, the application loads the key and then deletes it from temporary storage (and if necessary, be sure to overwrite the disk location where the key was stored so it can't be recovered).
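
Option 2 and the restart compromise described above, as an added example that is not part of the original answer. It uses DPAPI as the temporary container, which is an assumption, as are the class, method and file names, the iteration count, and a runtime that has the SHA-256 Rfc2898DeriveBytes constructor (.NET Framework 4.7.2 or later, or modern .NET on Windows with the System.Security.Cryptography.ProtectedData package).

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
// Added example; class, method and file names are hypothetical.
static class KeyHolder
{
    const int Iterations = 600000; // assumed PBKDF2 work factor, tune for your hardware
    const int KeyBytes = 32;       // AES-256 key

    // Option 2: derive the key from a pass phrase typed at start-up, then wipe
    // the pass phrase buffers. The salt is not secret; store it beside the data.
    public static byte[] DeriveKey(char[] passPhrase, byte[] salt)
    {
        byte[] pw = Encoding.UTF8.GetBytes(passPhrase);
        try
        {
            using (var kdf = new Rfc2898DeriveBytes(pw, salt, Iterations, HashAlgorithmName.SHA256))
                return kdf.GetBytes(KeyBytes);
        }
        finally { Array.Clear(pw, 0, pw.Length); Array.Clear(passPhrase, 0, passPhrase.Length); }
    }

    // Graceful restart: park the key on disk, wrapped by DPAPI for this account.
    public static void ParkForRestart(byte[] key, string path) =>
        File.WriteAllBytes(path, ProtectedData.Protect(key, null, DataProtectionScope.CurrentUser));

    // After the restart: unwrap the key, overwrite the file, then delete it.
    // The overwrite is best effort; SSDs and journaling may keep old blocks.
    public static byte[] ReclaimAfterRestart(string path)
    {
        byte[] blob = File.ReadAllBytes(path);
        byte[] key = ProtectedData.Unprotect(blob, null, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(path, new byte[blob.Length]);
        File.Delete(path);
        return key;
    }

    static void Main()
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] key = DeriveKey("constructed sample pass phrase".ToCharArray(), salt);
        string path = Path.Combine(Path.GetTempPath(), "key.handoff"); // hypothetical path
        ParkForRestart(key, path);
        Console.WriteLine(key.SequenceEqual(ReclaimAfterRestart(path))); // round trip check
    }
}
```

The derived key still lives in process memory for the lifetime of the application, so the caveat in the cons list about memory being written to disk applies to it as well.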

