EntLib 2.0 Cryptography Block without keyfile

Topics: Cryptography Application Block
Dec 27, 2007 at 4:44 PM
Is it possible to use the ENTLIB Cryptography Block without using a keyfile? In addition to keyfile management, my team is also concerned about performance. In this particular instance, we are using the cryptography block to encrypt and decrypt query strings, and the crypto block would see heavy usage.

Does anyone have any recommendations?

Also, are there known performance issues?

Dec 27, 2007 at 11:16 PM
Edited Dec 28, 2007 at 2:54 PM
Yes and no. You cannot use the existing SymmetricAlgorithmProvider without using encrypted files, but you could create your own provider that doesn't use files. But there is a reason why the existing provider works like it does; the pre v2 implementation did keep the password in the (potentially encrypted) configuration file, but it didn't pass the security review with more stringent requirements (see the details in http://blogs.msdn.com/tomholl/archive/2005/11/16/493672.aspx).

Now, I would assume you will eventually decrypt the encrypted query strings into plain strings to perform the queries, and by doing that you would leave them lying around in memory, thus opening an attack window. But there's little you can do about this for now.

While it doesn't deal with the key management aspect, you could keep your query strings as SecureStrings after you retrieve them from where you're keeping them and decrypt them. It may or may not improve the performance in your scenario (my guess is it would, but not by a lot).

Hope this helps,