symmetric Cryptography, distribution of the key

Topics: Cryptography Application Block
May 16, 2008 at 12:35 PM
Hello,

I have just used the Cryptography Application Block in my application using the RijndaelManaged symmetric Cryptography Provider and successfully encrypted and decrypted the data on the same machine.

The crypted string is encrypted and decrypted on the same machine.

My problem is the following: How can I distribute the Key file (containing the public key) on the PC where I want to deploy my software?

I read previous posts on this site, but I only found that I need to set permissions on the key file. Is it the only way to deploy my application?

Thank you for your help
May 16, 2008 at 2:42 PM
Hi,

You can use the configuration tool to help you with this, as described in the "Distributing Keys" section in the help topic "Deploying the Cryptography Application Block".

Hope this helps,
Fernando


hmppwork wrote:
Hello,

I have just used the Cryptography Application Block in my application using the RijndaelManaged symmetric Cryptography Provider and successfully encrypted and decrypted the data on the same machine.

The crypted string is encrypted and decrypted on the same machine.

My problem is the following: How can I distribute the Key file (containing the public key) on the PC where I want to deploy my software?

I read previous posts on this site, but I only found that I need to set permissions on the key file. Is it the only way to deploy my application?

Thank you for your help


May 26, 2008 at 7:37 AM

Thank you for your help, Fernando.

I’ve used this link (what you have described):

ms-help://ms.EntLib.2007May/EnterpriseLibrary/html/03-180-Deploying_the_Cryptography_Application_Block.htm

It is still not clear to me:

  1. I’ve developed an application that encrypts a password.
  2. I’ve tested the application (on the same PC as for the development), and it worked well.
  3. I’ve made a setup (in order to deploy this application on another PC).
  4. At this point it is hard for me:
    1. With my setup, I can try to install my application.
    2. After the installation of the software, I modify the path of the protectedKey (c:\PublicKeyCrypt.key):

<symmetricCryptoProviders>
        protectedKeyFilename="c:\PublicKeyCrypt.key"
        protectedKeyProtectionScope="LocalMachine"
    </symmetricCryptoProviders>

    3. I tested my application, it is OK.
  5. But I deployed the same key as for the development. My problem is: anyone who has this key can easily write a .NET application and try to read my encrypted password. Where is the security?
May 26, 2008 at 2:08 PM

Hi,

If I understand your situation correctly, you're creating an installer that contains encrypted information. If that's the case, you are of course forced to use the same key to decrypt the information!

Now, you're not forced to use the same key you used for development in your install package. Create the install package in a secure location using a version of the security-sensitive content encrypted with a different key that you keep to yourself.

Keep in mind that you need to ensure the key file is properly secured in the install location. The password it contains will be encrypted using DPAPI, but if you use the Machine mode then anybody who can log in to that machine can read the encrypted key and decrypt it using the configuration tool. If you need to use the Machine DPAPI mode, then you need to protect the key file by denying read access.

Hope this helps,
Fernando
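
The file-permission step from the last reply, as an added example that is not part of the thread or of Enterprise Library: it restricts read access by removing inherited grants and allowing only named accounts (rather than adding Deny entries), then audits the result. The key path is the one from the post; the application account and both function names are assumptions, and the script must run elevated on the target machine.

```powershell
# Added example: lock down and audit the ACL of a machine-scope DPAPI key file.
$KeyFile    = 'C:\PublicKeyCrypt.key'           # path from the post's configuration
$AppAccount = 'NT AUTHORITY\NETWORK SERVICE'    # assumption: identity the application runs as
$Allowed    = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $AppAccount)

function Set-KeyFileAcl {                       # hypothetical helper
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent folder and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every explicit entry so the file starts from an empty DACL.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $grants = @{ 'BUILTIN\Administrators' = 'FullControl'; 'NT AUTHORITY\SYSTEM' = 'FullControl' }
    $grants[$Account] = 'Read'                  # the application only needs to read the key
    foreach ($id in $grants.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, $grants[$id], 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-UnexpectedReader {                 # hypothetical helper
    param([string]$Path, [string[]]$AllowedIdentities)
    $read = [System.Security.AccessControl.FileSystemRights]::ReadData
    # Return every Allow entry that grants read data to an identity outside the list.
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $read) -and
        ($AllowedIdentities -notcontains $_.IdentityReference.Value)
    }
}

Set-KeyFileAcl -Path $KeyFile -Account $AppAccount
$extra = @(Get-UnexpectedReader -Path $KeyFile -AllowedIdentities $Allowed)
if ($extra.Count -gt 0) {
    $extra | Format-Table IdentityReference, FileSystemRights, IsInherited
    throw "Key file $KeyFile is still readable by accounts outside the allow list."
}
Write-Output "Key file ACL restricted to: $($Allowed -join ', ')"
```

The audit compares account names as Windows reports them, so on a localized system the entries in `$Allowed` need the localized names.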