Best way to 'hide' pass phrases, init vectors etc.. for encryption in a class library

By : Nick
Source: Stackoverflow.com
Question!

I'm adding some encryption methods to a class library (C# 2.0) and would like to know the best place to put the pass phrase, salt value and initialisation vector required. Is it a really bad idea just to hard-code these into the DLL, or should I be be encoding them and storing them somewhere else?

Thanks.

Edit: Further info - encryption required for personal info in database (addresses, phone numbers etc..), no bank/medical type info so solution doesn't need to be too hard-core. Class library will be used on a server for a web-app, encryption methods to be used in the data layer.

By : Nick


Answers

If you're using public key encryption, then you'll want to freely distribute the public key (most likely) and keep access to the private key highly restricted (only on storage media that you know are secure). Either way, it is typical to store keys as base64-encoded strings in XML files. The RSACryptoServiceProvider class has built-in capability to do this, I believe.

By : Noldorin


I had it in mind to use the encryption in basic utility methods mainly for use with a database, but also for configuration data in xml files etc.. and anything else that comes up.

Whatever encryption you use needs keys or pass phrases of one kind or another, I'd like to know where and how you store these strings.

Thanks.

By : Nick


Unless your concern is that your data layer is exposed over a web service and you're concerned about possible interception of the data, it sounds like all you need to do is implement encryption on the database itself and not worry about the application.



This video can help you solving your question :)
By: admin