English 中文(简体)
Protecting RSACryptoServiceProvider private key with password or otherwise
原标题:

I want to encrypt some server data using .NET s RSACryptoServiceProvider and decrypt it when someone enters a key/password via a web page. What are my options for protecting, or ideally not even storing, the private key on the server, whilst avoiding having the user supply it all each time?

  • Encrypt the private key using a symmetric system and have the user supply the password for that?
  • Store most of the private key on the server but have the user supply N characters of it?
  • Store it in the server s MachineKeyStore and use a secret KeyContainerName as a password?
  • Use CspParameters.KeyPassword in some way which works over the web?
  • Something else?
最佳回答

Other than the hardware approach (HSM or Smartcard), you pretty much have to use one secret to protect another secret. So you keep adding password. My suggestion is to use DPAPI,

http://en.wikipedia.org/wiki/Data_Protection_API

With this approach, you don t create yet another password. User experience is also better because they only have to type in password once at login.

问题回答

Your best option will be to store the private keys in a Hardware Security Module protected by the password with the HSM ensuring that the key is not usable without the password.

If an HSM is not an option (they are quite expensive after all), you should derive a symmetric key using PBKDF2 or a similar strong system an encrypt the private key with that. Using the CSP s password-protection is also an option, but it is somewhat less transparent exactly what is going on, and you have to take care to avoid having the key accesible to domain-administrators etc.





相关问题
Anyone feel like passing it forward?

I m the only developer in my company, and am getting along well as an autodidact, but I know I m missing out on the education one gets from working with and having code reviewed by more senior devs. ...

How to Add script codes before the </body> tag ASP.NET

Heres the problem, In Masterpage, the google analytics code were pasted before the end of body tag. In ASPX page, I need to generate a script (google addItem tracker) using codebehind ClientScript ...

Transaction handling with TransactionScope

I am implementing Transaction using TransactionScope with the help this MSDN article http://msdn.microsoft.com/en-us/library/system.transactions.transactionscope.aspx I just want to confirm that is ...

System.Web.Mvc.Controller Initialize

i have the following base controller... public class BaseController : Controller { protected override void Initialize(System.Web.Routing.RequestContext requestContext) { if (...

Microsoft.Contracts namespace

For what it is necessary Microsoft.Contracts namespace in asp.net? I mean, in what cases I could write using Microsoft.Contracts;?

Separator line in ASP.NET

I d like to add a simple separator line in an aspx web form. Does anyone know how? It sounds easy enough, but still I can t manage to find how to do it.. 10x!

热门标签