Security Basics mailing list archives
Re: Regarding Private key
From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 17 Jun 2009 13:48:59 -0400
Hi Manmeet,
Now the question is How do i manage the AES key?
If on Windows, one generally stores the key in CAPI (ie, the WinCrypt gear). In essence, you are deferring to the Operating System. I'm not sure what/how Linux handles secure storage.
Storing the AES key/IV in file is one option?
The key and IV have different security requirements. The IV can be stored in the plaintext. I usually store it as byte [0-15] of the file. That is, prepend it to the file. The key is a different story.
Hard code the AES Key/IV values in the code?
Negative.
What other options are possible. ?
See Howard and LeBlac's 'Writing Secure Code', Chapter 9: Protecting Secret Data. Finally, encryption alone is usually not enough. Anywhere you use encryption alone, you should also use authentication. The quickest fix is to use an authenticated encryption mode (EAX, CCM, GCM, CWC, etc) rather than CBC. Whatever you do, don't roll your own scheme - it is easy to get wrong. In the past, both SSH and SSL were defective. See http://www.codeproject.com/KB/security/EncryptThenAuthenticate.aspx. Jeff On 6/17/09, manmeet Singh <mannirulz30 () yahoo com> wrote:
Hi all, I am facing a very tedious probelm. I want to know what the various options and how secure are these options. I have a file that contains plaintext.I have to read that file and after first read , encrypt it(AES) and delete the plain text file and save the encryped file.On subsequent reboots, i have to read decrypted text. Now the question is How do i manage the AES key? Storing the AES key/IV in file is one option? (Isnt It same as storing the plain key assuming i dont have any secure storage) Hard code the AES Key/IV values in the code? What other options are possible. ? Warm Regards, Manmeet Singh [SNIP]
------------------------------------------------------------------------ This list is sponsored by: InfoSec Institute Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff! http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html ------------------------------------------------------------------------
Current thread:
- Regarding Private key manmeet Singh (Jun 17)
- Re: Regarding Private key Stefan Castille (Jun 17)
- Re: Regarding Private key Aarón Mizrachi (Jun 17)
- Re: Regarding Private key Srikanth Dabbiru (Jun 17)
- Re: Regarding Private key Jeffrey Walton (Jun 17)
- <Possible follow-ups>
- Re: Regarding Private key mannirulz30 (Jun 17)
- Re: Regarding Private key ron (Jun 17)