Security Basics mailing list archives

Re: Regarding Private key


From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 17 Jun 2009 13:48:59 -0400

Hi Manmeet,

 Now the question is How do I manage the AES key?
If on Windows, one generally stores the key in CAPI (i.e., the WinCrypt
gear). In essence, you are deferring to the Operating System.

I'm not sure what/how Linux handles secure storage.

 Storing the AES key/IV in a file is one option?
The key and IV have different security requirements. The IV can be
stored in the plaintext. I usually store it as bytes [0-15] of the
file. That is, prepend it to the file. The key is a different story.

 Hard code the AES Key/IV values in the code?
Negative.

 What other options are possible?
See Howard and LeBlanc's 'Writing Secure Code', Chapter 9: Protecting
Secret Data.

Finally, encryption alone is usually not enough. Anywhere you use
encryption alone, you should also use authentication. The quickest fix
is to use an authenticated encryption mode (EAX, CCM, GCM, CWC, etc)
rather than CBC. Whatever you do, don't roll your own scheme - it is
easy to get wrong. In the past, both SSH and SSL were defective. See
http://www.codeproject.com/KB/security/EncryptThenAuthenticate.aspx.

Jeff

On 6/17/09, manmeet Singh <mannirulz30 () yahoo com> wrote:

 Hi all,
 I am facing a very tedious problem. I want to know what the various options are and how secure these options are.

 I have a file that contains plaintext. I have to read that file and, after the first read, encrypt it (AES), delete the
plaintext file and save the encrypted file. On subsequent reboots, I have to read the decrypted text.

 Now the question is How do I manage the AES key?
 Storing the AES key/IV in a file is one option? (Isn't it the same as storing the plain key, assuming I don't have any secure
storage)
 Hard code the AES Key/IV values in the code?
 What other options are possible?


 Warm Regards,
 Manmeet Singh

 [SNIP]

