Security Basics mailing list archives
Re: Regarding Private key
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Wed, 17 Jun 2009 12:33:30 -0430
On Wednesday 17 June 2009 05:08:42 manmeet Singh wrote:
Hi all, I am facing a very tedious problem. I want to know what the various options are and how secure these options are. I have a file that contains plaintext. I have to read that file and, after the first read, encrypt it (AES), delete the plaintext file and save the encrypted file. On subsequent reboots, I have to read the decrypted text. Now the question is: how do I manage the AES key? Storing the AES key/IV in a file is one option? (Isn't it the same as storing the plain key, assuming I don't have any secure storage?)
Indeed. If the key is stored in the file, anyone could use it to decrypt the file.
Hard code the AES Key/IV values in the code?
"Reverse engineering" the code could show you the key or a mechanism to decode it. It's more complex than getting the password from the file, but... it is also not secure.
What other options are possible. ?
You have three options.

1. Introduce the key manually when your program starts... or...
2. Use an external device to store the key. You should protect this external device and remove it when you are not using it...

But... there is no answer that could keep your file "automatically encrypted" without the possibility of it being reversed. This is the same problem that some gaming companies faced on their consoles. You can obfuscate your code enough, add anti-debuggers, and more. It will only be a wall for non-skilled people. And it's a matter of time.

--------------

3. The third option is: use a server to store the key. Also, you could use SSL with pre-shared certificates to avoid man-in-the-middle attacks and false connections. The only problem is that your program could be cracked and the certificate could be changed. Then a MITM attack could be possible, the key could be stolen, and the file decrypted. This is only obfuscation.
Warm Regards, Manmeet Singh
-- Ing. Aaron G. Mizrachi P. http://www.unmanarc.com Mobil 1: + 58 416-6143543 Mobil 2: + 58 424-2412503 BBPIN: 0x 247066C1
Attachment:
signature.asc
Description: This is a digitally signed message part.
Current thread:
- Regarding Private key manmeet Singh (Jun 17)
- Re: Regarding Private key Stefan Castille (Jun 17)
- Re: Regarding Private key Aarón Mizrachi (Jun 17)
- Re: Regarding Private key Srikanth Dabbiru (Jun 17)
- Re: Regarding Private key Jeffrey Walton (Jun 17)
- <Possible follow-ups>
- Re: Regarding Private key mannirulz30 (Jun 17)
- Re: Regarding Private key ron (Jun 17)