Secure way to store key in C# application

0 votes
asked by user: (120 points)

I am aware this question has been asked many times. But mine is related to my program design, so please read through my question. I have designed a C# light control application. The application owns a local SQL db to store user connection details, including the keys to connect to the server. The login page has an ADD NEW CONNECTION button which prompts the user to add connection details such as username, host address, and a key-paste option.

During the app's initial set-up at the customer side, all I need to do is send the key file to the customer for the first time by email, but it has to be hashed/encrypted so it cannot just be easily used. As of now, I have designed a standalone application to take a key file, hash it, append a salt and send that hashed key file to the customer.

What I really want is for the customer to enter the hashed key file in the login page for validation. As I have used the hashed key file for validation, I need to store the original key file somewhere safe in the application, to be hashed and compared with the one sent by email.

  1. Is this a secure way to do it?

  2. Do I need to keep a separate db for the admin for the initial set-up, to store the original key file?

Also, I have another problem: how can this activity be tied in with the already existing Add new connection button?

  1. Can I opt for encryption instead of hashing? If yes, how can it be done?

Please share your thoughts on this. I want the most secure way to protect the key. Thanks in advance for your help.

posted by user: (100 points)
Sorry, I can't really give you an exact solution for your problem since it is very broad. But here's a resource which might serve you well: nvlpubs.nist.gov/nistpubs/SpecialPublications/…
posted by user: (2.9k points)
Use of paragraphs improves readability, understandability and potentially responses: try it.
posted by user: (180 points)
The most secure way to store keys on a customer system that I am aware of is using the Windows Data Protection API. Typically you will store the key in an encrypted section of your App.config.
posted by user: (120 points)
@RB Thanks for your advice. In that case, I need to use encryption instead of hashing. Is it more secure than hashing?
posted by user: (180 points)
It's not that encryption is more secure than hashing - it's that they are fundamentally different. Encryption is two-way (you can get the encrypted value from the plain text and vice versa) whereas hashing is one-way (you can get the hashed value from the plain text, but NOT the other way). Since your application needs to know the password you will HAVE to encrypt it, and the DPAPI is the only secure way of doing that I know of.
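The two comments above recommend DPAPI and an encrypted section of App.config without showing code. The following is an added example, written for this edit and not posted by either commenter: it protects the connection key with `ProtectedData` (the managed DPAPI wrapper) and, separately, encrypts the `connectionStrings` section of the application's config file with the built-in `DataProtectionConfigurationProvider`. It assumes a Windows host and .NET Framework (on .NET 6+ the `System.Security.Cryptography.ProtectedData` NuGet package supplies the same type); the `KeyVault` class name, the entropy string and the sample key content are constructed for the example.

```csharp
using System;
using System.Configuration;           // reference System.Configuration.dll
using System.Security.Cryptography;   // ProtectedData: System.Security.dll on .NET Framework
using System.Text;

// Added example (not from the original thread). Shows DPAPI-based
// protection of a connection key for a desktop C# application.
static class KeyVault
{
    // Optional entropy: an application-specific value mixed into the DPAPI
    // derivation. Another process running as the same Windows user cannot
    // Unprotect the blob unless it also supplies this exact value.
    // Constructed for the example; treat it as a secret of the application.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("lightcontrol-app-v1");

    // Encrypt key material for the current Windows user. The returned string
    // can be stored in the local SQL db; it can only be decrypted on this
    // machine, under this user account (DataProtectionScope.CurrentUser).
    public static string Protect(byte[] keyMaterial)
    {
        byte[] blob = ProtectedData.Protect(
            keyMaterial, Entropy, DataProtectionScope.CurrentUser);
        return Convert.ToBase64String(blob);
    }

    // Decrypt and return the key bytes. Throws CryptographicException if the
    // blob was produced by another user or machine, with different entropy,
    // or has been tampered with.
    public static byte[] Unprotect(string protectedBase64)
    {
        byte[] blob = Convert.FromBase64String(protectedBase64);
        return ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
    }

    // Encrypt the connectionStrings section of App.config in place using the
    // DPAPI-backed provider. This provider defaults to machine scope, so any
    // account on the same machine can read the section; use Protect/Unprotect
    // above when per-user isolation is required.
    public static void ProtectConnectionStringsSection()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    static void Main()
    {
        // Constructed sample key file content; a real deployment would read
        // the bytes the customer pasted into the Add New Connection dialog.
        byte[] key = Encoding.UTF8.GetBytes(
            "-----BEGIN KEY-----\nexample\n-----END KEY-----");

        string stored = Protect(key);      // what goes into the local SQL db
        byte[] recovered = Unprotect(stored);
        Console.WriteLine("roundtrip ok: " +
            (Encoding.UTF8.GetString(recovered) == Encoding.UTF8.GetString(key)));

        // Wipe the plaintext once it has been used to open the connection.
        Array.Clear(recovered, 0, recovered.Length);
        Array.Clear(key, 0, key.Length);
    }
}
```

One caveat a practitioner should keep in mind: DPAPI protects the stored blob against other users and against offline theft of the database or config file, but any code running under the same Windows account (malware included) can call `Unprotect` just as the application does. The entropy value raises that bar only as far as the attacker does not also have the application binary. If the key must survive a compromised user session, the protection has to come from outside the process, for example a hardware token or a server-side credential exchange, rather than from a stronger way of storing it locally.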
