Encrypt / Decrypt XML

[merkin51]

I have built a windows based form (VS2005 using VB.net 2.0) which is basically a questionnaire program - users fill in a series of text boxes and checkboxes and can then print off a report. The user can also save their progress to come back to at a later time; instead of going down the database route, I keep track of all the control values in a dataset, then read that that dataset into an XML file when they save. It's a simple case of reading the XML file back in and updating controls when they load it at a later date (the XML file is basically their saved document in their eyes).

This all works absolutely fine, except I've now been asked if I can encrypt the data that goes into the XML file - some of it is sensitive to the user. Any unscrupulous nosey parker who knew what they were doing could easily find the XML file and open it in notepad, for example. To be honest I'm currently struggling with this! I followed this guide:

http://www.devx.com/dotnet/Article/21564

Which does the trick nicely, the XML file is completely encrypted when saved, and I can decrypt it when it's loaded back in. However, this only works if the application (hence session) is kept open. If you save your progress, close the program, reopen it and try and load I get a "bad data" error, which I'm pretty sure is because a new tDES key is generated each time the program starts so obviously the decrypting doesn't work. I can't work out how to use the same key every time the program starts... it'd be absolutely fine if they key was embedded in the code, I'd be happy with that, but I can't work it out.

Does anyone have any ideas? Any other ways I should look at doing this?
TIA,
Tim

 

[JohnH]

You need to store the key somewhere. I would use an application user setting. The article has suggetion in "Storing the Key" section.

 

[merkin51]

You need to store the key somewhere. I would use an application user setting. The article has suggetion in "Storing the Key" section.

Bearing in mind I'm a beginner, to me the solution in the "Storing the key" part of the article doesn't make since, due to the fact that the tDES key in their solution changes each time the application runs. So the key that's stored in the text file is obsolete as soon as the first instance of the program is closed. Have I got the wrong end of the stick there??

I'd be happy just storing the key in a constant or variable, this isn't some major distribution application. What I can't work / find out is how to then use that key in place of the random key generated by the tDES call.

 

[JohnH]

The Key property of TripleDESCryptoServiceProvider instance is what they saved, this property is read/write so you can get the saved value and put it into a new TripleDESCryptoServiceProvider to give it the original key. The initialization vector IV is equally important, dunno why article didn't mention it.

From help documentation:

The symmetric encryption classes supplied by the .NET Framework require a key and a new initialization vector (IV) to encrypt and decrypt data. Whenever you create a new instance of one of the managed symmetric cryptographic classes using the default constructor, a new key and IV are automatically created. Anyone that you allow to decrypt your data must possess the same key and IV and use the same algorithm.