How to Secure a key???

vinnie881

Well-known member
Joined
Sep 3, 2006
Messages
152
Programming Experience
3-5
I have a app where the user needs to enter a Registration Code to register.

The Code when decoded will tell the computer the current date and time of the key creation along with a few other things that will validate the software.

The issue is my Encryption is symetric using tripple des for the code, and my key is MD5 hashed, but where would I store my key so it's secured.

Since I must decode the Registration Code via the applciation, I need to store my key accessable in the app itself (I think), but this means anyone with a hex editor or a assembly de-assembler can go in and find my hashed key, making the sucurity highly vulnerable/Useless.

What is the correct methodolgy for this?? I don't see anyway around storing the key to decode the registration code anywhere but in the app.

Thanks!
 
Best answer

Here is a answer I found on Expert-Exchange
PowerIT:1: Depends on the key length you have choosen: 112 or 168 bits.
With 168 bits (or 3TDES effective security 112 bits due to the existing meet-in-the-middle attack) your data is relative safe. See further.
With 112 bits (or 2TDES with effective security of 80 bits due to the existing meet-in-the-middle attack) it's less safe.

There is known attack on 3TDES. This attack is highly parallelizable and verges on the practical, given billion-dollar budgets and years to mount the attack. [see http://en.wikipedia.org/wiki/Triple_DES ]
2TDES is less safe, but it would still need massive budgets and time to be cracked. That's why it still widely used in electronic payment transactions.
Corrently the lifespan for DES is estimated on 22 hours, 2TDES 10 years, 3TDES tens of thousands of years or thousands of machines during many years.
The algorithm itself has not been cracked. So for all practical means: your data is safe with 3DES, altough 3DES is being replaced by AES in high secure environments.

2:
- Storing the the key on a thumbdrive and handing them out to authorized users is not a bad idea, if they protect them with their life ;-) . That's the main problem: thumbrives are easily lost or stolen. And the key must be protected at all cost.
So what about using a thumbrive which is itself encrypte?. That way you can also have a seperate password for each drive. Be sure to use a thumbdrive which does not store it's own key on itself and don't protect it or uses an electronic unlocking mechanism without encryption or uses a seperate PC application which can be easily debugged, because thats to easy to break. Also most fingerprint activated thumb drives have one of those vulnerabilities.
Examples of unsafe so called 'safe' thumbdrives which are easy to crack: Secustick, USB-secured.
Example of currently uncracked safe thumbdrives: Ironkey, but also every other thumb drive out there on which you create a Truecrypt volume (www.truecrypt.org). And store the key in the Truecrypt volume, of course.
- The most secure method is never storing the key. You can therefore derive the key from a password. The .NET framework has some password-derived key classes to help with that. The key is then derived through a mathematical metod based in the password.
- The third solution is using dedicated hardware for key storage, like card based system. Although you'll have to learn their API and implement it in your application.
- And a fourth solution would be to write some code which would use DPAPI (ProtectedData in .NET) to encrypt the key for you and write it to file. This adds some maintenance because that DPAPI is machine-specific. You would have to import the key into each machine because the encryption output on each of them would be different. DPAPI also supports User and Machine modes. User mode would be more secure because the decryption of the key would be user-specific, but then you have to make sure that the application which needs the key is running under that user's context.

J.

So in essance, a symetric key can always be cracked if you know how it is created.

Even though my key is hashed with numerous itterations both in md5 ans SHA1, if someone knows the original keyPhrase and is able to duplicate the process of creation (How it is hashed and how many times), then the key can be re-created.


Any other insight to this post would be great!
 
Back
Top