Store private key in cookie?


  #1

    Store private key in cookie?

    Greetings,

    I am working on an asp.net storefront that requires credit card information
    to be stored temporarily on the server. Currently the site will feature
    administrative access protected by MD5 and credit card information encrypted
    with Rijndael. Retrieving the information will also be secured by SSL.



    I've seen the question posed a few times but I have yet to see a definitive
    answer. How can I securely store the key/IV? From my readings the general
    consensus is, I can't. Using an MD5 password won't work because the customer
    would need to have access to the password when the information is initially
    encrypted and storing it in the binaries is a poor solution.



    I was thinking of using RSA to encrypt the Rijndael key/IV. My
    implementation would use the public key to encrypt them and then store the
    private key in a cookie on a trusted 'admin' machine. From what I
    understand SSL encrypts all traffic including cookies. To write the cookie,
    the admin might go to a specific page, paste in the xml key, and click write
    cookie. I could encode the cookie if necessary.



    Any ideas are appreciated.



    Bill


    Bill Belliveau Guest

  #2

    Re: Store private key in cookie?

    Storing a key in a file somewhere is generally not a good idea, as you are
    not necessarily guaranteed of having correct security permissions on the
    drive + any admin could get the key (I'm not a big believer in admins seeing
    sensitive information, regardless of their rights). I'm not quite
    understanding the architecture of what you are mentioning, but if you want
    to store something like that, you could (and please someone correct me if
    this is not secure) store it in the session object. If you need to store
    the key long-term, XP has an API for storing sensitive information called
    the Data Protection API that stores sensitive information in some protected
    place in the registry. That should be a valid storage place, as it is
    recommended in MS Press' "Writing Secure Code" book.

    "Bill Belliveau" <noone@nowhere.com> wrote in message
    news:ON7MCjJfDHA.1760@TK2MSFTNGP09.phx.gbl...

    Keith Patrick Guest

  #3

    Re: Store private key in cookie?

    In fact, CryptoAPI key containers automatically make use of DPAPI to
    protect private key credentials.
    Whenever possible, it is good practice to exercise use of available
    security infrastructure already provided to you, instead of trying
    to "roll your own" infrastructure.
    Cheers,
    - Mitch Gallant
    MVP Security
    [url]http://pages.istar.ca/~neutron[/url]

    "Keith Patrick" <richard_keith_patrick@hotmail.com> wrote in message
    news:%23Dn3d2VfDHA.3464@TK2MSFTNGP11.phx.gbl...

    Michel Gallant Guest
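The design Bill sketches in #1 (card data encrypted with Rijndael, the Rijndael key wrapped with an RSA public key) combined with Mitch's advice in #3 (keep the RSA private key in a CryptoAPI key container, which CryptoAPI protects with DPAPI, instead of pasting it into a page or a cookie), written out as an added example. This is not code from the thread or from any of its posters. It assumes .NET Framework 2.0 or later, a machine-store key container named "StorefrontCardKey" (an assumed name), a record layout of wrapped-key length, wrapped key, 16-byte IV, ciphertext (an assumed layout), and a constructed test card number:

```csharp
// Added example, not from the thread. Envelope encryption of card data:
// a fresh AES (Rijndael) key per record, wrapped with RSA-OAEP; the RSA
// private key never leaves the CryptoAPI key container.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class CardVault
{
    // Assumed container name. With CspParameters the key pair is persisted
    // in the machine key store, where CryptoAPI protects it with DPAPI.
    private const string ContainerName = "StorefrontCardKey";

    private static RSACryptoServiceProvider OpenKeyPair()
    {
        CspParameters csp = new CspParameters();
        csp.KeyContainerName = ContainerName;
        csp.Flags = CspProviderFlags.UseMachineKeyStore;
        // Generates the pair on first use; opens the existing one afterwards.
        return new RSACryptoServiceProvider(2048, csp);
    }

    // Record layout (assumed): [int32 wrappedKey length][wrappedKey][16-byte IV][ciphertext]
    public static byte[] Encrypt(string pan)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(pan);
        using (RijndaelManaged aes = new RijndaelManaged())
        {
            aes.KeySize = 256;
            aes.BlockSize = 128;
            aes.GenerateKey();   // one key per record
            aes.GenerateIV();    // the IV is stored in the clear; it is not a secret

            byte[] wrappedKey;
            using (RSACryptoServiceProvider rsa = OpenKeyPair())
            {
                wrappedKey = rsa.Encrypt(aes.Key, true); // true = OAEP padding
            }

            byte[] ciphertext;
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            }

            using (MemoryStream ms = new MemoryStream())
            using (BinaryWriter w = new BinaryWriter(ms))
            {
                w.Write(wrappedKey.Length);
                w.Write(wrappedKey);
                w.Write(aes.IV);
                w.Write(ciphertext);
                w.Flush();
                return ms.ToArray();
            }
        }
    }

    public static string Decrypt(byte[] record)
    {
        using (MemoryStream ms = new MemoryStream(record))
        using (BinaryReader r = new BinaryReader(ms))
        {
            int wrappedLen = r.ReadInt32();
            byte[] wrappedKey = r.ReadBytes(wrappedLen);
            byte[] iv = r.ReadBytes(16);
            byte[] ciphertext = r.ReadBytes((int)(ms.Length - ms.Position));

            byte[] key;
            using (RSACryptoServiceProvider rsa = OpenKeyPair())
            {
                key = rsa.Decrypt(wrappedKey, true); // unwrap inside the server process only
            }
            try
            {
                using (RijndaelManaged aes = new RijndaelManaged())
                using (ICryptoTransform dec = aes.CreateDecryptor(key, iv))
                {
                    byte[] plain = dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
                    return Encoding.UTF8.GetString(plain);
                }
            }
            finally
            {
                Array.Clear(key, 0, key.Length); // scrub the unwrapped key
            }
        }
    }

    public static void Main()
    {
        byte[] record = Encrypt("4111111111111111"); // constructed test number
        Console.WriteLine(Convert.ToBase64String(record));
        Console.WriteLine(Decrypt(record));
    }
}
```

Two caveats a practitioner would add. First, the ASP.NET worker identity must be granted access to the machine key container (for example with `aspnet_regiis -pa "StorefrontCardKey" "NT AUTHORITY\NETWORK SERVICE"`), otherwise OpenKeyPair fails at runtime. Second, this scheme gives confidentiality only: CBC with PKCS7 padding has no integrity check, so a stored record can be modified without detection; in a real storefront you would add an HMAC over IV and ciphertext (or use an authenticated mode where available) before trusting the decrypted value.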

  #4

    Re: Store private key in cookie?

    A minor correction: DPAPI does not store anything anywhere (this is what LSA
    functions do); DPAPI just generates user or machine-specific keys and
    encrypts/decrypts data using these keys.

    It is rather hard to recommend any approach without knowing detailed
    requirements of the application and the infrastructure settings (and I
    cannot quite figure it out from your description). By the way, you don't
    really have to care about protecting IV; generally, IV is not a secret info,
    although it will not hurt if you do.

    If you want to get some idea about common options, which can be used to
    protect application secrets, check this article:
    [url]http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/default.aspx[/url]
    (although, I doubt that it will tell you exactly what you need to do in your
    particular case).

    Alek

    "Keith Patrick" <richard_keith_patrick@hotmail.com> wrote in message
    news:%23Dn3d2VfDHA.3464@TK2MSFTNGP11.phx.gbl...

    Alek Davis Guest
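Keith's suggestion in #2 (use DPAPI for a long-term key) and Alek's correction in #4 (DPAPI only encrypts and decrypts with user- or machine-specific keys; where the blob lives is your problem), shown as an added example that is not from the thread or from any of its posters. It assumes .NET Framework 2.0 or later (the ProtectedData class in System.Security.dll), an assumed per-application entropy value, and a file path under the temp directory chosen for illustration:

```csharp
// Added example, not from the thread. DPAPI via ProtectedData: the API
// returns an opaque blob and stores nothing itself; the caller decides
// where the blob is kept (a file here).
using System;
using System.IO;
using System.Security.Cryptography;

public static class DpapiKeyStore
{
    // Assumed per-application entropy. Anyone on this machine who can call
    // CryptUnprotectData still needs this value to recover the key, so keep
    // it out of the same file as the blob.
    private static readonly byte[] Entropy =
        { 0x53, 0x74, 0x6f, 0x72, 0x65, 0x66, 0x72, 0x6f, 0x6e, 0x74 };

    public static void SaveKey(string path, byte[] key)
    {
        // LocalMachine scope: any process on this machine with the entropy can
        // unprotect. CurrentUser scope ties the blob to the worker identity.
        byte[] blob = ProtectedData.Protect(key, Entropy, DataProtectionScope.LocalMachine);
        File.WriteAllBytes(path, blob);
    }

    public static byte[] LoadKey(string path)
    {
        byte[] blob = File.ReadAllBytes(path);
        return ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.LocalMachine);
    }

    public static void Main()
    {
        byte[] key = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(key); // a random 256-bit key to protect

        string path = Path.Combine(Path.GetTempPath(), "storefront.key.dpapi"); // assumed path
        SaveKey(path, key);

        byte[] back = LoadKey(path);
        Console.WriteLine(Convert.ToBase64String(key) == Convert.ToBase64String(back)
            ? "round trip ok" : "mismatch");

        // A modified blob is rejected: the DPAPI blob carries its own MAC.
        byte[] blob = File.ReadAllBytes(path);
        blob[blob.Length - 1] ^= 0x01;
        try
        {
            ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.LocalMachine);
            Console.WriteLine("unexpected: tampered blob accepted");
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("tampered blob rejected: " + e.Message);
        }

        Array.Clear(key, 0, key.Length);
        Array.Clear(back, 0, back.Length);
    }
}
```

The blob on disk is only as safe as the file's ACL plus the scope you chose: with LocalMachine scope the protection is "this machine", so restrict the file to the ASP.NET worker identity and consider CurrentUser scope under that identity if other local accounts should not be able to recover the key. Because the blob is bound to the machine's (or user's) DPAPI master key, it cannot be copied to another server and read there, which is the property that makes this preferable to a key pasted into a cookie or compiled into the binaries.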
