I have a simple encryption application where I will be encrypting "sensitive" data in a database. Only the people who have access rights can see these data in decrypted form. I have been looking around for more information on how to do that and here is my project approach:
Now, my question is how can I safely store that private key? From what I have been reading, I can obtain the private key using FromXMLString. But, I was thinking that if someone somehow gets the USB file and the XMLFile, he can find the private key by using the FromXMLString similarly. So, how can I protect that file, for example, by using a passphrase? Is there any function in C# I can use for that?
Also, if I change the key pairs, I have to change the public key and re-encrypt the AES key again with the fresh new public key. For that, I found this post, "How to Generate Unique Public and Private Key via RSA", to be quite useful. But I am not sure how the author implemented it. Does he also store the key container name in the private key file? Or does ToXMLString automatically do that?
Thanks~
Save your private key: Under "Actions", next to "Save the generated key", click Save private key. Note: If you didn't passphrase-protect your private key, the utility will ask whether you're sure you want to save it without a passphrase.
A CA's private key should be stored in hardware-based protection, such as a Hardware Security Module (HSM). This provides tamper-resistant secure storage. A private key for an end entity could be stored in a Trusted Platform Module (TPM) chip or a USB tamper-resistant security token.
The RSA private key is used to generate digital signatures, and the RSA public key is used to verify digital signatures. The RSA public key is also used for key encryption of DES or AES DATA keys and the RSA private key for key recovery.
Somehow, somewhere, the decryption key or the RSA key to get the decryption key has to be kept as plain text. If it is not to be on a USB drive, it has to be in a user's head.
So something that you can do is to have multi-factor authentication. A password which only the user knows (He'll keep it in his head or write it down on a sticky note; not your call) and the USB drive which contains the other decryption key.
So an attacker will have to have both the password and the USB drive to get to the encrypted information.
Have a look at PBKDF2 for how to derive a cryptographically secure key from a password the user enters.
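The two-factor idea from the answer above, as an added example that is not part of the original posts: the private key is written to the removable drive as passphrase-encrypted PKCS#8 instead of plain XML, using .NET's built-in export, which derives the file-encryption key from the passphrase with PBKDF2. Assumptions: .NET 6 or later; the file path, passphrase and iteration count are constructed sample values, and the temp directory stands in for the USB drive.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

static class ProtectedKeyDemo
{
    // PBKDF2 work factor; constructed value, tune it to your hardware.
    const int Iterations = 600_000;

    // Encrypted PKCS#8: PBKDF2-HMAC-SHA256 derives the key, AES-256-CBC encrypts the private key.
    static void SavePrivateKey(RSA rsa, string path, string passphrase)
    {
        var pbe = new PbeParameters(PbeEncryptionAlgorithm.Aes256Cbc, HashAlgorithmName.SHA256, Iterations);
        File.WriteAllBytes(path, rsa.ExportEncryptedPkcs8PrivateKey(passphrase.AsSpan(), pbe));
    }

    // Throws CryptographicException when the passphrase is wrong or the file is damaged.
    static RSA LoadPrivateKey(string path, string passphrase)
    {
        RSA rsa = RSA.Create();
        try
        {
            rsa.ImportEncryptedPkcs8PrivateKey(passphrase.AsSpan(), File.ReadAllBytes(path), out _);
            return rsa;
        }
        catch { rsa.Dispose(); throw; }
    }

    static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "rsa-private.p8"); // stand-in for the USB path
        const string passphrase = "constructed example passphrase";

        using RSA rsa = RSA.Create(3072);
        SavePrivateKey(rsa, path, passphrase);

        // Wrap an AES data key with the public half, as in the question's design.
        byte[] aesKey = RandomNumberGenerator.GetBytes(32);
        byte[] wrapped = rsa.Encrypt(aesKey, RSAEncryptionPadding.OaepSHA256);

        // Key recovery needs both the file and the passphrase.
        using (RSA loaded = LoadPrivateKey(path, passphrase))
        {
            byte[] unwrapped = loaded.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256);
            Console.WriteLine(CryptographicOperations.FixedTimeEquals(aesKey, unwrapped));
        }
        try { LoadPrivateKey(path, "wrong passphrase").Dispose(); }
        catch (CryptographicException) { Console.WriteLine("wrong passphrase rejected"); }
        File.Delete(path);
    }
}
```

Someone who copies only the file still has to guess the passphrase, paying the PBKDF2 cost on every attempt, so the passphrase's strength and the iteration count set how much protection the file adds.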