We have a C# (.NET 3.5) application. During the installation, we use AesCryptoServiceProvider to encrypt some useful info in the config file. That info will be decrypted by the application when it is running. So the application needs to know the Key and IV.
We are thinking of storing the Key and IV byte[] in a secure place on the machine. I know there is a machine store which can store an RSA key pair. Can I store the Key and IV byte[] in there? I searched online and read the MSDN docs but cannot find a way to do it.
Do you know how to do it? Do you have any other good ideas?
What you are attempting is a crypto violation. Cryptographic keys are commonly stored in plain text in a config file. The IV is commonly stored with the cipher text in your data store. As long as you don't violate CWE-329 you should be golden with this design.
Where all of this breaks down for you is that you are trying to hide cipher text on the same machine as the key. Where is the attacker? If he is already on your machine then he can just fire up a debugger and read the key or plain text in memory. Cryptography cannot address this problem; what you are looking for is Security Through Obscurity (which isn't a secure solution).
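
The IV handling the answer describes (IV stored with the cipher text, and random per encryption so CWE-329 is not violated), as an added example that is not part of the original question or answer. The class name ConfigCrypto, its method names and the sample string are assumptions, and the key is generated in memory only for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class ConfigCrypto // hypothetical helper, not from the original post
{
    const int IvSize = 16; // AES block size in bytes

    // Returns IV || ciphertext; a fresh random IV is generated on every call.
    public static byte[] Encrypt(byte[] key, string plaintext)
    {
        using (var aes = new AesCryptoServiceProvider()) // defaults: CBC, PKCS7
        {
            aes.Key = key;
            aes.GenerateIV();
            using (var enc = aes.CreateEncryptor())
            {
                byte[] data = Encoding.UTF8.GetBytes(plaintext);
                byte[] ct = enc.TransformFinalBlock(data, 0, data.Length);
                byte[] blob = new byte[IvSize + ct.Length];
                Buffer.BlockCopy(aes.IV, 0, blob, 0, IvSize);
                Buffer.BlockCopy(ct, 0, blob, IvSize, ct.Length);
                return blob;
            }
        }
    }

    // Reads the IV back from the first 16 bytes of the stored blob.
    public static string Decrypt(byte[] key, byte[] blob)
    {
        if (blob == null || blob.Length < IvSize)
            throw new ArgumentException("blob is too short to contain an IV");
        byte[] iv = new byte[IvSize];
        Buffer.BlockCopy(blob, 0, iv, 0, IvSize);
        using (var aes = new AesCryptoServiceProvider())
        {
            aes.Key = key;
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(
                    dec.TransformFinalBlock(blob, IvSize, blob.Length - IvSize));
        }
    }

    static void Main()
    {
        byte[] key = new byte[32]; // constructed demo key (AES-256)
        new RNGCryptoServiceProvider().GetBytes(key);
        byte[] a = Encrypt(key, "Pwd=example"), b = Encrypt(key, "Pwd=example");
        // Same plaintext, different blobs (different IVs), same decryption.
        Console.WriteLine(Convert.ToBase64String(a) != Convert.ToBase64String(b));
        Console.WriteLine(Decrypt(key, a) == Decrypt(key, b));
    }
}
```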