How encryption keys should be distributed?

TheMSsForum.com: The Microsoft Software Forum

Several software applications needs to encrypt and decrypt data,
requiring either a single key in symmetrical encryption algorithms or
public/private keys in asymmetrical algorithms, but how these keys
should be distributed?
Embed the key(s) within the application executable is a very
vulnerable approach, since an attacker may trace API calls, or run
the
application under a debugger and simply halt the program when the
keys
has been reconstructed.
And what about the risk to distribute the key in every exeucutable
copy embedded within, if some attacker gets this key it can make it
public, and every user of this application may use it to break its
own
installation.

Can anyone give me any suggestion? Or point me in the correct
direction to avoid these problems?
Top

Re: How encryption keys should be distributed? by S

S
Wed May 09 03:30:20 CDT 2007

G'day,

The beauty of public key encryption is that you can send public key over
public channels and still establish secure information exchane - that can be
used to send randomly generated symmetric encryption key (symmetric
encryption is less resource-hungry). Read about public key cryptography at
http://en.wikipedia.org/wiki/Public_key_encryption that is fascinating
stuff.

Practically speaking, SSL is commonly used for the tasks you outlined.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

<mauricio.cadima@gmail.com> wrote in message
news:1178683111.864063.222080@l77g2000hsb.googlegroups.com...
> Several software applications needs to encrypt and decrypt data,
> requiring either a single key in symmetrical encryption algorithms or
> public/private keys in asymmetrical algorithms, but how these keys
> should be distributed?
> Embed the key(s) within the application executable is a very
> vulnerable approach, since an attacker may trace API calls, or run
> the
> application under a debugger and simply halt the program when the
> keys
> has been reconstructed.
> And what about the risk to distribute the key in every exeucutable
> copy embedded within, if some attacker gets this key it can make it
> public, and every user of this application may use it to break its
> own
> installation.
>
> Can anyone give me any suggestion? Or point me in the correct
> direction to avoid these problems?
>


Top

Re: How encryption keys should be distributed? by Michael

Michael
Sun May 13 21:35:51 CDT 2007

What about smart cards? They are becoming inexpensive!

<mauricio.cadima@gmail.com> schrieb im Newsbeitrag
news:1178683111.864063.222080@l77g2000hsb.googlegroups.com...
> Several software applications needs to encrypt and decrypt data,
> requiring either a single key in symmetrical encryption algorithms or
> public/private keys in asymmetrical algorithms, but how these keys
> should be distributed?
> Embed the key(s) within the application executable is a very
> vulnerable approach, since an attacker may trace API calls, or run
> the
> application under a debugger and simply halt the program when the
> keys
> has been reconstructed.
> And what about the risk to distribute the key in every exeucutable
> copy embedded within, if some attacker gets this key it can make it
> public, and every user of this application may use it to break its
> own
> installation.
>
> Can anyone give me any suggestion? Or point me in the correct
> direction to avoid these problems?
>

Top