Apply some sort of hash algorithm to scramble it and store it in a separate database server. Then store the hash key/code to descramble it in your application or application's config files (global.asa, global.asax, web.config, machine.config, etc). Secure the database server so that the scrambled key can only be accessed by the web application server using a particular stored procedure. Then fetch the scrambled key from the database server and descramble it every time you need to use it. That way the actual key never exists anywhere, and in order to figure it out a cracker would have to do the following:
1. Gain all necessary access to the web application server.
2. Gain all necessary access to the database server.
3. Figure out that the key is scrambled.
4. Figure out where in your application code the hash key/code is kept.
5. Find the algorithm that descrambles the key.
6. Apply the algorithm to the key using the hash key/code.

That's how I would do it. I'm sure some security expert might find a problem with this approach, but I can't think of one. Any better ideas?

> -----Original Message-----
> From: Andy and Kim Mills [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 30, 2004 9:35 AM
> To: [email protected]
> Subject: [ASP] Protecting Encryption Key
>
> Hello All:
>
> We are in the process of using a Triple DES method to encrypt all our passwords, credit card numbers, etc. However, we are stuck on the best method to store our encryption key. We obviously cannot write it down anywhere (code it into an application), as that compromises our security. Would anyone be able to suggest or give some guidance on the best methods to ensure our encryption key is secured and not able to be compromised?
>
> Thanks for any help
> Andy
>
> ---------------------------------------------------------------------
> Home : http://groups.yahoo.com/group/active-server-pages
> ---------------------------------------------------------------------
> Post : [email protected]
> Subscribe : [EMAIL PROTECTED]
> Unsubscribe: [EMAIL PROTECTED]
> ---------------------------------------------------------------------
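As an added example, not from this thread or either of its authors: the split the reply proposes, with the "scramble" step done as authenticated key wrapping (AES-GCM), which unlike a hash can be reversed by whoever holds the wrapping key. The wrapped blob is what would sit in the separate database, the wrapping key (kek) is what would be read from the config file, and the plaintext data key exists only in memory while it is in use. Assumes only Go's standard library; function names and all key values are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds the AES-GCM instance used for wrapping; kek must be
// 16, 24 or 32 bytes (the value read from the application's config).
func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey encrypts dataKey (here a 24-byte Triple DES key) under kek.
// The returned blob is nonce || ciphertext || tag and is what would be
// stored in the separate database; dataKey itself is never written down.
func WrapKey(kek, dataKey []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, dataKey, nil), nil
}

// UnwrapKey reverses WrapKey at the moment the key is needed. The GCM
// tag makes a blob altered in the database, or a kek from the wrong
// config file, fail closed instead of yielding a silently wrong key.
func UnwrapKey(kek, blob []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("wrapped key blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}
```

Note that an attacker who obtains both the database blob and the config file still recovers the key; the split raises the bar only as far as those two locations are protected independently.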
