If you are building a custom application, and interoperability isn't a concern for you, the following might work: Basically, you want some kind of strong password-oriented protection for the secret key. So, you prompt the user for a password/passphrase. Compute a hash of the passphrase. Use the hash value to run a symmetric cipher that encrypts the key, using one of the stream-style modes. Save the IV along with the encrypted data. The saved data structure should include a header that tells your app what block cipher and hash function it uses, (if you consider using different functions), the IV, the length of the encrypted stream, and the encrypted stream itself. Different protocols use different variations on this theme, even MS CryptoAPI. Unless you are using some kind of specialized hardware, this is about as good as it gets. The security relies on choosing a secret passphrase, the strength of the block cipher, and collision resistance of the hash function. RFC 2440, section 3.6 has some detailed recommendations for creating good encryption keys from a text string.
HTH, Jonathan ----- Original Message ----- From: "Gabriel Dos Santos" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, January 22, 2003 11:26 AM Subject: Storing keys > Hi, I'm working with crypto++ 5 on Windows 2000 and 98. So far, I've been > able to successfully encrypt/decrypt session keys and sign/verify files > using RSA public key. I've generated the key pair once and saved it to a > file. This is good for testing but in real world I must store private keys > in a secure way. Does Crypto++ support any key store functionality? If not, > any idea about how to accomplish this will be higly appreciated :-). As far > as I know Microsoft's Crypto API stores keys in their own format so I can`t > use their CSP to store key. I'm I right? > Thanks in advance, > > Gabriel > > _________________________________________________________________ > Charla con tus amigos en l�nea mediante MSN Messenger: > http://messenger.yupimsn.com/ > >
