Store private key in cookie?

Bill Belliveau

Greetings,

I am working on an asp.net storefront that requires credit card information
to be stored temporarily on the server. Currently the site will feature
administrative access protected by MD5 and credit card information encrypted
with Rijndael. Retrieving the information will also be secured by SSL.
I've seen the question posed a few times but I have yet to see a definitive
answer. How can I securely store the key/IV? From my readings the general
consensus is, I can't. Using an MD5 password won't work because the customer
would need to have access to the password when the information is initially
encrypted, and storing it in the binaries is a poor solution.
I was thinking of using RSA to encrypt the Rijndael key/IV. My
implementation would use the public key to encrypt them and then store the
private key in a cookie on a trusted 'admin' machine. From what I
understand SSL encrypts all traffic including cookies. To write the cookie,
the admin might go to a specific page, paste in the xml key, and click write
cookie. I could encode the cookie if necessary.
Any ideas are appreciated.
Bill
 
Keith Patrick

Storing a key in a file somewhere is generally not a good idea, as you are
not necessarily guaranteed of having correct security permissions on the
drive + any admin could get the key (I'm not a big believer in admins seeing
sensitive information, regardless of their rights). I'm not quite
understanding the architecture of what you are mentioning, but if you want
to store something like that, you could (and please someone correct me if
this is not secure) store it in the session object. If you need to store
the key long-term, XP has an API for storing sensitive information called
the Data Protection API that stores sensitive information in some protected
place in the registry. That should be a valid storage place, as it is
recommended in MS Press' "Writing Secure Code" book.
 
Michel Gallant

In fact, CryptoAPI key containers automatically make use of DPAPI to
protect private key credentials.
Whenever possible, it is good practice to exercise use of available
security infrastructure already provided to you, instead of trying
to "roll your own" infrastructure.
Cheers,
- Mitch Gallant
MVP Security
http://pages.istar.ca/~neutron
 
Alek Davis

A minor correction: DPAPI does not store anything anywhere (this is what LSA
functions do); DPAPI just generates user or machine-specific keys and
encrypts/decrypts data using these keys.

It is rather hard to recommend any approach without knowing the detailed
requirements of the application and the infrastructure settings (and I
cannot quite figure it out from your description). By the way, you don't
really have to care about protecting the IV; generally, the IV is not secret
information, although it will not hurt if you do.

If you want to get some idea about the common options that can be used to
protect application secrets, check this article:
http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/default.aspx
(although I doubt that it will tell you exactly what you need to do in your
particular case).

Alek
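One way to apply the DPAPI advice given in this thread, as an added example that is not code from any of the posters: the Rijndael/AES data key is wrapped with DPAPI in machine scope through .NET's ProtectedData (System.Security.dll, .NET 2.0+; Aes.Create() needs .NET 3.5+), so it never sits in a cookie or in the binaries, and the IV is stored in the clear beside each ciphertext, since it is not secret. The key-file path is a placeholder.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// On disk the data key exists only as a DPAPI blob (LocalMachine scope, so the ASP.NET
// worker process can unwrap it). Each stored record has the layout IV || ciphertext.
static class CardKeyStore
{
    const string KeyFile = @"C:\secure\card.key"; // placeholder path; keep it outside the web root
    // Run once at deployment: generate a 256-bit key and persist it DPAPI-protected.
    public static void CreateKeyFile()
    {
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        File.WriteAllBytes(KeyFile, ProtectedData.Protect(key, null, DataProtectionScope.LocalMachine));
        Array.Clear(key, 0, key.Length);
    }
    // Unwrap on demand; fails on any other machine or if the blob was altered.
    static byte[] LoadKey() =>
        ProtectedData.Unprotect(File.ReadAllBytes(KeyFile), null, DataProtectionScope.LocalMachine);
    // AES-CBC with a fresh random IV per record (add an HMAC over the output before fielding this).
    public static byte[] Encrypt(byte[] plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = LoadKey();
            aes.GenerateIV();
            byte[] ct;
            using (var enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] output = new byte[aes.IV.Length + ct.Length];
            Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);
            Buffer.BlockCopy(ct, 0, output, aes.IV.Length, ct.Length);
            return output;
        }
    }
    public static byte[] Decrypt(byte[] blob)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = LoadKey();
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, iv.Length, blob.Length - iv.Length);
        }
    }
}
```

Because the blob is bound to the machine's DPAPI master key, the ciphertexts cannot be recovered by copying the key file elsewhere; back up the key with the host's recovery procedure rather than as a bare file.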
 
