
I have an application built in ASP.NET MVC.

This application stores sensitive encryption keys used by various methods.

However, somebody can easily read the security keys I use if they open the application DLL using .NET Reflector.

My question is:

Is the only solution for keeping these keys really secure to use an obfuscation tool?

Are there other solutions?

[Screenshot: .NET Reflector print screen]

Catalin
    those keys should be in the config – AD.Net May 15 '13 at 14:55
  • If somebody can get the application DLL, then they sure can read the web.config file – Catalin May 15 '13 at 14:56
  • I don't understand. Who are you trying to hide the information from? External users? Users inside your organization? It is a web application, nobody outside your organization can even access the dll. – Shai Cohen May 15 '13 at 14:57
  • Possible Duplicate: http://stackoverflow.com/questions/2528405/how-to-safely-store-encryption-key-in-a-net-assembly – Jon Raynor May 15 '13 at 15:00
  • @ShaiCohen: I am trying to hide the information from hackers :). The application has sensitive data that I can't let be hijacked easily. – Catalin May 15 '13 at 15:02

1 Answer


You can encrypt and decrypt them using DPAPI (ProtectedData class in .NET).

Since this is a web app, you can even more easily and transparently encrypt the web.config, or sections of it.

See Encrypting Web.Config

Martin Ernst
  • I know this is crazy, but if I use DPAPI to encrypt/decrypt the web.config file, can the encryption algorithm also be stolen? – Catalin May 16 '13 at 06:04
  • If you use DPAPI to encrypt the web.config, you can encrypt it so that only the user that your website runs under can decrypt it. This means that for someone to steal your encryption algorithm, they would have to be able to login as the account that your website runs under, and that you can make very difficult – Martin Ernst May 16 '13 at 13:38
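The two approaches from the answer above, as an added example that is not part of the original post: protecting a single key with `ProtectedData` and encrypting a web.config section with the DPAPI configuration provider. It assumes .NET Framework 4.x on Windows with a reference to the System.Security assembly; the section name and entropy string are hypothetical.

```csharp
// Added example: keeps the plaintext key out of the compiled assembly and out of
// web.config by encrypting it with DPAPI under the account the site runs as.
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web.Configuration;

static class KeyProtection
{
    // Optional entropy (hypothetical value): a second secret mixed into DPAPI so
    // another process running as the same user still needs this value to decrypt.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("app-specific-entropy");

    // Encrypt a key so that only the current Windows user (the app pool identity
    // at runtime) can decrypt it. Store the returned base64 string, not the key.
    public static string Protect(string plaintextKey)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plaintextKey), Entropy, DataProtectionScope.CurrentUser);
        return Convert.ToBase64String(blob);
    }

    // Decrypt at runtime; throws CryptographicException when run under a
    // different user or with different entropy.
    public static string Unprotect(string protectedBase64)
    {
        byte[] plain = ProtectedData.Unprotect(
            Convert.FromBase64String(protectedBase64), Entropy, DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(plain);
    }

    // Encrypt a whole web.config section in place (e.g. "appSettings" or
    // "connectionStrings"). Same effect as running aspnet_regiis -pe with the
    // DataProtectionConfigurationProvider; the app reads the section unchanged.
    public static void ProtectSection(string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection(sectionName);
        if (section != null && !section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save(ConfigurationSaveMode.Modified);
        }
    }
}
```

Note that the built-in provider uses machine scope by default, so restricting decryption to the site's account (as the answer's last comment describes) requires a provider configured with `useMachineProtection="false"`; either way, anyone who can execute code as that account can still read the decrypted value.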