
I've been tasked with signing some data with the C# RSACryptoServiceProvider.SignData() method. In order to generate the public and private key I've used the RSACryptoServiceProvider and passed a KeyContainerName in order to store the keys safely.

When I run the MSDN example to generate a set of public/private keys on my machine with the fixed KeyContainerName, the expected public/private keys are generated the same every time.

This will work fine in a single-server environment; however, we are operating in an elastic environment where the servers are load balanced. If I encrypt the data with a private key on any one single machine and store this data through the RSACryptoServiceProvider, the data will only exist at the machine level. Each machine will use a different key to sign the data, and the user of the public key won't be able to verify the signature.

Is there any way I can store the key safely in a distributed environment?

Thanks

ahammond

1 Answer


There are two that come to mind.

The first is use X509 certificates that contain the private key. You can use the X509Certificate2 class to get an RSACryptoServiceProvider instance that has the private key. The certificate and private key itself would be kept in the Windows certificate store. You can then limit access to the private key through the certificate store to certain accounts. You would then just install the certificate on each machine / AMI that needs it.

Your other option is to use a Hardware Security Module. AWS has a service called CloudHSM that allows you to use a network HSM inside of a VPC (I don't know how well that will work with Elastic Beanstalk). The HSM vendor, SafeNet IIRC, allows installing a CSP that points to the HSM. You'd then give the RSACryptoServiceProvider an instance of CspParameters that accepts the container and CSP name.

The HSM solution is the most secure, albeit more complex and expensive.

vcsjones
  • Wow, great answer, thanks. I'll have a chat with the infrastructure guys tomorrow and try and implement this. Thanks again. – ahammond Mar 30 '15 at 21:28
  • @ahammond - Azure also has a similar HSM service called KeyVault, there are also a number of Crypto-as-a-service providers, such as http://www.safenet-inc.com/data-protection/virtualization-cloud-security/crypto-hypervisor-cloud-encryption/ however they may be a bit overkill for a single use... – Erik Funkenbusch Mar 31 '15 at 14:23
  • Thanks @ErikFunkenbusch. We are a primarily AWS infrastructure at the moment. We're still investigating so useful information, thanks for the help. – ahammond Mar 31 '15 at 16:48
  • @ahammond - was just laying out options, wasn't sure if you were on AWS or some other provider. – Erik Funkenbusch Mar 31 '15 at 16:50
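Both options from the answer in code, as an added example that is not part of the original post: option 1 loads a certificate (installed identically on every instance) from the LocalMachine store by thumbprint and signs with its private key; option 2 builds a CspParameters that names the HSM vendor's CSP and an existing key container, so the key never leaves the HSM. The thumbprint, the provider type constant, the CSP name and the container name are placeholders you substitute for your own deployment; the code assumes the certificate's private key is a CAPI key (so the PrivateKey cast succeeds) held in a PROV_RSA_AES provider (so SHA-256 signing works).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class DistributedSigning
{
    // Option 1: same certificate + private key installed on each machine/AMI,
    // private key ACL'd in the store to the service account only.
    public static byte[] SignWithStoreCertificate(string thumbprint, byte[] data)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Signing certificate is not installed on this machine.");
            var cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate has no private key; import the PFX with the key and grant the service account read access.");
            // Assumption: CAPI key in a PROV_RSA_AES provider, so the cast and SHA-256 both work.
            var rsa = (RSACryptoServiceProvider)cert.PrivateKey;
            return rsa.SignData(data, "SHA256");
        }
    }

    // Verification needs only the public half, which any consumer gets from the certificate.
    public static bool Verify(X509Certificate2 cert, byte[] data, byte[] signature)
    {
        var rsa = (RSACryptoServiceProvider)cert.PublicKey.Key;
        return rsa.VerifyData(data, "SHA256", signature);
    }

    // Option 2: route signing through the HSM vendor's CSP. Placeholders: the provider
    // type, CSP name and container name come from the HSM vendor's documentation.
    public static byte[] SignWithHsm(string cspName, string containerName, byte[] data)
    {
        const int PROV_RSA_AES = 24; // placeholder; the vendor CSP may register a different type
        var csp = new CspParameters(PROV_RSA_AES, cspName, containerName)
        {
            // UseExistingKey: fail instead of silently generating a new (per-machine) key,
            // which is exactly the problem the question describes.
            Flags = CspProviderFlags.UseExistingKey | CspProviderFlags.UseMachineKeyStore
        };
        using (var rsa = new RSACryptoServiceProvider(csp))
            return rsa.SignData(data, "SHA256");
    }
}
```

The UseExistingKey flag is the key detail for the load-balanced case: without it, a container name that does not yet exist on a given instance causes a fresh key pair to be generated there, which is what produces a different signing key per machine.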