
I need to create a NuGet package that provides encryption and decryption for plain text. So I created a sample class which has 2 methods for encryption and decryption, hardcoded the input string, and generated the key and IV using a random number generator.

My question is: if I create the package with this class file, how can the client application know the key?

The client application will send the input string, and my NuGet package should encrypt that and send the base64-encoded string to the client application, and the client app has to have the same key to decrypt that text. I am a little bit confused about how the key should be shared.

Please help.

Techno
  • It might be that you misunderstand the concept of software packages. Because your question makes no sense. – rustyx Oct 01 '18 at 17:41
  • Voted as too broad. How to perform key management is a topic all unto itself, and if it would be on topic, it would be on topic at security.stackexchange.com, not here. – Maarten Bodewes Oct 01 '18 at 17:59
  • There is no problem for your package - both encrypt and decrypt should take a key as a parameter. And it could provide a GenerateKey(). The problem is how/where the client should store the key. – bommelding Oct 05 '18 at 12:06

1 Answer

It is probably a good idea to not hardcode the key, but to allow it to be configured. You can add it as a parameter to the encrypt and decrypt methods. Additionally, you can add a method that generates a key using a secure PRNG.

Be very careful with the generation. An ordinary random number generator is not enough for security since it's too predictable. It is not immediately clear from your question which one you use, but you can read more details in this question.

After generating the key it is a good idea to supply it to all your applications via configuration or something like that. .NET has a very clumsy way of configuring secure storage inside web.config, but it is possible to do. Alternatively you can find a secure storage of your choosing like e.g. Azure KeyVault or something similar.

Ilya Chernomordik
  • Maybe I am not clear in my question. I have a separate function to generate the key using cryptorandomgenerator, and my encrypt/decrypt methods have the parameters 1. data, 2. key, 3. iv. But I am calling that randomnumber method from Main() and passing the key to these functions. I am calling these encrypt/decrypt functions from Main() and passing all the values from Main(), so if the client app uses my NuGet package, how can they pass the key, since I have the random number generator in my code? – Techno Oct 01 '18 at 16:12
  • You will need to generate the key and IV and store them somehow so that they can be reused by both applications. I am not 100% sure I do understand your question fully now. – Ilya Chernomordik Oct 01 '18 at 16:50
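
The package shape suggested in the answer and in bommelding's comment (key passed in by the caller, plus a GenerateKey() helper backed by a cryptographic RNG), as an added example that is not part of the original thread. It assumes .NET 8 and swaps in AES-GCM with a fresh nonce stored in front of each ciphertext, so only the key has to be shared; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical package class; every name here is an assumption, not from the thread.
public static class TextProtector
{
    private const int KeySize = 32;   // AES-256 key
    private const int NonceSize = 12; // AES-GCM nonce (the per-message "IV")
    private const int TagSize = 16;   // authentication tag

    // The client calls this once and keeps the result in its own secret store.
    public static string GenerateKey() =>
        Convert.ToBase64String(RandomNumberGenerator.GetBytes(KeySize));

    // Returns base64(nonce || tag || ciphertext); the nonce is not secret.
    public static string Encrypt(string plainText, string base64Key)
    {
        byte[] key = Convert.FromBase64String(base64Key);
        if (key.Length != KeySize) throw new ArgumentException("Key must be 32 bytes.");
        byte[] plain = Encoding.UTF8.GetBytes(plainText);
        byte[] output = new byte[NonceSize + TagSize + plain.Length];
        RandomNumberGenerator.Fill(output.AsSpan(0, NonceSize)); // fresh nonce per message
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(output.AsSpan(0, NonceSize), plain,
                    output.AsSpan(NonceSize + TagSize), output.AsSpan(NonceSize, TagSize));
        return Convert.ToBase64String(output);
    }

    public static string Decrypt(string base64Cipher, string base64Key)
    {
        byte[] key = Convert.FromBase64String(base64Key);
        byte[] input = Convert.FromBase64String(base64Cipher);
        if (key.Length != KeySize || input.Length < NonceSize + TagSize)
            throw new ArgumentException("Malformed key or ciphertext.");
        byte[] plain = new byte[input.Length - NonceSize - TagSize];
        using var aes = new AesGcm(key, TagSize);
        // Throws CryptographicException if the key is wrong or the data was altered.
        aes.Decrypt(input.AsSpan(0, NonceSize), input.AsSpan(NonceSize + TagSize),
                    input.AsSpan(NonceSize, TagSize), plain);
        return Encoding.UTF8.GetString(plain);
    }

    public static void Main() // demo: key constructed here, normally read from config
    {
        string key = GenerateKey();
        Console.WriteLine(Decrypt(Encrypt("hello", key), key));
    }
}
```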