
[I am new to security so, I apologize if I am asking something obvious]

I am working on making an existing UWP application have encrypted local communication over Ethernet (TCP) with a local embedded device. Here's step 1:

Step 1

Step 1 is to have some EC keys securely stored for the UWP application to consume. These keys shall be used to sign the session keys in the further steps.

As you must've guessed by now, these keys should not be available even if someone decompiles the application and sniffs around for them. Almost all the implementation examples I saw recommend using the DataProtectionProvider class to protect these keys at rest. I can't use that class because the private keys need to be hard-coded into the application, which isn't very good.

Can you please tell me the following:

  1. How can I get the ECDSA keys for loading into the application? I know I can use OpenSSL to generate a keypair but my computer may not have a TRNG.
  2. How can I load the private key into the UWP application in a way that I am not hard-coding the private component into the application itself?
  3. After loading the key, what should I do to isolate it from being read by other malicious applications?

Is there any cloud offering from Azure/likes to do this for us?

Thanks in advance!

Teja
  • Regarding #3: The computer owner is far more powerful than any installed application. "Isolation" in UWP means protection against Store apps accessing the data, but it still will be visible to desktop apps and side-loaded UWP apps that use desktop APIs. Even if you succeeded in deploying anti-debug that prevented access from desktop apps, the computer owner can still load drivers which operate in kernel mode with no restrictions whatsoever. – Ben Voigt Mar 17 '22 at 15:34
  • Basically, [you lose control of anything you put on someone else's computer.](https://stackoverflow.com/a/4532568/103167) You can store the secret in the cloud and only do operations on behalf of the UWP app instead of letting it download the secrets... but that just moves your problem. Now how do you restrict access to the cloud service without having a secret in the app where the user can learn it? – Ben Voigt Mar 17 '22 at 15:37
  • Exactly! I've been reading up on using [Azure Key Vault](https://azure.microsoft.com/de-de/services/key-vault/#documentation) to do this but it requires us to embed the URL and other variables in the code to access the vault itself! This is the classic chicken-and-egg problem. I am clueless as to how to proceed further. – Teja Mar 17 '22 at 15:43
  • Well, moving the "sign the session keys" operation to a webservice does allow your one-key-to-rule-them-all to remain hidden, and each user merely knows a password for his own cloud account. **That's a much better revocation story than if you allowed the private half of a keypair burned into device firmware to escape into the wild.** That's not achieved with a "Key Vault" though, it's a proxy / agent pattern. And even then, that user's password will work just as well to invoke the cloud service from unofficial software as it does for your official application. – Ben Voigt Mar 17 '22 at 15:48
  • Thank you so very much for giving your insights! I do appreciate it very much. Do you think one-key-to-rule-them-all is a bad idea? If you think that's the case, what would you rather I do to perform ECDH with the Embedded Device and then derive symmetric keys? – Teja Mar 17 '22 at 16:05
