Where to Store Encryption Keys MVC Application

牧云@^-^@ 提交于 2019-12-04 10:32:08

问题


I am using a AES encryption/decryption class that needs a key value and vector value encrypt and decrypt data in an MVC3 application.

On saving the record I am encrypting the data then storing in a database. When i retrieve the record i am decrypting in the controller and passing the unencrypted value to the view.

The concern is not protecting data as it traverses the network but to protect the database should it be compromised.

I have read many posts that say dont put the keys for encryption in your code.

Ok so where should they be kept? File system? Another Database?

Looking for some direction.


回答1:


Common sense says, if an intruder gets access to your database, they will most likely also have access to your file system. It really comes down to you. For one, you can try to hide it. In configuration files, in plain files somewhere in file system, encrypt it with another key that is within the application ... and so on and so forth.

Configuration files are a logical answer, but why take a chance - mix it. Feel free to mix keys with multi-level encryptions - one requiring something from the record itself and being unique to every record, other one requiring a configuration value, third one requiring an application-specific value, and perhaps a fourth one from a library hidden well within your application's references? This way, even if one layer somehow gets compromised, you will have several others protecting it.

Yes, it adds overhead. Yes, it is relatively expensive. But is it worth it if you have sensitive data like user credit card details? You bet it is.

I'm using similar encryption and hashing techniques in one of my personal pet projects that is highly security focused and carefully controlled. It depends how much data you need to display at any one time - for example, mine will ever fetch only 10 records at a time, most likely even less.

... To specify what I mean by mixing: Encrypt once. Then encrypt that data again with different key and suggestedly different algorithm.




回答2:


I would use Registry Keys protected by ACL, so only the account under which your app pool is running can read them.



来源:https://stackoverflow.com/questions/10940985/where-to-store-encryption-keys-mvc-application

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!