Keeping Private Keys Private

After I posted the CodeProject article .NET Encryption Simplified, a reader asked this question in the comments:


This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2006/02/keeping-private-keys-private.html

And what about a shared environment? I’m thinking that the only solution is to host my website myself… When we put the website in one ISP I simply cannot sleep at night, thinking WHERE I will store my private keys… I think that Microsoft can think about this case when developing the next versions of the .NET Framework…

But if my application can access the private key when it needs to then can’t everyone’s application access the private key?

Unfortunately, ACLs are your only option:

http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToStoreSecretsOnAMachine.html

http://www.xbox-linux.org/wiki/The_Hidden_Boot_Code_of_the_Xbox

But what happens if someone finds out the hidden 512 bytes? Bunnie (http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html) did, Christmas 2001. He tapped the bus between the Southbridge (where the secret MCPX code is stored) and the Northbridge (the CPU’s memory interface) where all secret data gets transmitted. The compromise to store the secret ROM in the MCPX instead of the CPU, so that data would travel over a bus, finally broke the system.

And that, in a nutshell, is why the PK is embedded in the CPU hardware on the Xbox 360.

You could remove the PK and store it on a remote server, but that would require the Xbox 360 to be connected to the internet to even boot up… and I don’t think the world is quite ready for a console that refuses to boot until it is connected to the internet.

It would still be theoretically possible to modify the client hardware to do a no-op when it should be authenticating. This might be extraordinarily difficult, though.

It seems to me that Windows should be able to provide us with an internal keystore that can only be accessed by signed assemblies from a specific company. In other words, I sign all of my assemblies with a certificate and then “install” my key using this same certificate. Any application that has not been signed with that same certificate is denied access to the installed key.

Does this type of functionality exist in Windows? If so, where? If not, why?

Very nice. But if my application can access the private key when it needs to, then can’t everyone’s application access the private key? It seems like there needs to be an additional layer of protection there somewhere. How do we perform per-application (or even better, per-company) authentication before letting someone access the private keystore? Or is this what Windows is actually doing anyway?

Here is my other problem… I want to install and configure my program as an Administrator. But the user will “hopefully” be running my application as a Limited User. Doesn’t this negate the benefits of protecting with ACLs?

Sounds like you want hardware-level guarantees of security for a given piece of software. This means you wall off data from other apps and the user.

E.g., Microsoft Palladium or NGSCB, which will be in Vista…

http://www.microsoft.com/technet/archive/security/news/ngscb.mspx

http://www.winsupersite.com/reviews/winvista_5270_03.asp

Jeff, that’s exactly what I’m looking for. Thanks!