I was just wondering about the following scenario: I have a certificate containing a private key in my Windows certificate store and would like to use it for signing stuff. Is it possible to let Windows do this, so that I do not need to make the private key accessible (like in TPM)? In case I really must make the private key accessible, how can I protect it from being accessed by other (potentially malicious) applications? Having a separate user account?
Thanks
Related
Currently, I have developed two desktop applications, one is C++ another is C#. The certificates have been stored in eToken and marked as non-exportable
I would like to get the private key from eToken through PKCS#11 library and transform or copy the private key into memory stream or byte array structures, and then pass the key object to the third party cryptography API (BC/OpenSSL) for data encryption/decryption.
How can I view or get the private key from the eToken which marked as non-exportable?
You can't extract a private key marked as non-exportable from your token and that's why is used. If you need to perform some operation you must send data to the token and then retrieve the result.
At least you could read the certificate inside the USB using the X509Store class (C#)
I've been tasked with signing some data with the C# RSACryptoServiceProvider.SignData() Method. In order to generate the public and private key i've used the RSACryptoServiceProvider and passed a keycontainername in order to store the keys safely.
When i run the MSDN example to generate a set of public/private keys on my machine with the fixed keycontainername, the expected public / private keys are generated every time the same.
This will work fine on a single server environment, however, we are operating on an elastic environment where the servers are load balanced. If i encrypt the data with a private key on any one single machine and store this data in through the RSACryptoServiceProvider the data will only exist at the machine level. Each machine will use a different key to sign the data and the user of the public key won't be able to verify the signature.
Is there any way i can store the key safely in a distributed environment?
Thanks
There are two that come to mind.
The first is use X509 certificates that contain the private key. You can use the X509Certificate2 class to get an RSACryptoServiceProvider instance that has the private key. The certificate and private key itself would be kept in the Windows certificate store. You can then limit access to the private key through the certificate store to certain accounts. You would then just install the certificate on each machine / AMI that needs it.
Your other option is to use an Hardware Security Module. AWS has a service called CloudHSM that allows you to use a network HSM inside of a VPC (I don't know how well that will work with Elastic Bean Stalk). The HSM vendor, SafeNet IIRC, allows installing a CSP that points to the HSM. You'd then give the RSACryptoServiceProvider a instance of CspParameters that accepts the container and CSP name.
The HSM solution is the most secure, albeit more complex and expensive.
I am using the RSACryptoServiceProvider and C#. I have a web server (A) that will be encrypting data and storing it in a database. I have another server (B) that will be reading the encrypted data and decrypting it. The private key will only ever live on server B.
I would like to limit private key access to my application and a very short list of domain users.
What is the best way to store the key so that it is safe from compromise by an unauthorized person?
You can use Windows RSA Key containers to store the key. The key can be installed / created by the aspnet_regiis.exe tool that ships with the .NET framework.
Here is a walkthrough.
The two options to look out for are:
-pi (installs a key to the RSA container)
-pa (managements permissions for the key)
How can I achieve the equivalent of setting the "strong private key protection" checkbox in certmgr.msc when adding an X509Certificate2 programmatically using C#?
You will have to setup the X509KeyStorageFlags accordingly when importing the certificate (i.e. MachineKeySet and UserProtected).
I'm trying to figure out if there is any way to have a .NET client use a client certificate without involving the Windows keystore in any way.
I have a code snippet like this:
test1.Service s = new test1.Service();
X509Certificate c = X509Certificate.CreateFromCertFile(#"C:\test.pem");
s.ClientCertificates.Add(c);
int result = s.TestMethod();
However, this only works if I also have the certificate referenced in "test.pem" installed in my certificate store. I assume this is because the key is necessary for the negotiation. If I don't have the cert/key in the store, the cert is not sent with the request.
What I want to do is be able to provide both the certificate and private key from a file or files and not involve the Windows certificate store in any way.
Is there any way to do this?
I'm going to post an answer to my own post, but will leave it open to see if others can solve it different.
Basically, I'm punting. If you have a PKCS12 file (with both key and cert in it) you can use the X509Certificate2 class to load that file and use it, and it won't interrogate the keystore.
I could not find a way to do this with flat PEM key and cert files (like what you'd need with Python, for example).