Encryption/Decryption in .NET

Question

I'm looking for a secure way to encrypt and decrypt a string in a Visual Studio Project (in C#). I found that there is native DES classes, but it's not secure enough. Do you have any suggestions?

UPDATE : OK then, the question is : What's the most secure way to encrypt/decrypt a string without too much hassle (aka having to install external tools, etc. An external library is fine though). And where to put the secret "key" (is compiling the value inside the code secure enough?).

Update #2 If I'm using something like this code to save encrypted string in a config file :

using System.Security.Cryptography;
using System.Security;
byte[] encrypted = ProtectedData.Protect(StrToByteArray("my secret text"), null, DataProtectionScope.LocalMachine);
byte[] derypted = ProtectedData.Unprotect(encrypted , null, DataProtectionScope.LocalMachine);

Is this secure enough? I guess that with the "LocalMachine" parameter instead of "User" parameter, somebody could just write an application in .net, put it on the machine and execute it to decrypt the encrypted string. So if I want it more secure, I'll have to have a config file different for each user? Am I understanding that correctly?

Answer 1

To answer your second question, no, storing the encryption key in the executable, even obfuscated, is not secure at all. It'll keep casual prying eyes out, but not those with an hour to devote to walking through your decompiled source.

Think hard about where to store your encryption key - it looks like that'll be your weak point. And yes, this is a hard problem to solve. The most secure way to store encryption keys is not to - require the user to type a password, or require external hardware, like a key fob.

If you're encrypting contents intended to be read only on a single machine or by a single domain user, consider the Data Protection API (DPAPI) . It takes the encryption key out of your hands - it uses the user's Windows credentials as the key.

I've got a little more detail in another answer here: Persistent storage of encrypted data using .Net

Regarding your second edit ( is DataProtectionScope.LocalMachine good enough? ); this MSDN blog entry summarizes it well:

Setting a scope of DataProtectionScope.CurrentUser encrypts the data so that only the currently logged on user can decrypt it. Switching to DataProtectionScope.LocalMachine allows any process running on the current machine to decrypt the data. This could be useful in a server scenario, where there are no untrusted logins to the machine, but for a general purpose workstation using LocalMachine encryption is almost equivalent to using no encryption at all (since anybody logged in can get at the data).

Answer 2

它也有AES 。

Answer 3

If I read your update correctly, you basically want to conceal some string constant from a sysadmin snooping around your assembly.

There is no way to make it impossible that someone with too much time extracts your string constant eventually. But you can annoy them, hoping that they give up trying before they unmask your secret.

One way to achieve that are Obfuscation Tools . These obfuscate your compiled assembly as much as possible, making it much harder to follow program flow when decompiling it with Reflector. Try it. If your string constant is still not hidden enough, you can additionally invent your own scheme to make it harder to find.

If you need more security, the almost only option is to not give the relevant parts of the code to the user. Create a web service that contains the secret parts of your application and secure the connection with SSL/TLS.

Answer 4

尝试使用AesManaged 。

Answer 5

That depends on your definition of secure enough. You may use triple DES. .Net also has native Rijandel class. Is it secure enough? http://www.obviex.com/samples/Encryption.aspx

Answer 6

Using a well tested and accepted library is a good idea too...

http://www.bouncycastle.org/csharp/