RE: Encryption Key Question

  Hard coding encryption keys into applications is *extremely* poor
practice.  The possibility of extracting the key from the binary is
only one of the problems with this approach.
  We have an application here which is coded that way.  One of my
concerns has to be that every copy of this application at every
customer site uses exactly the same hard-coded key, so the security
of our data can never be much more than that of the application's
LEAST secure customer site.

David Gillett


> -----Original Message-----
> From: David Heise [mailto:dheise@gmail.com]
> Sent: Friday, February 25, 2005 4:57 PM
> To: security-basics@securityfocus.com
> Subject: Encryption Key Question
>
>
> I have a situation which seems to be an endless loop but maybe someone
> out here can help me. I'm using SHA-256 has my hash function and AES
> as the encryption method. I have a byte array of data and a string
> that is the passphrase (currently the string is 306 characters long).
> I hash the passphrase and use it to encrypt the data. Since I'm
> writing this as part of an application I want to hardcode the
> passphrase into the application, however as a string it would be
> fairly simple to find it in the complied code.
>
> Here's my question:
> What is the best method of storing this passphrase internally in the
> application such that it would be as secure as possible?
>
>
>
> Unrelated Question:
> Is there any security hole in using the data as the key? (other than
> it makes it hard/impossible to get it back out)
>
>
> Thanks
> -- 
> David B Heise [dheise@gmail.com]
> http://students.cs.byu.edu/~dheise