
Improving Web Application Security: Threats and - CGISecurity


176 Part III: Building Secure Web Applications

using System.Security.Cryptography;

// Returns the largest key size, in bits, reported by the algorithm.
// LegalKeySizes is a zero-based array, so its last entry is at index
// Length - 1; indexing Length itself throws IndexOutOfRangeException.
private int GetLargestSymKeySize(SymmetricAlgorithm symAlg)
{
    KeySizes[] sizes = symAlg.LegalKeySizes;
    return sizes[sizes.Length - 1].MaxSize;
}

private int GetLargestAsymKeySize(AsymmetricAlgorithm asymAlg)
{
    KeySizes[] sizes = asymAlg.LegalKeySizes;
    return sizes[sizes.Length - 1].MaxSize;
}

Key Storage

Where possible, you should use a platform-provided encryption solution that enables you to avoid key management in your application. However, at times you need to use encryption solutions that require you to store keys. Using a secure location to store the key is critical. Use the following techniques to help prevent key storage vulnerabilities:

● Use DPAPI to avoid key management.
● Do not store keys in code.
● Restrict access to persisted keys.

Use DPAPI to Avoid Key Management

DPAPI is a native encryption/decryption feature provided by Microsoft Windows 2000. One of the main advantages of using DPAPI is that the encryption key is managed by the operating system, because the key is derived from the password that is associated with the process account (or thread account if the thread is impersonating) that calls the DPAPI functions.

User Key vs. Machine Key

You can perform encryption with DPAPI using either the user key or the machine key. By default, DPAPI uses a user key. This means that only a thread that runs under the security context of the user account that encrypted the data can decrypt the data. You can instruct DPAPI to use the machine key by passing the CRYPTPROTECT_LOCAL_MACHINE flag to the CryptProtectData API. In this event, any user on the current computer can decrypt the data.

The user key option can be used only if the account used to perform the encryption has a loaded user profile. If you run code in an environment where the user profile is not loaded, you cannot easily use the user store and should opt for the machine store instead.
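The following is an added example, not code from the book, showing the two DPAPI stores described above from managed code. It uses the System.Security.Cryptography.ProtectedData class (available in .NET Framework 2.0 and later, and on Windows in modern .NET via the System.Security.Cryptography.ProtectedData package) rather than calling CryptProtectData directly; DataProtectionScope.LocalMachine corresponds to the CRYPTPROTECT_LOCAL_MACHINE flag. The class name, the entropy string and the sample key are constructed for this example. Because the machine store lets any account on the computer decrypt the blob, the example also shows the optional entropy parameter, which must be supplied again at decryption time, and the CryptographicException that results when it is missing.

```csharp
// Added example (not from the book): protecting an encryption key with DPAPI
// through the managed ProtectedData wrapper. Windows only.
using System;
using System.Security.Cryptography;
using System.Text;

static class KeyProtectionExample   // hypothetical class name
{
    // Application-supplied entropy (constructed sample value). DPAPI mixes it
    // into the protection, so a caller that does not know it cannot decrypt
    // even when it runs on the same machine. Treat it like a secret: do not
    // hard-code it in production; this literal is for the demonstration only.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    // User store (DPAPI default): only code running under the same user account,
    // with that user's profile loaded, can decrypt the returned blob.
    public static byte[] ProtectForCurrentUser(byte[] key) =>
        ProtectedData.Protect(key, null, DataProtectionScope.CurrentUser);

    // Machine store (equivalent of CRYPTPROTECT_LOCAL_MACHINE): any account on
    // this computer can decrypt, so pair it with entropy and a restrictive ACL
    // on wherever the blob is persisted. Use this when the process account has
    // no loaded profile (e.g. many service accounts).
    public static byte[] ProtectForMachine(byte[] key) =>
        ProtectedData.Protect(key, Entropy, DataProtectionScope.LocalMachine);

    public static byte[] UnprotectForMachine(byte[] blob) =>
        ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.LocalMachine);

    static void Main()
    {
        // Constructed sample: a fresh 256-bit symmetric key to be persisted.
        byte[] key = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
        }

        byte[] userBlob = ProtectForCurrentUser(key);
        byte[] machineBlob = ProtectForMachine(key);
        Console.WriteLine($"user blob: {userBlob.Length} bytes, machine blob: {machineBlob.Length} bytes");

        // Round trip through the machine store with the correct entropy.
        byte[] recovered = UnprotectForMachine(machineBlob);
        Console.WriteLine("machine round trip ok: " +
            (Convert.ToBase64String(recovered) == Convert.ToBase64String(key)));

        // Without the entropy, DPAPI refuses to decrypt the machine-store blob.
        try
        {
            ProtectedData.Unprotect(machineBlob, null, DataProtectionScope.LocalMachine);
            Console.WriteLine("unexpected: decrypted without entropy");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("decrypt without entropy failed as expected: " + ex.Message);
        }

        // Never leave plaintext key material lying around longer than needed.
        Array.Clear(key, 0, key.Length);
        Array.Clear(recovered, 0, recovered.Length);
    }
}
```

The user-store blob is not exercised across accounts here because that requires a second logon session; in practice, a service account without a loaded profile will fail on the CurrentUser call, which is the situation in which the text recommends the machine store.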
