Question

I'm new to cryptography. I've read that symmetric and asymmetric algorithms use one and two encryption keys respectively, and these keys must be stored somewhere safe. But when I searched the web to find tutorials about how to do encryption in ASP.NET I found something strange to me! For example this tutorial.

There is no public or private key stored or supplied when encrypting or decrypting data! I can't understand.

Another problem I have is that all the tutorials I've found till now are just code without any explanation of what the code is and why it is used. I appreciate any good tutorial suggestions.


Solution

From RSACryptoServiceProvider Constructor:

If no default key is found, a new key is created.

This constructor creates an Exchange key pair suitable to encrypt session keys so that they can be safely stored and exchanged with other users. The generated key corresponds to a key generated using the AT_KEYEXCHANGE value used in the unmanaged Microsoft Cryptographic API (CAPI).

So it is just generating a new key pair if it can't find one that was created already; you should not use this for anything other than session-based data.


A little background (I'm assuming you're using Windows): asymmetric key pairs are associated with certificates. These certificates are what you use to place trust in asymmetric keys. Every certificate can be signed by a certificate authority (which is the authority that issues the asymmetric keys); if you trust the certificate authority, then you trust the asymmetric keys which belong to a certificate signed by that authority. All these certificates are stored in your "Certificate Store", aka "Key Store" (Java) or "Key Ring" (Mac).

You can view your certificates by doing Start > Run > certmgr.msc. Your certs are under Personal > Certificates. If you open one up, and go to the Certificate Path tab, you will see the certificate chain up to a certificate authority. If that "root" certificate, which belongs to the certificate authority, is found in your Trusted Root Certification Authorities > Certificates store, then the certificate is considered valid and trusted.

If you want to encrypt something for a user, you should go into his certificate store and pull out his encryption certificate. To do this, you should open up the "Current User's" key store, iterate through all the certificates in there, and pick out the ones with the key usage of "Key Encipherment"; if there is more than one, ask the user which he wants to use.

If you want to encrypt something using a service account (for example if you were a web server) you should use certificates found in the "Local Machine" key store, and only grant your service account read access to the private key associated with the certificate you want to use.

This can be done using the X509Store class, for example:

using System.Security.Cryptography.X509Certificates;

X509Store certificateStore = new X509Store("MY", StoreLocation.CurrentUser);
certificateStore.Open(OpenFlags.ReadOnly); // the store must be opened before its Certificates collection is populated
X509Certificate2Collection allCertificates = certificateStore.Certificates;
// Iterate through all certificates (e.g. filter on the "Key Encipherment" key usage)

"MY" represents personal certificates, the rest can be found here. CurrentUser represents user keys, the other option is LocalMachine.

Once you have the certificate you want to use, you should use the public key for encryption, and the private key for decryption, in conjunction with a symmetric key. So if you had a big set of data you wanted to encrypt, what you would do is:

  1. Get certificate
  2. Pull public key from certificate
  3. Generate symmetric key (AES)
  4. Encrypt data with symmetric key
  5. Encrypt symmetric key with public key
  6. Store encrypted symmetric key with the encrypted data, along with an identifier (Serial Number) for the certificate you used to encrypt

When you decrypt you should:

  1. Read serial number from encrypted data
  2. Pull certificate, from key store, with that serial number
  3. Pull private key out of that certificate
  4. Decrypt symmetric key with that private key
  5. Decrypt data with that symmetric key
  6. Use data

I have a bunch of code samples which accomplish this if you would like to take a look, just let me know which section you need help with.

That was probably a little confusing, so let me know what you want clarified.
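The twelve steps listed in the answer, carried through end to end as an added example (this is not the answerer's code and not part of the original post). It assumes .NET 8 or later, RSA-OAEP with SHA-256 for wrapping the symmetric key and AES-GCM for the data, and uses a self-signed certificate generated in memory so it runs offline; the names HybridEnvelope, Encrypt, Decrypt and FindInStore are hypothetical helpers introduced here, not a .NET API. The certificate's serial number is stored in the envelope so the decrypting side can locate the right certificate, exactly as steps 6 and 1 of the two lists describe.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Hypothetical helper (not a .NET type): performs the answer's encrypt steps 1-6 and decrypt steps 1-6.
public static class HybridEnvelope
{
    // Encrypt steps 2-6. Only the certificate's public key is needed here.
    public static byte[] Encrypt(X509Certificate2 recipientCert, byte[] plaintext)
    {
        using RSA publicKey = recipientCert.GetRSAPublicKey()             // step 2
            ?? throw new ArgumentException("certificate does not carry an RSA public key");

        byte[] aesKey = RandomNumberGenerator.GetBytes(32);               // step 3: fresh 256-bit AES key
        byte[] nonce = RandomNumberGenerator.GetBytes(AesGcm.NonceByteSizes.MaxSize); // 96-bit nonce, never reused with a key
        byte[] tag = new byte[AesGcm.TagByteSizes.MaxSize];               // 128-bit authentication tag
        byte[] ciphertext = new byte[plaintext.Length];

        using (var aes = new AesGcm(aesKey, tag.Length))                  // step 4: bulk data under the symmetric key
            aes.Encrypt(nonce, plaintext, ciphertext, tag);

        byte[] wrappedKey = publicKey.Encrypt(aesKey, RSAEncryptionPadding.OaepSHA256); // step 5
        CryptographicOperations.ZeroMemory(aesKey);                       // the raw AES key is not needed any more

        // Step 6: serial number || wrapped key || nonce || tag || ciphertext, each length-prefixed.
        using var ms = new MemoryStream();
        using (var w = new BinaryWriter(ms, Encoding.UTF8, leaveOpen: true))
        {
            w.Write(recipientCert.SerialNumber);                          // identifier for the certificate used
            WriteBlob(w, wrappedKey); WriteBlob(w, nonce); WriteBlob(w, tag); WriteBlob(w, ciphertext);
        }
        return ms.ToArray();
    }

    // Decrypt steps 1-5. findCertBySerial resolves the serial number against whatever key store applies.
    public static byte[] Decrypt(byte[] envelope, Func<string, X509Certificate2?> findCertBySerial)
    {
        using var r = new BinaryReader(new MemoryStream(envelope), Encoding.UTF8);
        string serial = r.ReadString();                                   // step 1
        X509Certificate2 cert = findCertBySerial(serial)                  // step 2
            ?? throw new CryptographicException($"no certificate with serial {serial} in the key store");
        byte[] wrappedKey = ReadBlob(r), nonce = ReadBlob(r), tag = ReadBlob(r), ciphertext = ReadBlob(r);

        using RSA privateKey = cert.GetRSAPrivateKey()                    // step 3: fails if the caller lacks key access
            ?? throw new CryptographicException("no accessible private key for this certificate");
        byte[] aesKey = privateKey.Decrypt(wrappedKey, RSAEncryptionPadding.OaepSHA256); // step 4
        byte[] plaintext = new byte[ciphertext.Length];
        try
        {
            using var aes = new AesGcm(aesKey, tag.Length);
            aes.Decrypt(nonce, ciphertext, tag, plaintext);               // step 5: throws if any byte was tampered with
        }
        finally { CryptographicOperations.ZeroMemory(aesKey); }
        return plaintext;                                                 // step 6: use the data
    }

    // How decrypt step 2 looks against the Windows key store the answer describes (CurrentUser / "MY").
    public static X509Certificate2? FindInStore(string serial)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(X509FindType.FindBySerialNumber, serial, validOnly: false);
        return matches.Count == 0 ? null : matches[0];
    }

    private static void WriteBlob(BinaryWriter w, byte[] b) { w.Write(b.Length); w.Write(b); }
    private static byte[] ReadBlob(BinaryReader r) => r.ReadBytes(r.ReadInt32());

    public static void Main()
    {
        // Constructed test certificate (self-signed, in memory) standing in for a store certificate.
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=example recipient", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment, critical: true));
        using X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));

        byte[] envelope = Encrypt(cert, Encoding.UTF8.GetBytes("payroll export, constructed sample"));
        // In-memory resolver; swap in FindInStore to resolve against the real certificate store.
        byte[] recovered = Decrypt(envelope, serial => serial == cert.SerialNumber ? cert : null);
        Console.WriteLine(Encoding.UTF8.GetString(recovered));

        envelope[envelope.Length - 1] ^= 0x01;                            // flip one ciphertext bit
        try { Decrypt(envelope, _ => cert); }
        catch (CryptographicException) { Console.WriteLine("tampered envelope rejected by the GCM tag"); }
    }
}
```

AES-GCM is used rather than plain AES-CBC so that a modified ciphertext is rejected instead of silently decrypting to garbage, and RSA-OAEP rather than PKCS#1 v1.5 for the key wrap. When the resolver is FindInStore, the service-account advice in the answer applies unchanged: grant that account read access to the private key of the one certificate it should use, and GetRSAPrivateKey will fail for any other.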

Licensed under: CC-BY-SA with attribution