I have a desktop application where the user has a library of encrypted ZIP files. The configuration file holds the master password to decrypt these ZIPs. The idea is that the user enters the program password they chose when they installed the application to open the program and that password is used to decrypt the master password stored in the configuration file.

The main point of all of this security is that even if someone had access to the hard disk and user’s Windows account, they still can’t get inside the ZIP files without their password, ideally.

To validate the program password the user typed in I’m using the C# hashing code (converted to VB) from here (at the bottom of the page):

http://crackstation.net/hashing-security.htm

So far so good. We’re only storing a hash of the program password, so a hacker couldn’t read it by looking at the config file.

Now, I’m trying to implement encryption as found here:

http://msdn.microsoft.com/en-us/library/yx129kfs.aspx

Actual Question:

So which of the following gets stored as plain text in the config file to be used to decrypt the ZIP master password at runtime with the program password the user entered?

• The salt used to generate the encryption key (can this be the same as
  the salt used to hash the password as above?)

• The initialization vector (IV)?

• The encryption key? (Probably not…) (k1 in MS’s example)

• The decryption key? (k2 in MS’s example)

In MS’s example, they’ve got the encryption and decryption all jumbled up together… I’ve got a lot of pieces but I don’t know how to put them together…

Update

I’ve read that AES encryption is more secure than the Triple DES encryption MS is using in their example above. Seeing that we’re using AES on the zip files, it would be nice to use AES for the ZIP file password too.

So, how can I combine this AES example:

http://msdn.microsoft.com/en-us/library/system.security.cryptography.aescryptoserviceprovider.aspx#Y2300

With PBKDF2 to generate the encryption key?