I need some advice on a school project I am working on. I am making an AES app for encrypting data in some files. Now these files can be accessed by many people.
For the AES key, I was thinking of using Rfc2898DeriveBytes to get an encryption key from a passphrase. MSDN has some good tutorials on how to use it. Now, my problem is: where and how to store that key?
I wanted to store the key in a file on a flash drive, but if there are many users, then how to write the key to many flash drives at the same time? (A computer can have only a limited number of ports.) Also, let's say I have a new user who should have access rights to some file, how do I write the key to his flash drive?
It really depends on the goal of your application.
If the intent is to encrypt the data such that any user of your application can access it, then it is more appropriate to embed the key (or, even safer, data from which to derive the key) in the application itself.
If access is to be restricted on a per user basis, then the key (or data from which to derive the key) will need to be stored on a per user basis (so that it is only available to authorized users).
A couple tips on using embedded security data:
Break the data up into pieces that can be pulled from various places within the application. Use a custom algorithm to assemble the data.
It is much safer to embed data from which to derive your key than to embed the key itself. If a hacker uses a binary editor and finds your key intact in the application, it will be much easier to decrypt the files. If the same hacker finds the data from which to derive the key, he still must determine the algorithm you’ve used to derive the key from that data before it would be usable.
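
One way to store the key on a per-user basis, as the answer describes, shown as an added example that is not part of the original posts: a random file key is wrapped under each user's passphrase-derived key (PBKDF2 via Rfc2898DeriveBytes), so granting a new user access means storing one more wrapped copy. It assumes .NET 8; the `KeyWrap` and `WrappedKey` names, the passphrases and the iteration count are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

// Constructed sample data: one random file key and two users' passphrases.
byte[] fileKey = RandomNumberGenerator.GetBytes(32); // this key encrypts the file
WrappedKey alice = KeyWrap.Wrap(fileKey, "alice-passphrase (constructed)");
// A new user gets access by wrapping the same file key once more;
// the file itself is not re-encrypted and no other user's copy changes.
WrappedKey bob = KeyWrap.Wrap(fileKey, "bob-passphrase (constructed)");

byte[] recovered = KeyWrap.Unwrap(bob, "bob-passphrase (constructed)");
Console.WriteLine($"bob recovers file key: {recovered.SequenceEqual(fileKey)}");
try { KeyWrap.Unwrap(alice, "wrong passphrase"); }
catch (CryptographicException) { Console.WriteLine("wrong passphrase rejected"); }

// What is stored per user: nothing here is secret without the passphrase.
record WrappedKey(byte[] Salt, byte[] Nonce, byte[] Ciphertext, byte[] Tag);

static class KeyWrap
{
    const int Iterations = 600_000; // assumed work factor; tune for your hardware
    const int TagSize = 16;         // AES-GCM authentication tag length in bytes

    // Derive a 256-bit key-encryption key from the passphrase and a per-user salt.
    static byte[] Derive(string passphrase, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, Iterations, HashAlgorithmName.SHA256, 32);

    public static WrappedKey Wrap(byte[] fileKey, string passphrase)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);  // fresh salt per user
        byte[] nonce = RandomNumberGenerator.GetBytes(12); // fresh nonce per wrap
        byte[] ciphertext = new byte[fileKey.Length];
        byte[] tag = new byte[TagSize];
        using var aes = new AesGcm(Derive(passphrase, salt), TagSize);
        aes.Encrypt(nonce, fileKey, ciphertext, tag);
        return new WrappedKey(salt, nonce, ciphertext, tag);
    }

    public static byte[] Unwrap(WrappedKey w, string passphrase)
    {
        byte[] fileKey = new byte[w.Ciphertext.Length];
        using var aes = new AesGcm(Derive(passphrase, w.Salt), TagSize);
        // Throws CryptographicException if the passphrase or stored data is wrong.
        aes.Decrypt(w.Nonce, w.Ciphertext, w.Tag, fileKey);
        return fileKey;
    }
}
```

Removing a user's wrapped copy stops future unwrapping, but anyone who already unwrapped the file key still knows it, so revocation also means re-encrypting the file under a new key.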