This is a Silverlight 4-specific question. Silverlight 5 Beta already addresses this concern by providing ProtectedData and DPAPI access.
This is not a question relating to how to store a user's password; for that, hashing is the answer.
How do I store a secret in the client, in a way which will not be vulnerable to a memory dump or reflection/decompilation?
Or do you think SSL is secure enough and no further encryption of data is necessary? An example would be a user submitting a password change request, in which old and new password must be sent to the server for the operation. Assume that the data on the server is secure in memory and at rest.
It isn’t ever safe to store your private key on the client… That’s why it’s private 🙂
SSL is 128-bit (minimum) and is much more than adequate for any of your needs, so long as you force SSL. If you're really concerned, up your SSL bitrate and there you go.
“256 bits is roughly equal to the number of atoms in the universe.”
“Brute force techniques are considered impractical because modern encryption algorithms are 128 to 256 bits long.”
http://www.zdnet.com/blog/ou/is-encryption-really-crackable/204
If the client has the program, there is always a chance to get your stored key if you embed it in the program.
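The following is an added example, not code from the original thread or from Silverlight itself, illustrating the point of the comment above: a key embedded in a client program can be pulled out of the binary without any reflection or decompilation at all, simply by scanning for high-entropy blobs. The "assembly" below is a constructed byte string of string-table entries (the service name, a placeholder URL and a base64-encoded 256-bit key are all assumptions made up for the demonstration); the scanner is the same entropy heuristic that secret-scanning tools use, and it separates the key from ordinary identifiers and URLs.

```python
import base64
import math
import re

# Constructed sample data (not a real Silverlight/.NET file): a handful of
# string-table entries as a decompiler or `strings` would list them, with one
# base64-encoded AES-256 key that the developer "hid" in the client.
EMBEDDED_KEY = bytes.fromhex(
    "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"
)
STRING_TABLE = [
    b"System.Windows.Controls",
    b"PasswordChangeService",                     # assumed class name
    b"https://example.invalid/PasswordService.svc",  # assumed placeholder URL
    base64.b64encode(EMBEDDED_KEY),              # the embedded secret
    b"Password changed successfully",
    b"Silverlight 4 client",
]
FAKE_ASSEMBLY = b"\x00".join(STRING_TABLE) + b"\x00"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Runs of base64 alphabet characters of at least 20 chars, optional padding.
BASE64_RE = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")


def find_candidate_secrets(blob: bytes, min_entropy: float = 4.0) -> list:
    """Return decoded byte strings that look like embedded keys.

    A token qualifies when it is valid base64, decodes to at least 16 bytes
    (128 bits) and the decoded bytes have high entropy. Identifiers such as
    'PasswordChangeService' fail base64 validation or the length check;
    random key material passes.
    """
    found = []
    for match in BASE64_RE.finditer(blob):
        token = match.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(raw) >= 16 and shannon_entropy(raw) >= min_entropy:
            found.append(raw)
    return found


if __name__ == "__main__":
    for secret in find_candidate_secrets(FAKE_ASSEMBLY):
        print("candidate key:", secret.hex(), "entropy=%.2f" % shannon_entropy(secret))
```

Obfuscating the key (XOR-masking it, splitting it across constants) does not change the outcome: the client must contain everything needed to reconstruct the key at runtime, so the attacker who has the client has it too. Whatever the client can decrypt, the attacker can decrypt.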