What are the best practices, for doing this in .NET?
My problem is, I want to interact with a webservice, I have created. To make sure no “creative” user, can abuse the service, I want to encrypt the argument (the output is sensitive).
I thought I was being clever, by using webservices, instead of having my application go directly into our DB, but I am apparently not clever enough, to know what to do with the key.
So, how do I store the key, I encrypt the argument with, in my locally installed application?
I would, of course, like to prevent “creative” users, from being able to retrieve it.
I suppose I could feed the key, from a webservice instead, but I don’t really see any benefits to this. People can still just invoke the service, and get the key.
TL;DR
Generally speaking, how do I handle encryption/decryption keys in .NET, when everyone can decompile the code, and get the key (if it is stored in the code)?
A simple way is to store the key in configuration, then encrypt the configuration file (either
web.configorapp.config) – details are here.Another approach is to secure the link to the Web service using a certificate, and embed the certificate into the application as a resource. This would then stop very creative users from using e.g. Wireshark to read the traffic going to and from the service. Details on that are here.