storing passwords


nestochi
March 7th, 2003, 02:37 PM
hi,
i have to store some passwords that my application uses to log in to database servers. since i need the real password, i cannot use a hash.
i've currently tested 3-DES and RC4, and now i can encrypt and decrypt the passwords.
the problem i see is that the master key i use is hard-coded in my application. maybe that is not safe enough.
is there a better way to do this? i am mostly worried about how to store the master key.

thanks.

Sorry, i made a mistake and posted this twice.

j0nas
March 7th, 2003, 03:14 PM
You can add some obscurity by for instance generating a salt + finger print data of the computer and combine that with the hard coded key.

When you install the app, generate a good random number (let's say 16 bytes) as a salt. Store the salt in the registry. Take some finger print data of the computer, like the hard disk serial number and MAC address (the more, the better).

Hash and/or XOR the hard coded key + salt + finger print data to derive your real encryption/decryption key.

That should be secure enough. maybe...

Good luck.

mwilliamson
March 7th, 2003, 04:30 PM
I don't think the registry keys or in executable strings make it any harder. I can easily see which registry keys you read and which bytes of data in your executable are read. I think the best method is to use a bunch of system constants. System/User SID, MAC, Volume serial, drive size, etc. The disadvantage of this is that if the user gets a new hard drive or network card you won't be able to decrypt your data.
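
The derivation j0nas describes (hard-coded key + stored salt + machine fingerprint) and the failure mode mwilliamson points out (new disk or NIC means the key can no longer be reproduced), as an added example that is not code from either poster. Everything in it is an assumption for illustration: the hard-coded key value is constructed, the fingerprint fields are passed in as strings rather than read from the OS, and PBKDF2-HMAC-SHA256 stands in for the "hash and/or XOR" step. It also adds a key-check value stored beside the encrypted passwords so the application can tell "fingerprint changed" apart from "decryption produced garbage":

```python
import hashlib
import hmac
import os

# Constructed stand-in for the key compiled into the application.
HARD_CODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def make_salt() -> bytes:
    """Random 16-byte salt generated once at install time and stored (e.g. in the registry)."""
    return os.urandom(16)


def machine_fingerprint(disk_serial: str, mac_address: str) -> bytes:
    """Combine machine-specific values into one byte string.

    Real code would read these from the OS; here they are parameters so the
    derivation runs offline. Each field is length-prefixed so that different
    field boundaries cannot produce the same byte string.
    """
    out = b""
    for field in (disk_serial, mac_address):
        data = field.encode()
        out += len(data).to_bytes(2, "big") + data
    return out


def derive_key(salt: bytes, fingerprint: bytes, iterations: int = 100_000) -> bytes:
    """Derive the real 24-byte (3-DES sized) key from key + salt + fingerprint.

    PBKDF2-HMAC-SHA256 is used instead of a plain hash or XOR: the hard-coded
    key is the "password", salt || fingerprint is the salt, and the iteration
    count slows down anyone guessing the hard-coded key from a captured
    ciphertext, salt and fingerprint.
    """
    return hashlib.pbkdf2_hmac("sha256", HARD_CODED_KEY, salt + fingerprint,
                               iterations, dklen=24)


def key_check_value(key: bytes) -> bytes:
    """Tag stored next to the encrypted passwords at install time.

    It lets the application detect that the derived key no longer matches
    (hardware changed) before it tries to decrypt anything.
    """
    return hmac.new(key, b"key-check", "sha256").digest()


def key_still_valid(key: bytes, stored_check: bytes) -> bool:
    """Constant-time comparison of the freshly derived key against the stored tag."""
    return hmac.compare_digest(key_check_value(key), stored_check)


if __name__ == "__main__":
    # Install time: generate salt, derive key, store salt + check value.
    salt = make_salt()
    fp_install = machine_fingerprint("WD-1234", "00:11:22:33:44:55")  # constructed values
    key = derive_key(salt, fp_install)
    stored_check = key_check_value(key)

    # Later run on the same machine: key reproduces, passwords can be decrypted.
    print("same hardware ->", key_still_valid(derive_key(salt, fp_install), stored_check))

    # Later run after a disk swap: key differs, and the check value reveals it.
    fp_new_disk = machine_fingerprint("WD-9999", "00:11:22:33:44:55")  # constructed values
    print("new disk      ->", key_still_valid(derive_key(salt, fp_new_disk), stored_check))
```

The check value only detects the mismatch; it does not recover the data, which is exactly mwilliamson's objection. Note also what the fingerprint buys: someone who copies the salt and ciphertext off the machine cannot derive the key without the fingerprint, but someone who can run code on that machine still can, so this raises the cost of offline recovery rather than protecting the master key from a local reverse engineer.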

j0nas
March 7th, 2003, 04:40 PM
Originally posted by mwilliamson
I don't think the registry keys or in executable strings make it any harder. I can easily see which registry keys you read and which bytes of data in your executable are read.

The salt does not need to be hidden or any such thing. It was purely meant for making dictionary attacks more difficult.

nestochi
March 10th, 2003, 08:35 AM
i will try some work based on your suggestions.

thanks a lot.