Storing authentication keys in Windows key container

0 votes
asked Apr 17 by mwgevans (180 points)

I would like to generate and store the private authentication key for an SFTP connection securely. I would then like to display the public key for copying and pasting into the sftp server. I am unclear where the keys are stored in your examples, and if they are secure.

Any help or advice appreciated!

Applies to: Rebex SFTP

1 Answer

0 votes
answered Apr 17 by Lukas Pokorny (93,630 points)

Our examples use private keys stored in password-encrypted key files. A public key can either be retrieved from a decrypted private key file, or kept separately in an unencrypted form.

An alternative to this would be to use Windows private key storage. This makes it possible, for example, to generate and store a private key that cannot be exported from the key storage.

However, Windows private key storage is somewhat complicated to work with if the private keys are not associated with X.509 certificates. X.509 certificates are seldom used with SSH, but using dummy certificates (that would essentially only serve as metadata for SSH keys) might actually be a suitable approach. If you are interested in this, please let us know.

commented Apr 17 by mwgevans (180 points)
Hi, I had hoped to use the Windows private key storage as outlined in this MS post.
https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-store-asymmetric-keys-in-a-key-container
This seems to allow me to create and retrieve keys relatively easily, but then it reaches the edges of my knowledge with keys - how to present the public key for passing to an SSH server and how to use the private key with your modules!
commented Apr 18 by Lukas Pokorny (93,630 points)
Thanks for the clarification! Storing and retrieving Windows private key storage keys is in fact quite simple. However, related tasks are more complicated: 1) To enumerate private keys, P/Invoke to native API is needed (see https://security.stackexchange.com/a/102923). 2) In order to retrieve a public key corresponding to a private key, you would have to acquire the private key first, which is undesirable. 3) As far as we know, there is no way to keep metadata with the private key in the store. A custom database seems like the best solution.
commented Apr 18 by Lukas Pokorny (93,630 points)
However, presenting these keys to an SSH server is straightforward - to create an instance of SshPrivateKey class (used by Rebex SFTP/SSH at the client side) from RSACryptoServiceProvider, just call the appropriate constructor: new SshPrivateKey(rsa)

To display the corresponding public key for copy-and-pasting to the server, retrieve the public key from SshPrivateKey and format it as required - check out https://www.rebex.net/sftp.net/features/private-keys.aspx#ssh-keygen for sample code suitable for adding the key to OpenSSH servers.
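The following is an added example (not from the original thread and not Rebex's own sample code) that ties together the two points above: the answer's suggestion of a non-exportable key in Windows private key storage, and this comment's `new SshPrivateKey(rsa)` plus an OpenSSH-formatted public key. It assumes the `SshPrivateKey` constructor accepting an `RSA` object lives in the `Rebex.Net` namespace, as the comment describes. The class name `WindowsSshKeyStore` and the helper methods are hypothetical; the OpenSSH line is built by hand from the public parameters (RFC 4253 `ssh-rsa` blob: string `"ssh-rsa"`, mpint `e`, mpint `n`) rather than through any Rebex formatting API, so the private key is never read while producing it.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Rebex.Net; // assumed namespace of SshPrivateKey (Rebex SFTP/SSH)

// Hypothetical helper class; names are this example's own, not Rebex API.
static class WindowsSshKeyStore
{
    // Open a named CSP key container, generating a 3072-bit RSA key on first use.
    // UseNonExportableKey asks the CSP to refuse export of the private material
    // (the "private key that cannot be exported" mentioned in the answer).
    // The key size is only honored when the container does not exist yet.
    public static RSACryptoServiceProvider GetOrCreateKey(string containerName, bool machineWide)
    {
        var csp = new CspParameters(24) // 24 = PROV_RSA_AES ("Microsoft Enhanced RSA and AES")
        {
            KeyContainerName = containerName,
            Flags = CspProviderFlags.UseNonExportableKey
        };
        if (machineWide)
            csp.Flags |= CspProviderFlags.UseMachineKeyStore; // otherwise per-user store

        var rsa = new RSACryptoServiceProvider(3072, csp);

        // Defender's check: make sure we really got a non-exportable key back.
        if (rsa.CspKeyContainerInfo.Exportable)
            throw new InvalidOperationException("Key container " + containerName + " is exportable.");
        return rsa;
    }

    // Wrap the CSP-backed key for the Rebex client (constructor named in the comment above).
    public static SshPrivateKey ToSshPrivateKey(RSACryptoServiceProvider rsa)
    {
        return new SshPrivateKey(rsa);
    }

    // Build an authorized_keys line from the public parameters only.
    // ExportParameters(false) works even for non-exportable keys, since only e and n are requested.
    public static string ToOpenSshPublicKeyLine(RSA rsa, string comment)
    {
        RSAParameters pub = rsa.ExportParameters(false);
        using (var blob = new MemoryStream())
        {
            WriteString(blob, Encoding.ASCII.GetBytes("ssh-rsa"));
            WriteMpint(blob, pub.Exponent);
            WriteMpint(blob, pub.Modulus);
            return "ssh-rsa " + Convert.ToBase64String(blob.ToArray()) + " " + comment;
        }
    }

    // SSH wire-format primitives (RFC 4251 section 5): uint32, string, mpint.
    static void WriteUInt32(Stream s, uint v)
    {
        s.WriteByte((byte)(v >> 24)); s.WriteByte((byte)(v >> 16));
        s.WriteByte((byte)(v >> 8));  s.WriteByte((byte)v);
    }

    static void WriteString(Stream s, byte[] data)
    {
        WriteUInt32(s, (uint)data.Length);
        s.Write(data, 0, data.Length);
    }

    // mpint is two's complement big-endian: strip redundant leading zeros, then
    // prepend 0x00 if the top bit is set so the value is not read as negative.
    static void WriteMpint(Stream s, byte[] unsignedBigEndian)
    {
        int start = 0;
        while (start < unsignedBigEndian.Length - 1 && unsignedBigEndian[start] == 0) start++;
        bool needPad = (unsignedBigEndian[start] & 0x80) != 0;
        int len = unsignedBigEndian.Length - start;
        WriteUInt32(s, (uint)(len + (needPad ? 1 : 0)));
        if (needPad) s.WriteByte(0);
        s.Write(unsignedBigEndian, start, len);
    }
}

static class Program
{
    static void Main()
    {
        // Container name is a constructed example value.
        using (RSACryptoServiceProvider rsa = WindowsSshKeyStore.GetOrCreateKey("ExampleSftpClientKey", machineWide: false))
        {
            // 1) Show the line to paste into the SFTP server's authorized_keys.
            Console.WriteLine(WindowsSshKeyStore.ToOpenSshPublicKeyLine(rsa, "sftp-client@example"));

            // 2) Hand the CSP-backed key to Rebex for authentication; private bytes stay in the CSP.
            SshPrivateKey key = WindowsSshKeyStore.ToSshPrivateKey(rsa);
            // var client = new Sftp(); client.Connect(host); client.Login(user, key); ...
        }
    }
}
```

Two caveats match the thread: the key container itself holds no metadata, so the container name (or a separate database, as the comment above suggests) is the only way to remember which key belongs to which server; and `UseMachineKeyStore` changes who can open the container, so pick the per-user store unless the client runs as a service account.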
commented Apr 18 by mwgevans (180 points)
Thanks for the pointers - that gives me something to play with!
...