
Exchanging secure data between exe and Service

I have a windows exe which has to write some secure data to HKEY_LOCAL_MACHINE (HKLM). I also have a service running as NetworkService account which has to read that secure data. Note that exe and service run as different users.

Problem here is with securing the data. I tried with CryptProtectData, but the problem is that the service cannot decrypt because the data was not encrypted using the NetworkService account. I don't want to use the CRYPTPROTECT_LOCAL_MACHINE flag while calling CryptProtectData, as any user can decrypt it, essentially making it insecure.

I am guessing that this is a common use case, but unable to find any solution. Any ideas please?

FYI, I am using Visual C++ to write the exe and the service.


You're trying to use the registry as an inter-process communication (IPC) mechanism and you're finding that it's not very elegant.

A better architecture for what you're looking for would be to handle the encryption / decryption totally within the service and use a real IPC mechanism (TCP sockets, mailslot, etc) to transfer the data from the EXE to the service for encryption.

Edit:

The registry doesn't sound like the right place for this data, encryption aside. Putting on my "sysadmin hat" I'd much rather have your data in the filesystem than in the registry. Using the registry as a store-and-forward queue mechanism gives me the willies.

Insofar as cryptographic architecture goes, I think you'd be best served using asymmetric encryption. Let the EXE encrypt the data using the service's public key. The service can decrypt the data with its private key.
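The scheme the answer proposes, worked through as an added example (not code from the question or the answer, and written in Go with only the standard library so it runs anywhere rather than in Visual C++ against CNG): the service owns an RSA key pair and hands its public key to the EXE; the EXE seals the secret under a fresh AES-GCM key and wraps that key with RSA-OAEP, so the stored blob is useless to any account that does not hold the service's private key. The hybrid construction is the assumption added here, because RSA-OAEP alone can only encrypt a payload smaller than the modulus; the `Envelope` layout and all function names are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the blob the EXE stores (registry value or file) for the service to read.
// Only the service's private key can unwrap WrappedKey, so other accounts reading the
// same store learn nothing.
type Envelope struct {
	WrappedKey []byte // 256-bit AES key, RSA-OAEP(SHA-256) encrypted to the service's public key
	Nonce      []byte // AES-GCM nonce, unique per envelope
	Ciphertext []byte // AES-GCM ciphertext of the secret with the authentication tag appended
}

// NewServiceKey generates the key pair the service keeps in its own security context
// (on Windows this would live in a key container accessible only to NetworkService).
func NewServiceKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SealForService is what the EXE runs: it needs only the service's public key.
func SealForService(pub *rsa.PublicKey, secret []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, secret, nil)
	// Wrap the one-time AES key so that only the private-key holder can recover it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// OpenAsService is what the service runs. A wrong private key fails at the OAEP
// unwrap; a modified ciphertext fails the GCM tag check. Both return an error
// rather than garbage plaintext.
func OpenAsService(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("envelope was not sealed for this service's key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("envelope failed integrity check")
	}
	return plaintext, nil
}

func main() {
	svc, _ := NewServiceKey()
	other, _ := NewServiceKey() // stands in for any other account's key
	env, _ := SealForService(&svc.PublicKey, []byte("constructed sample secret"))
	got, err := OpenAsService(svc, env)
	fmt.Printf("service: %q, err=%v\n", got, err)
	_, err = OpenAsService(other, env)
	fmt.Printf("other account: err=%v\n", err)
}
```

Once the service has the plaintext in its own process it can re-protect it with CryptProtectData under the NetworkService account, which is exactly the per-user DPAPI scope the question could not reach from the EXE; the private key itself is the one item that must be stored with an ACL restricted to the service account.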
