How to avoid hard-coded passwords?
Posted on 2001-07-22
Hi Security gurus!
I need to develop a project with the following rules:
1) An encrypted file must be sent to a PC, and can only be decrypted on that PC.
2) Although the decryption process is started by another user, there must be NO passwords entered by humans (please, don't ask me why ;-))
- My project is to generate RSA key pairs for each PC in the network, based on the HD serial number or network card;
- The encryption software is going to generate an encryption key and encrypt the file with Blowfish;
- The software is going to encrypt the Blowfish key using the RSA public key of the destination machine;
- The encrypted Blowfish key will be sent in a separate ASCII file together with the encrypted file, as a certificate.
Now the problem: to decrypt the file I will take the HD serial number and get the machine's private key. I know this private key must be stored protected with a strong passphrase, but how? My first thought was a strong hard-coded password, but that would prevent me from letting the source code be audited, as good security software must be.
What is your serious opinion about hard-coded passwords?
Is there any reasonable way to avoid them?
Many thanks in advance,
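
The envelope scheme laid out in the question, as an added Go example that is not part of the original post: a fresh session key encrypts the file and is wrapped with the destination machine's RSA public key, then written out as ASCII. Assumptions: AES-256-GCM stands in for Blowfish (which is not in Go's standard library), key pairs come from the OS random source rather than from hardware serial numbers, and the names `NewMachineKey`, `Seal` and `Open` are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// NewMachineKey generates one PC's key pair (assumption: random, not derived from hardware IDs).
func NewMachineKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// aead builds AES-256-GCM, swapped in here for the post's Blowfish; key must be 32 bytes.
func aead(key []byte) cipher.AEAD {
	b, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(b)
	return g
}

// Seal returns the ASCII key file (RSA-OAEP-wrapped session key) and the encrypted file.
func Seal(pub *rsa.PublicKey, data []byte) (string, []byte, error) {
	buf := make([]byte, 32+12) // fresh session key, then a GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return "", nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil)
	enc := aead(buf[:32]).Seal(buf[32:], buf[32:], data, nil) // nonce || ciphertext || tag
	return base64.StdEncoding.EncodeToString(wrapped), enc, err
}

// Open unwraps the session key with this PC's private key, then decrypts and authenticates.
func Open(priv *rsa.PrivateKey, keyFile string, enc []byte) ([]byte, error) {
	wrapped, derr := base64.StdEncoding.DecodeString(keyFile)
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if derr != nil || err != nil || len(key) != 32 || len(enc) < 12 {
		return nil, fmt.Errorf("cannot unwrap session key: wrong machine or damaged files")
	}
	return aead(key).Open(nil, enc[:12], enc[12:], nil)
}

func main() {
	priv, _ := NewMachineKey()
	keyFile, enc, _ := Seal(&priv.PublicKey, []byte("constructed sample file"))
	pt, err := Open(priv, keyFile, enc)
	fmt.Printf("%q %v\n", pt, err)
}
```

The private key returned by `NewMachineKey` is the only secret in this flow; the block does not cover how it is stored on disk, which is the open question of the post.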