Have been reviewing some symmetric cryptography approaches I've seen a lot of examples that hard code a private static variable in a class, usually something along the lines of:

string key = "THISISYOURENCRYPTIONKEY!"

and then somewhere further down, the code uses it for encrypting/decrypting.

Putting aside the correct implementation/algorithm/strategy as well as where to store it, I have one simple question. What should the value of my key be? I.e. how do I generate it? Most of the examples I see either use some random sentence they just made up, or use a .net class that generates a byte array with a cryptographically secure random number generator that returns byte[]. What do I do with it byte[]? I would assume it shouldn't be a byte array but an actual string that I can save somewhere (and probably not at the top of my class).

Could someone clear up some of the basics for me?

Thanks!

for symmetric encryption algorithms most often need a binary array as a key. It raises the following questions:

• how to get the binary data for the key?

The key should be random. If it is not random, it is easier to figure out by others. Unfortunately, it is not that trivial to generate random numbers by a computer. Simple random generation algorithms are cyclic, whit a quite short cycle, so it is easy find the segment used for key. Sometimes they try to get some input from the real world as a parameter to generate the random, like the time (predictable, not safe) some data from the hard drive, data from network, have the user to type something, etc. These are more or less predictable things. It is also possible to buy devices designed for this purpose, these have a strong algorithm with a very well stored seed value, or they have some kind of particle detector because these particles hit the device randomly. The point is, the key must be unpredictable if it is possible.

• do you need to store the key?

in case of symmetric encryption, the same key is used for encryption and decryption. So if the data is to be decrypted, then the key must be used at least for a second time - so it must be retained somehow. Retaining a key is dangerous, because others might get it. Saving a key to the hard drive? It works for very simple systems, but very easy to find the key. Windows provides key storage providers, and many implementations are available. Simple implementations store the key on the harddrive, but it is encrypted with another key - but of course the key is stored on hardrive otherwise windows wouldn't be able to decrypt the keys for you. It is possible to set up the system in a way that it gets the "main" key during boot, so an administrator must type it, then the key is stored in memory - but the administrator has to remember the "main key", maybe it is written down to a paper in his walet :) You also can buy devices designed to store keys, these have very sophisticated mechanisms to store the keys safely, using chips designed to do exacly this. These devices usually can do the encryption/decryption, so the key does't have to leave the device - only when it must shared, which is inevitable in case of symmetric algorithms. So it is a large topic, one can spend a fortune to protect the keys, others are just happy using Windows key stores.

People cannot remember 32 byte hexa arrays, this is one of the reason why key derivation algorithms invented. These get an input text and generate pseudo random data from that. Of course, this data is not as secure as a true random key. You can use rfc2898derivebytes in .net.

• do you need to use the key many times?

It depends on you use case, but best to avoid using a key many times. Communications protocols agree on a new symmetric key during the handshake and change the key after a while even they are still connected. This is because using the key for long time means that the key is present longer time (means more time to steal it) and produces more data which is a good input to analyze it and try to figure out the key. Also, if you encrypt everything with a single key, it is enough to get a single key to steal all the data. If there are more keys, only part of the data is danger if a key becomes known. One time pad encryption is the only encryption which cannot be decrypted based on statistical analysis. In that algorithm, every bit of the key is used only once.