Ninjanoel

Reputation: 2914

What information can be found in every C# application to be used as a unique salt for encryption?

What information can be found in every C# application that can be used as a unique salt for encryption, including for web applications, Windows services and WCF layers?

I would like to create a library that allows easy encryption of sensitive data stored in configuration files, using the (DPAPI) System.Security.Cryptography.ProtectedData.Protect() and System.Security.Cryptography.ProtectedData.Unprotect() methods.

The library will also be used by a separate application I'm making that can encrypt and decrypt config values outside of the applications that are using the values, allowing updates to config files without recompiling everything or needing access to the original source, although access to the source should always be available.

The salt must be simple enough to enter manually in the separate application (for instance, a GUID would be difficult to identify).

System.Reflection.Assembly.GetEntryAssembly() appears promising: if that is the assembly of the application/service invoking this library I'm making, I could use something in there. First thoughts were "make the salt the config file name the encrypted data is being stored in...", but for websites the config file is always 'web.config'.

Any other thoughts welcome.

Updates...

'GetExecutingAssembly()'... how does that differ from 'GetEntryAssembly()'?

Upvotes: 7

Views: 347

Answers (2)

Ninjanoel

Reputation: 2914

System.Reflection.Assembly.GetEntryAssembly().GetName().Name...

appears to be the name of the exe or DLL, or more precisely, VS2010 uses the Assembly name as the name for the exe. I'll need to investigate how this works with websites and services.

If my external application that encrypts and decrypts the config values (encrypting app) can also 'peek' at a requested assembly's 'name' (the program using the encrypted config), then any applications using the encrypting library just use the library without providing salt, and the library can work out the assembly name for itself (of who is calling it) and use that as salt. If a dll or exe gets renamed I have a mechanism to retrieve the assembly name value, built into the encrypting app.

P.S. I'd prefer not to mark my own answer as 'accepted', so refine my suggestion and put it into your own answer and I'll promise to mark one of those as 'accepted' if I get any good ones.

Upvotes: 0
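The idea in the answer above, as an added example that is not code from the original posts: the assembly name is passed to DPAPI as `optionalEntropy`, with an explicit override because `Assembly.GetEntryAssembly()` can return null when the managed code is loaded by an unmanaged host (ASP.NET under IIS is one such case). `ConfigProtector`, the `appName` parameter, the sample values and the choice of `DataProtectionScope.LocalMachine` are assumptions made for this sketch.

```csharp
using System;
using System.Reflection;
using System.Security.Cryptography; // .NET Framework: reference System.Security.dll
using System.Text;

// Hypothetical helper; not a framework type and not the poster's library.
public static class ConfigProtector
{
    // Entropy = the host application's assembly name, or an explicit name
    // supplied by the caller (e.g. the external encrypting tool).
    private static byte[] Entropy(string appName)
    {
        if (string.IsNullOrEmpty(appName))
        {
            Assembly entry = Assembly.GetEntryAssembly(); // may be null
            if (entry == null)
                throw new InvalidOperationException(
                    "No entry assembly; pass the application name explicitly.");
            appName = entry.GetName().Name;
        }
        return Encoding.UTF8.GetBytes(appName);
    }

    public static string Protect(string plainText, string appName = null)
    {
        // Assumption: LocalMachine scope, so the service account and the
        // separate tool (running as another user) can both decrypt.
        byte[] cipher = ProtectedData.Protect(Encoding.UTF8.GetBytes(plainText),
            Entropy(appName), DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(cipher);
    }

    public static string Unprotect(string base64Cipher, string appName = null)
    {
        // Throws CryptographicException if the entropy or the machine differs.
        byte[] plain = ProtectedData.Unprotect(Convert.FromBase64String(base64Cipher),
            Entropy(appName), DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(plain);
    }

    public static void Main()
    {
        // Constructed sample value and application name.
        string stored = Protect("Server=db;Password=constructed-sample", "MyService");
        Console.WriteLine(Unprotect(stored, "MyService"));
        try { Unprotect(stored, "OtherApp"); }
        catch (CryptographicException) { Console.WriteLine("wrong entropy rejected"); }
    }
}
```

An assembly name is not secret, so with `LocalMachine` scope the entropy only keeps one application's ciphertext from being decrypted under another application's name by accident; any process on the machine that knows the name can still call `Unprotect`.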

LukeHennerley

Reputation: 6444

Every application/assembly has a version number; this could be an option.

System.Reflection.Assembly.GetExecutingAssembly().GetName().Version.ToString();

Upvotes: 1
