Solved

Protecting Passwords from .NET Decompilation

Posted on 2004-08-04
4
241 Views
Last Modified: 2010-04-17
I have sensitive information that I want my program to be able to encrypt and store in a file and then decrypt the file and use the information.  However, all encryption algorithms require some kind of password or key themselves.  How can I store this key so that it will be safe from decompilation?  I don't know if my obfuscator actually encrypts strings (I use the free Apose.Obfuscator).  Could I store this key as a resource some way?

Essentially, here is my problem:

string sensitiveData;
EncryptAndStore(sensitiveData, "This is my encryption key");

How can I safely store my encryption key?  If it is hard coded, it can be viewed after decompilation and that is unacceptable.  The user cannot have access to this key.
0
Comment
Question by:thedude112286
  • 2
4 Comments
 
LVL 55

Expert Comment

by:Jaime Olivares
ID: 11722773
Choose an encryption algoritm who generates a legible crypted data, let say: DKJFH487FHRF
Create a new little project and implement your algorithm
Make your little app to ask you for a string, encodes it and shows you (similar to string above)
Insert this string in your main project
Use the decrypt function to retrieve the string

string sensitiveData = Decrypt("DKJFH487FHRF");

0
 
LVL 22

Accepted Solution

by:
cookre earned 500 total points
ID: 11723431
If run-time input is acceptable, jaime's way is best.

If that's not possible, I'll frequently build the secret phrase at run-time from a series of calculations.  That means there are no plain text strings for hex editors to see.  Granted, someone with the skills to reverse-engineer the executable would eventually crack it, but that's always the case with built-in security and no run-time input.

For example:
// This ghastly chunk of code was done this way to keep the
// compiler from optimizing us down to identifiable stuff
// to a hex editor.
for (idx=0; idx<9; idx++)
    {
    switch (idx)
           {
           case 0: u[idx]=(idx+1)*59 + (idx+1)*38; break;
           case 1: u[idx]=(idx+0)*85 + (idx+0)*16; break;
           case 2: u[idx]=(idx-1)*92 + (idx-1)*28; break;
           case 3: u[idx]=(idx-2)*36 + (idx-2)*74; break;
           case 4: u[idx]=(idx-3)*43 + (idx-3)*72; break;
           case 5: u[idx]=(idx-4)*14 + (idx-4)*98; break;
           case 6: u[idx]=(idx-5)*17 + (idx-5)*94; break;
           case 7: u[idx]=(idx-6)*23 + (idx-6)*92; break;
           case 8: u[idx]=(idx-7)*96 + (idx-7)*20; break;
           }
    }
u[9]='\0';


Another easy way is to use as the decryption key one of the innocuous strings already in the code such as a sign-on or error message.
0
 
LVL 55

Expert Comment

by:Jaime Olivares
ID: 11723449
Let me clarify, I am proposing the author to develop a little application to generate keys, with a cypher algorithm, not related with the main application. The generated key will be inserted in the main project's code at compile-time.

The decypher algorithm must be inserted in the main application, and will decipher string at run-time, so, if you analize the exe file with an hex editor, your won't find a legible string.

This way you can generate keys for all your projects, reusing the cyphering tool.
0
 
LVL 5

Expert Comment

by:Didier Vally
ID: 11726324
You could code the key in a C/C++ application and access this application from .NET
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Whether you've completed a degree in computer sciences or you're a self-taught programmer, writing your first lines of code in the real world is always a challenge. Here are some of the most common pitfalls for new programmers.
Computer science students often experience many of the same frustrations when going through their engineering courses. This article presents seven tips I found useful when completing a bachelors and masters degree in computing which I believe may he…
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

943 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

4 Experts available now in Live!

Get 1:1 Help Now