Protecting Passwords from .NET Decompilation

Posted on 2004-08-04
Last Modified: 2010-04-17
I have sensitive information that I want my program to be able to encrypt and store in a file and then decrypt the file and use the information.  However, all encryption algorithms require some kind of password or key themselves.  How can I store this key so that it will be safe from decompilation?  I don't know if my obfuscator actually encrypts strings (I use the free Apose.Obfuscator).  Could I store this key as a resource some way?

Essentially, here is my problem:

string sensitiveData;
EncryptAndStore(sensitiveData, "This is my encryption key");

How can I safely store my encryption key? If it is hard-coded, it can be viewed after decompilation, and that is unacceptable. The user cannot have access to this key.
Question by: thedude112286

Expert Comment by: Jaime Olivares
Choose an encryption algorithm that generates legible encrypted data, let's say: DKJFH487FHRF
Create a new little project and implement your algorithm
Make your little app ask you for a string, encode it and show you the result (similar to the string above)
Insert this string in your main project
Use the decrypt function to retrieve the string

string sensitiveData = Decrypt("DKJFH487FHRF");

Accepted Solution by: cookre (earned 500 total points)
If run-time input is acceptable, Jaime's way is best.

If that's not possible, I'll frequently build the secret phrase at run-time from a series of calculations.  That means there are no plain text strings for hex editors to see.  Granted, someone with the skills to reverse-engineer the executable would eventually crack it, but that's always the case with built-in security and no run-time input.

For example:
// This ghastly chunk of code was done this way to keep the
// compiler from optimizing us down to identifiable stuff
// to a hex editor.
char u[10];   // nine computed key characters plus the terminating NUL
int idx;
for (idx=0; idx<9; idx++)
    {
    switch (idx)
           {
           case 0: u[idx]=(idx+1)*59 + (idx+1)*38; break;
           case 1: u[idx]=(idx+0)*85 + (idx+0)*16; break;
           case 2: u[idx]=(idx-1)*92 + (idx-1)*28; break;
           case 3: u[idx]=(idx-2)*36 + (idx-2)*74; break;
           case 4: u[idx]=(idx-3)*43 + (idx-3)*72; break;
           case 5: u[idx]=(idx-4)*14 + (idx-4)*98; break;
           case 6: u[idx]=(idx-5)*17 + (idx-5)*94; break;
           case 7: u[idx]=(idx-6)*23 + (idx-6)*92; break;
           case 8: u[idx]=(idx-7)*96 + (idx-7)*20; break;
           }
    }
u[9]='\0';   // u now holds the secret phrase, assembled only at run-time


Another easy way is to use as the decryption key one of the innocuous strings already in the code such as a sign-on or error message.
 
LVL 55

Expert Comment

by:Jaime Olivares
Comment Utility
Let me clarify: I am proposing that the author develop a little application to generate keys, with a cipher algorithm, not related to the main application. The generated key will be inserted in the main project's code at compile time.

The decipher algorithm must be inserted in the main application, and will decipher the string at run time, so if you analyze the exe file with a hex editor, you won't find a legible string.

This way you can generate keys for all your projects, reusing the ciphering tool.
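As an added example (not code from this thread), here is Jaime's two-step scheme combined with cookre's run-time-computed key in C: the generator tool encodes the key and prints an initializer to paste into the main program, which decodes it with the same function. The key-stream formula, the function names and the hex-editor leak check are constructed for this example; the scheme is obfuscation only, and as cookre notes anyone able to run the decoder can still recover the key.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Run-time-computed key stream (constructed formula, cookre's idea): no key literal. */
static uint8_t keystream_byte(size_t i)
{
    return (uint8_t)((i + 1) * 59 + (i + 7) * 38 + i * i * 13);
}

/* Symmetric XOR: Jaime's separate generator tool encodes with it and the
 * main program decodes with the very same function. */
static void xor_transform(const uint8_t *in, size_t n, uint8_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ keystream_byte(i);
}

/* Generator output: a C initializer to paste in place of the key literal. */
static void print_initializer(const uint8_t *enc, size_t n)
{
    printf("static const uint8_t ENC_KEY[%zu] = {", n);
    for (size_t i = 0; i < n; i++)
        printf("%s0x%02x", i ? ", " : " ", enc[i]);
    puts(" };");
}

/* Hex-editor check: 1 if 3+ consecutive secret bytes survive unchanged
 * (a key-stream byte of 0 would leave that plaintext byte visible). */
static int leaks_plaintext(const uint8_t *enc, const char *secret, size_t n)
{
    size_t run = 0;
    for (size_t i = 0; i < n; i++) {
        run = (enc[i] == (uint8_t)secret[i]) ? run + 1 : 0;
        if (run >= 3) return 1;
    }
    return 0;
}

/* Build-time encode, then run-time decode; 1 if the key round-trips cleanly. */
static int roundtrip_ok(const char *secret)
{
    size_t n = strlen(secret);
    uint8_t enc[128], dec[128];
    if (n > sizeof enc) return 0;
    xor_transform((const uint8_t *)secret, n, enc);  /* generator tool step */
    print_initializer(enc, n);
    xor_transform(enc, n, dec);                       /* main program step */
    return memcmp(dec, secret, n) == 0 && !leaks_plaintext(enc, secret, n);
}
```

Calling roundtrip_ok("This is my encryption key") prints the initializer the generator would hand you and returns 1; only that byte array and the decoder belong in the shipped program.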
 
LVL 5

Expert Comment

by:Didier Vally
Comment Utility
You could code the key in a C/C++ application and access this application from .NET