Solved

Protecting Passwords from .NET Decompilation

Posted on 2004-08-04
4
244 Views
Last Modified: 2010-04-17
I have sensitive information that I want my program to be able to encrypt and store in a file and then decrypt the file and use the information.  However, all encryption algorithms require some kind of password or key themselves.  How can I store this key so that it will be safe from decompilation?  I don't know if my obfuscator actually encrypts strings (I use the free Apose.Obfuscator).  Could I store this key as a resource some way?

Essentially, here is my problem:

string sensitiveData;
EncryptAndStore(sensitiveData, "This is my encryption key");

How can I safely store my encryption key?  If it is hard coded, it can be viewed after decompilation and that is unacceptable.  The user cannot have access to this key.
0
Comment
Question by:thedude112286
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 55

Expert Comment

by:Jaime Olivares
ID: 11722773
Choose an encryption algoritm who generates a legible crypted data, let say: DKJFH487FHRF
Create a new little project and implement your algorithm
Make your little app to ask you for a string, encodes it and shows you (similar to string above)
Insert this string in your main project
Use the decrypt function to retrieve the string

string sensitiveData = Decrypt("DKJFH487FHRF");

0
 
LVL 22

Accepted Solution

by:
cookre earned 500 total points
ID: 11723431
If run-time input is acceptable, jaime's way is best.

If that's not possible, I'll frequently build the secret phrase at run-time from a series of calculations.  That means there are no plain text strings for hex editors to see.  Granted, someone with the skills to reverse-engineer the executable would eventually crack it, but that's always the case with built-in security and no run-time input.

For example:
// This ghastly chunk of code was done this way to keep the
// compiler from optimizing us down to identifiable stuff
// to a hex editor.
for (idx=0; idx<9; idx++)
    {
    switch (idx)
           {
           case 0: u[idx]=(idx+1)*59 + (idx+1)*38; break;
           case 1: u[idx]=(idx+0)*85 + (idx+0)*16; break;
           case 2: u[idx]=(idx-1)*92 + (idx-1)*28; break;
           case 3: u[idx]=(idx-2)*36 + (idx-2)*74; break;
           case 4: u[idx]=(idx-3)*43 + (idx-3)*72; break;
           case 5: u[idx]=(idx-4)*14 + (idx-4)*98; break;
           case 6: u[idx]=(idx-5)*17 + (idx-5)*94; break;
           case 7: u[idx]=(idx-6)*23 + (idx-6)*92; break;
           case 8: u[idx]=(idx-7)*96 + (idx-7)*20; break;
           }
    }
u[9]='\0';


Another easy way is to use as the decryption key one of the innocuous strings already in the code such as a sign-on or error message.
0
 
LVL 55

Expert Comment

by:Jaime Olivares
ID: 11723449
Let me clarify, I am proposing the author to develop a little application to generate keys, with a cypher algorithm, not related with the main application. The generated key will be inserted in the main project's code at compile-time.

The decypher algorithm must be inserted in the main application, and will decipher string at run-time, so, if you analize the exe file with an hex editor, your won't find a legible string.

This way you can generate keys for all your projects, reusing the cyphering tool.
0
 
LVL 5

Expert Comment

by:Didier Vally
ID: 11726324
You could code the key in a C/C++ application and access this application from .NET
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A short article about problems I had with the new location API and permissions in Marshmallow
In this post we will learn different types of Android Layout and some basics of an Android App.
Viewers will learn how to properly install Eclipse with the necessary JDK, and will take a look at an introductory Java program. Download Eclipse installation zip file: Extract files from zip file: Download and install JDK 8: Open Eclipse and …
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question