• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 251
  • Last Modified:

Protecting Passwords from .NET Decompilation

I have sensitive information that I want my program to be able to encrypt and store in a file and then decrypt the file and use the information.  However, all encryption algorithms require some kind of password or key themselves.  How can I store this key so that it will be safe from decompilation?  I don't know if my obfuscator actually encrypts strings (I use the free Apose.Obfuscator).  Could I store this key as a resource some way?

Essentially, here is my problem:

string sensitiveData;
EncryptAndStore(sensitiveData, "This is my encryption key");

How can I safely store my encryption key?  If it is hard coded, it can be viewed after decompilation and that is unacceptable.  The user cannot have access to this key.
  • 2
1 Solution
Jaime OlivaresSoftware ArchitectCommented:
Choose an encryption algoritm who generates a legible crypted data, let say: DKJFH487FHRF
Create a new little project and implement your algorithm
Make your little app to ask you for a string, encodes it and shows you (similar to string above)
Insert this string in your main project
Use the decrypt function to retrieve the string

string sensitiveData = Decrypt("DKJFH487FHRF");

If run-time input is acceptable, jaime's way is best.

If that's not possible, I'll frequently build the secret phrase at run-time from a series of calculations.  That means there are no plain text strings for hex editors to see.  Granted, someone with the skills to reverse-engineer the executable would eventually crack it, but that's always the case with built-in security and no run-time input.

For example:
// This ghastly chunk of code was done this way to keep the
// compiler from optimizing us down to identifiable stuff
// to a hex editor.
for (idx=0; idx<9; idx++)
    switch (idx)
           case 0: u[idx]=(idx+1)*59 + (idx+1)*38; break;
           case 1: u[idx]=(idx+0)*85 + (idx+0)*16; break;
           case 2: u[idx]=(idx-1)*92 + (idx-1)*28; break;
           case 3: u[idx]=(idx-2)*36 + (idx-2)*74; break;
           case 4: u[idx]=(idx-3)*43 + (idx-3)*72; break;
           case 5: u[idx]=(idx-4)*14 + (idx-4)*98; break;
           case 6: u[idx]=(idx-5)*17 + (idx-5)*94; break;
           case 7: u[idx]=(idx-6)*23 + (idx-6)*92; break;
           case 8: u[idx]=(idx-7)*96 + (idx-7)*20; break;

Another easy way is to use as the decryption key one of the innocuous strings already in the code such as a sign-on or error message.
Jaime OlivaresSoftware ArchitectCommented:
Let me clarify, I am proposing the author to develop a little application to generate keys, with a cypher algorithm, not related with the main application. The generated key will be inserted in the main project's code at compile-time.

The decypher algorithm must be inserted in the main application, and will decipher string at run-time, so, if you analize the exe file with an hex editor, your won't find a legible string.

This way you can generate keys for all your projects, reusing the cyphering tool.
Didier VallySystems Engineer and Finance AnalystCommented:
You could code the key in a C/C++ application and access this application from .NET
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now