Solved

Protecting Passwords from .NET Decompilation

Posted on 2004-08-04
4
243 Views
Last Modified: 2010-04-17
I have sensitive information that I want my program to be able to encrypt and store in a file and then decrypt the file and use the information.  However, all encryption algorithms require some kind of password or key themselves.  How can I store this key so that it will be safe from decompilation?  I don't know if my obfuscator actually encrypts strings (I use the free Apose.Obfuscator).  Could I store this key as a resource some way?

Essentially, here is my problem:

string sensitiveData;
EncryptAndStore(sensitiveData, "This is my encryption key");

How can I safely store my encryption key?  If it is hard coded, it can be viewed after decompilation and that is unacceptable.  The user cannot have access to this key.
0
Comment
Question by:thedude112286
  • 2
4 Comments
 
LVL 55

Expert Comment

by:Jaime Olivares
ID: 11722773
Choose an encryption algoritm who generates a legible crypted data, let say: DKJFH487FHRF
Create a new little project and implement your algorithm
Make your little app to ask you for a string, encodes it and shows you (similar to string above)
Insert this string in your main project
Use the decrypt function to retrieve the string

string sensitiveData = Decrypt("DKJFH487FHRF");

0
 
LVL 22

Accepted Solution

by:
cookre earned 500 total points
ID: 11723431
If run-time input is acceptable, jaime's way is best.

If that's not possible, I'll frequently build the secret phrase at run-time from a series of calculations.  That means there are no plain text strings for hex editors to see.  Granted, someone with the skills to reverse-engineer the executable would eventually crack it, but that's always the case with built-in security and no run-time input.

For example:
// This ghastly chunk of code was done this way to keep the
// compiler from optimizing us down to identifiable stuff
// to a hex editor.
for (idx=0; idx<9; idx++)
    {
    switch (idx)
           {
           case 0: u[idx]=(idx+1)*59 + (idx+1)*38; break;
           case 1: u[idx]=(idx+0)*85 + (idx+0)*16; break;
           case 2: u[idx]=(idx-1)*92 + (idx-1)*28; break;
           case 3: u[idx]=(idx-2)*36 + (idx-2)*74; break;
           case 4: u[idx]=(idx-3)*43 + (idx-3)*72; break;
           case 5: u[idx]=(idx-4)*14 + (idx-4)*98; break;
           case 6: u[idx]=(idx-5)*17 + (idx-5)*94; break;
           case 7: u[idx]=(idx-6)*23 + (idx-6)*92; break;
           case 8: u[idx]=(idx-7)*96 + (idx-7)*20; break;
           }
    }
u[9]='\0';


Another easy way is to use as the decryption key one of the innocuous strings already in the code such as a sign-on or error message.
0
 
LVL 55

Expert Comment

by:Jaime Olivares
ID: 11723449
Let me clarify, I am proposing the author to develop a little application to generate keys, with a cypher algorithm, not related with the main application. The generated key will be inserted in the main project's code at compile-time.

The decypher algorithm must be inserted in the main application, and will decipher string at run-time, so, if you analize the exe file with an hex editor, your won't find a legible string.

This way you can generate keys for all your projects, reusing the cyphering tool.
0
 
LVL 5

Expert Comment

by:Didier Vally
ID: 11726324
You could code the key in a C/C++ application and access this application from .NET
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A short article about a problem I had getting the GPS LocationListener working.
This is an explanation of a simple data model to help parse a JSON feed
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question