• Status: Solved
  • Priority: Medium
  • Security: Public

Secure Encryption / Stop reverse engineering of DLL

I am developing a system which incorporates encryption when storing passwords.

I am fully aware of the ILDASM application that can be used to open up compiled executables and DLL files to see the assembly code, which makes any routine I write to encrypt/decrypt passwords pretty useless, as someone trying to steal passwords could just open up my DLL and work out the key that is used to encrypt (it doesn't matter where I keep this key, it can always be seen), and write their own .net app using my DLL to decrypt the passwords!

My question is, is there a way to stop this from happening? Or can anyone suggest a more secure method of doing it?
Asked by: DjDezmond
 
askb Commented:
The process by which you can stop this reverse engineering is obfuscation. It's a technique which will foil the decompilers. There are many third parties (XenoCode, Demeanor for .NET) which provide .NET obfuscation solutions. Microsoft includes one, Dotfuscator Community Edition, with Visual Studio .NET.
 
Mike Tomlinson (Middle School Assistant Teacher) Commented:
Ask the USER for a password to use...that way it must be entered every time and it won't be stored in your DLL.
 
askb Commented:
Even if you are going to ask the user for a password, we would need to validate this password which is obfuscated within your DLL.

Just obfuscation will not suffice and protect the DLL.

Alternatively, the better solution would be for the DLL to authenticate to a key server. This is still not 100% foolproof.

 
Mike Tomlinson (Middle School Assistant Teacher) Commented:
The author said:

"...someone trying to steal passwords could just open up my DLL and work out the key that is used to encrypt (it doesn't matter where I keep this key, it can always be seen)"

So he needs a KEY to encrypt some values with. I'm saying that you never even store the key within the DLL. Instead you ask the user EVERY time what key to use. Then you encrypt the values with the user-supplied key. When you go to decrypt, if the user provides the wrong key then it will fail. Only the correct user-supplied key would decrypt properly (not throw an exception).

Basically you ask the user for a "master password" that never gets stored.
 
CSecurity Commented:
Try some commercial products like:
http://www.9rays.net/Category/55-spicesnet-obfuscator.aspx
http://www.remotesoft.com/salamander/obfuscator.html

I have dealt with obfuscated/encrypted files using those applications, they are really hard to reverse engineer....

You can't stop real reversers at all; even the most secure cryptographic obfuscators and encryptors like ExeCrypt and Themida are reversible. But you can stop most reversers, except the expert ones, with the 2 programs I listed.
 
DooDah Commented:
Here's the one I use, {smartassembly} from Red Gate Software
http://www.smartassembly.com/product/index.aspx

{smartassembly} will obfuscate and protect your .NET code, optimize your .NET assemblies for better deployment, minimize distribution size, increase performance & add powerful error-tracking and debugging capabilities to your valued application.

Key Benefits
 Protects your .NET Software, your Intellectual Property, and your business.
 Helps you build a bullet-proof Application.
 Simplifies and improves the deployment of your Application.
 Improves your Application's global performance.
 Saves Countless hours of diagnostic and debugging.
 Helps you improve the quality of your software.

Product Editions - http://www.smartassembly.com/product/editions.aspx
 {smartassembly} is available in 3 editions:

 The Standard edition is perfect for a small and simple project.
 The Professional edition, thanks to its advanced debugging capabilities, enables you to improve and protect larger and more complex projects.
 The Enterprise edition, thanks to its specific customization capabilities, enables you to improve and protect your enterprise projects.

 
DjDezmond (Author) Commented:
Thanks for your posts guys. I was not online over Xmas and New Year to read them sooner.

Some interesting information here.

IdleMind:
  The "master password" idea (although a good one) would not really help me in this situation as I am trying to build a server application that authenticates user logins to a website. But a good idea nonetheless.