Secure Encryption / Stop reverse engineering of DLL

I am developing a system which incorporates encryption when storing passwords.

I am fully aware of the ILDASM application that can be used to open up compiled executables and DLL files to see the assembly code, which makes any routine I write to encrypt/decrypt passwords pretty useless, as someone trying to steal passwords could just open up my DLL and work out the key that is used to encrypt (it doesn't matter where I keep this key, it can always be seen), and write their own .net app using my DLL to decrypt the passwords!

My question is, is there a way to stop this from happening? Or can anyone suggest a more secure method of doing it?
The process by which you can stop this reverse engineering is using obfuscation. It's a technique which will foil the decompilers. There are many third parties (XenoCode, Demeanor for .NET) which provide .NET obfuscation solutions. Microsoft includes one, Dotfuscator Community Edition, with Visual Studio .NET.
Mike Tomlinson (Middle School Assistant Teacher) Commented:
Ask the USER for a password to use...that way it must be entered every time and it won't be stored in your DLL.
Even if you are going to ask the user for a password, we would need to validate this password, which is obfuscated within your DLL.

Just obfuscation will not suffice and protect the DLL.

Alternately, the better solution would be for the DLL to authenticate to a key server. This is still not cent percent foolproof.
Mike Tomlinson (Middle School Assistant Teacher) Commented:
The author said:

"...someone trying to steal passwords could just open up my DLL and work out the key that is used to encrypt (it doesn't matter where I keep this key, it can always be seen)"

So he needs a KEY to encrypt some values with. I'm saying that you never even store the key within the DLL. Instead you ask the user EVERY time what key to use. Then you encrypt the values with the user-supplied key. When you go to decrypt, if the user provides the wrong key then it will fail. Only the correct user-supplied key would decrypt properly (not throw an exception).

Basically you ask the user for a "master password" that never gets stored.
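
The master-password scheme described in the comment above, as an added example that is not part of the original thread and not the commenter's code. It assumes .NET 8 or later; the use of PBKDF2 and AES-GCM (chosen so that a wrong master password fails reliably on the authentication tag), the class name `MasterPasswordVault`, the iteration count and the sample strings are all assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class MasterPasswordVault
{
    const int SaltSize = 16, NonceSize = 12, TagSize = 16, KeySize = 32;
    const int TagAt = SaltSize + NonceSize, DataAt = TagAt + TagSize;
    const int Iterations = 600_000; // assumed PBKDF2 work factor; tune for your hardware
    // The key is derived from what the user types; it is never stored or compiled in.
    static byte[] DeriveKey(string masterPassword, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(masterPassword, salt, Iterations, HashAlgorithmName.SHA256, KeySize);

    // Blob layout: salt || nonce || tag || ciphertext. None of these fields is secret.
    public static byte[] Encrypt(string masterPassword, string secret)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        byte[] blob = new byte[DataAt + plain.Length];
        salt.CopyTo(blob, 0);
        nonce.CopyTo(blob, SaltSize);
        using var aes = new AesGcm(DeriveKey(masterPassword, salt), TagSize);
        aes.Encrypt(nonce, plain, blob.AsSpan(DataAt), blob.AsSpan(TagAt, TagSize));
        return blob;
    }

    // Returns false when the master password is wrong or the blob was modified.
    public static bool TryDecrypt(string masterPassword, byte[] blob, out string secret)
    {
        secret = "";
        if (blob.Length < DataAt) return false;
        byte[] plain = new byte[blob.Length - DataAt];
        try
        {
            using var aes = new AesGcm(DeriveKey(masterPassword, blob[..SaltSize]), TagSize);
            aes.Decrypt(blob.AsSpan(SaltSize, NonceSize), blob.AsSpan(DataAt), blob.AsSpan(TagAt, TagSize), plain);
        }
        catch (CryptographicException) { return false; } // authentication tag did not verify
        secret = Encoding.UTF8.GetString(plain);
        return true;
    }

    static void Main()
    {
        byte[] blob = Encrypt("correct horse battery staple", "db-password-123"); // constructed sample values
        Console.WriteLine(TryDecrypt("correct horse battery staple", blob, out var secret) ? secret : "failed");
        Console.WriteLine(TryDecrypt("wrong guess", blob, out _) ? "decrypted" : "failed");
    }
}
```

Disassembling this class reveals the algorithm and the blob layout but no key, because the key exists only in memory after the user types the master password.
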
Try some commercial products like:

I have dealt with obfuscated/encrypted files using those applications; they are really hard to reverse engineer...

You can't stop real reversers at all; even the most secure cryptographic obfuscators and encryptors like ExeCrypt and Themida are reversible. But you can stop most reversers, except expert ones, with the 2 programs I listed.

Here's the one I use, {smartassembly} from Red Gate Software

{smartassembly} will obfuscate and protect your .NET code, optimize your .NET assemblies for better deployment, minimize distribution size, increase performance & add powerful error-tracking and debugging capabilities to your valued application.

Key Benefits
 Protects your .NET Software, your Intellectual Property, and your business.
 Helps you build a bullet-proof Application.
 Simplifies and improves the deployment of your Application.
 Improves your Application's global performance.
 Saves countless hours of diagnostics and debugging.
 Helps you improve the quality of your software.

Product Editions -
 {smartassembly} is available in 3 editions:

 The Standard edition is perfect for a small and simple project.
 The Professional edition, thanks to its advanced debugging capabilities, enables you to improve and protect larger and more complex projects.
 The Enterprise edition, thanks to its specific customization capabilities, enables you to improve and protect your enterprise projects.

DjDezmond (Author) Commented:
Thanks for your posts guys. I was not online over Xmas and New Year to read them sooner.

Some interesting information here.

The "master password" idea (although a good one) would not really help me in this situation as I am trying to build a server application that authenticates user logins to a website. But a good idea nonetheless.