Link to home
Start Free TrialLog in
Avatar of Ingo Foerster
Ingo Foerster

asked on

Xor Decrypting and encrypting

I need to hide a plain text AES key in my code, For this I think about to use a XOR decrypting or encrypting. Any ide how to do this? Or better, another idea to hide the key?
The key is a char[15]
Avatar of Dave Baldwin
Dave Baldwin
Flag of United States of America image

The problem with using XOR is that it can generate characters that are not 'acceptable' in strings.
Honestly - don't even bother. That will raise the difficulty to obtain that key for approx. 5 mins.

It has to be present in memory in its unscrambled readable for for the call to your AES decryprion or encryption function, and therefore is accessible that very moment to anyone who knows how to handle a debugger. 'Hiding' it therefore probably won't be worth the effort you're putting into that. But anyway, one simple way you might want to consider would be to 'hide' it in a large area of random hexadecimal text data, e.g.  like

char* pBlob = "4612D19AE6AF523F397D65301F51E060A1537C05162382BC0F937DDF7DC0BD5EB5D0281[...]806BDCE64F3518C7CD76C5999B421136C25E1FD15A";
int offset = 32; // or any arbitrary value
// place your key at offset 32 and read the 16 bytes from there:
char AESKey[17];
strncpy(AESKey,pBlob + offset, 16);
AESKey[16] = '\0'; // add NULL terminator if necessary

Open in new window


That will at least make it impossible to extract it with utilities like 'strings', i.e. without actually debugging your program.
Avatar of Ingo Foerster
Ingo Foerster

ASKER

I know finaly the key is inside the memory, that the general disadvantage of all encryption.
But the offset mehtod is really basic, a little string attack with an offset is also done in a few seconds.
So the final question is still open.
Then scatter it in that blob. Place each of the 16 bytes in such a field and use a index table, e.g.

char* pBlob = "4612D19AE6AF523F397D65301F51E060A1537C05162382BC0F937DDF7DC0BD5EB5D0281[...]806BDCE64F3518C7CD76C5999B421136C25E1FD15A";
int index_table[] = { 25, 16, 137, ... , 42};
char AESKey[17];
for (int i = 0; i < 16) AESKey[i] = pBlob[i];
AESKey[16] = '\0'; // add NULL terminator if necessary
                                            

Open in new window


You could regard the index table to be your 'encryption key'.
ASKER CERTIFIED SOLUTION
Avatar of jkr
jkr
Flag of Germany image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
XORing is not encryption - it is obfuscation and, as jkr has already pointed out, it'll take anyone with even a little knowledge about 10 seconds to crack! There is absolutely no safe way of distributing a private key with the binary. I'll say that again - there is absolutely NO SAFE WAY of distributing a private key with the binary. You could encrypt it, but then you'd need to key to decrypt the key. You are back to square one.

The way this is normally done is to generate the key on the destination machine once the binary is installed. It is normally done using some form of entropy such as capturing mouse movements or something equally random. Of course, this isn't always going to solve your problem as this method only covers use cases where you don't need to know the key up front.

For us to give you a better idea of the safest way to do what you are trying to do you need to expand on your use case. If you want more information as to why just obfucating the key is dangerous and pointless do a quick search of EE. I and other experts have answered this exact question many times!

In all cases the answer is the same... if you need to go so far as to use real encryption you absolutely must not distribute the key. If you aren't that worried if the key is compromised and/or are prepared to take the risk of it being exposed why bother with full encryption, you might as well just use a form of obfuscation (there are plenty of good algorithms for doing that too) and make your life a whole lot simpler.
>> I know finaly the key is inside the memory, that the general disadvantage of all encryption.

Actually, no!

Generally, you should be using an asymmetric-key encryption when keys need distribution; you only ever distribute the public key. It doesn't matter if that can be seen because it can only be used to "lock", it can't be used to "unlock".

If you are distributing the private key (or just *the* key in the case of AES) and it is compromised, then you have just given the burglar the keys to (unlock) your house! The [private] key should NEVER be distributed.

AES is a symmetric-key encryption algorithm. Maybe it's an asymmetric-key you need to be using?

http://en.wikipedia.org/wiki/Asymmetric_key
I am absolutely with evilrix here, especially when it comes to asymmetric keys. Not sure why exactly you need an AES stream cipher (well, you will have good reasons), but if I have the choice, I'll go for public/private key pairs, RSA FTW - if applicable ;o)