Jump to content
  • Advertisement
Sign in to follow this  
Eric_B

[.net] It is possible to hide encryption keys in .Net cheaply?

This topic is 5392 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

Advertisement
Obfuscator won't hide encryption keys. It might delay obtaining them, but otherwise...

Share this post


Link to post
Share on other sites
well at least it will be better than directly reading them from files with notepad. But obfuscator is not an option for me, all are sooooooo expensive.

Share this post


Link to post
Share on other sites
Guest Anonymous Poster
Quote:
Original post by joanusdmentia
If you have VS.NET 2003 it comes with Dotfuscator Community Edition. Look in the 'Tools' menu.


It doesn't encrypt the strings

Share this post


Link to post
Share on other sites
Guest Anonymous Poster
This depends on what your trying to foil. If you just need to prevent people reading your encryption key with notepad than you can always store the key in an altered form. I'm going to assume that this program is run on a computer your "attacker" has full access to (otherwise i think this problem becomes trivial, there should be no threat if your program is held and executed securely). You are always however going to run up against one basic problem that no amount of fancy coding will protect you from. In the end, the program needs to have in its usable memory, your unobscured encryption key. Even if you hold an obscured version in memory and adapt you algorithm to use that, all you've done is complicate the algorithm and sustitute one key for another (And if you always manipulate your key in a particular way before you use it, then that will probably get picked up if someone goes to work on your algorithm). In the end your user will have to have the key on their computer, amd if they want it enough, you can't stop them without incorporating a computer they can't control into the process. Having said this, a decently complicated process will in practice stop people unless they have a good enough reason to want the key.

Share this post


Link to post
Share on other sites
You mean like encrypt your encryption key so you can embed it in your assembly? But then that key will have to be in your assembly too. So you could encrypt that one, but then that key will have to be in your assembly too. So you could encrypt that one, but ...

So lets just forget about that being secure

To just obsfuscate your sting use a simple bit shift like rot or some such. try:


//UNTESTED may require casting etc..

public static string Hider(string input, int shift, int cap){
char[] inc = input.ToCharArray();
char[] outc = new char[inc.Length];
for(int i - 0; i< inc.Length; i++){
outc = (inc + shift) % cap;
}
return new String(outc);
}

string hidden = Hider("somekey",13,255);
string unhidden = Hider(hidden,-13,255);



Any character by character modification that you can reverse will work, but you may have to manually run it on your strings and then paste them in your code to get the constants in your assembly hidden.

Home something here helps you.

Share this post


Link to post
Share on other sites
The best place to store a key is in the local certificate store or in the memory of the PC. That's the place to store a key safely. Not in a file!

The real problem however, is sending it to the server.

That's where public/private keys prove their use. Put a public key in/with the assembly and let it contact a server. The client creates/generates runtime a symetric key and encrypts it with the public key. The server then uses the private key to decrypt the symmetric key and there you are! The trick is then to generate new symetric key as often as you need or want to because these key can be hacked in the end.

This way you don't need to hide anything!

Cheers

Share this post


Link to post
Share on other sites
Sign in to follow this  

  • Advertisement
×

Important Information

By using GameDev.net, you agree to our community Guidelines, Terms of Use, and Privacy Policy.

GameDev.net is your game development community. Create an account for your GameDev Portfolio and participate in the largest developer community in the games industry.

Sign me up!