[.net] Is it possible to hide encryption keys in .Net cheaply?
Is it possible to hide encryption keys in .Net code without spending a fortune on an obfuscator?
Well, at least it will be better than directly reading them from files with notepad. But an obfuscator is not an option for me, all are sooooooo expensive.
If you have VS.NET 2003 it comes with Dotfuscator Community Edition. Look in the 'Tools' menu.
Quote:Original post by joanusdmentia
If you have VS.NET 2003 it comes with Dotfuscator Community Edition. Look in the 'Tools' menu.
It doesn't encrypt the strings
This depends on what you're trying to foil. If you just need to prevent people reading your encryption key with notepad then you can always store the key in an altered form. I'm going to assume that this program is run on a computer your "attacker" has full access to (otherwise I think this problem becomes trivial; there should be no threat if your program is held and executed securely). You are, however, always going to run up against one basic problem that no amount of fancy coding will protect you from. In the end, the program needs to have your unobscured encryption key in its usable memory. Even if you hold an obscured version in memory and adapt your algorithm to use that, all you've done is complicate the algorithm and substitute one key for another (and if you always manipulate your key in a particular way before you use it, then that will probably get picked up if someone goes to work on your algorithm). In the end your user will have to have the key on their computer, and if they want it enough, you can't stop them without incorporating a computer they can't control into the process. Having said this, a decently complicated process will in practice stop people unless they have a good enough reason to want the key.
You mean like encrypt your encryption key so you can embed it in your assembly? But then that key will have to be in your assembly too. So you could encrypt that one, but then that key will have to be in your assembly too. So you could encrypt that one, but ...
So let's just forget about that being secure.
To just obfuscate your string use a simple bit shift like rot or some such. Try:

    // UNTESTED, may require casting etc.
    public static string Hider(string input, int shift, int cap)
    {
        char[] inc = input.ToCharArray();
        char[] outc = new char[inc.Length];
        for (int i = 0; i < inc.Length; i++)
        {
            // Shift each character and wrap into 0..cap-1; the extra "+ cap" keeps
            // the result non-negative when shift is negative (C# % can return < 0).
            outc[i] = (char)((((inc[i] + shift) % cap) + cap) % cap);
        }
        return new string(outc);
    }

    // Run once by hand, then paste the hidden form into your code as the constant.
    string hidden = Hider("somekey", 13, 255);
    // Reverse the shift at runtime to recover the original string.
    string unhidden = Hider(hidden, -13, 255);

Any character by character modification that you can reverse will work, but you may have to manually run it on your strings and then paste them in your code to get the constants in your assembly hidden.
Hope something here helps you.
The best place to store a key is in the local certificate store or in the memory of the PC. That's the place to store a key safely. Not in a file!
The real problem however, is sending it to the server.
That's where public/private keys prove their use. Put a public key in/with the assembly and let it contact a server. The client generates a symmetric key at runtime and encrypts it with the public key. The server then uses the private key to decrypt the symmetric key and there you are! The trick is then to generate a new symmetric key as often as you need or want to, because these keys can be hacked in the end.
This way you don't need to hide anything!
Cheers
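
The exchange described in the post above, as an added example that is not part of the original thread. It assumes .NET 8 or later; RSA-OAEP-SHA256 for wrapping the key and AES-GCM for the message are choices made here, and the names `SessionKeyDemo`, `ClientSend` and `ServerReceive` are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SessionKeyDemo
{
    // Client: holds only the server's public key (safe to ship in the assembly).
    static (byte[] Wrapped, byte[] Nonce, byte[] Tag, byte[] Cipher) ClientSend(byte[] serverPublicKey, string message)
    {
        using RSA rsa = RSA.Create();
        rsa.ImportSubjectPublicKeyInfo(serverPublicKey, out _);

        byte[] sessionKey = RandomNumberGenerator.GetBytes(32); // fresh AES-256 key, generated at runtime
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] plain = Encoding.UTF8.GetBytes(message);
        byte[] cipher = new byte[plain.Length];
        byte[] tag = new byte[16];
        using (var aes = new AesGcm(sessionKey, tag.Length))
            aes.Encrypt(nonce, plain, cipher, tag);

        // Only the holder of the private key can recover the session key.
        byte[] wrapped = rsa.Encrypt(sessionKey, RSAEncryptionPadding.OaepSHA256);
        CryptographicOperations.ZeroMemory(sessionKey);
        return (wrapped, nonce, tag, cipher);
    }

    // Server: unwraps the session key with its private key, then decrypts.
    static string ServerReceive(RSA serverPrivate, byte[] wrapped, byte[] nonce, byte[] tag, byte[] cipher)
    {
        byte[] sessionKey = serverPrivate.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256);
        byte[] plain = new byte[cipher.Length];
        using (var aes = new AesGcm(sessionKey, tag.Length))
            aes.Decrypt(nonce, cipher, tag, plain); // throws if the data was tampered with
        CryptographicOperations.ZeroMemory(sessionKey);
        return Encoding.UTF8.GetString(plain);
    }

    static void Main()
    {
        // Constructed for the demo: in a deployment the key pair is created once on
        // the server, and only the exported public key is distributed to clients.
        using RSA server = RSA.Create(3072);
        byte[] publicKey = server.ExportSubjectPublicKeyInfo();

        var msg = ClientSend(publicKey, "constructed sample message");
        Console.WriteLine(ServerReceive(server, msg.Wrapped, msg.Nonce, msg.Tag, msg.Cipher));
    }
}
```

Nothing secret is embedded in the client here: the public key can be read out of the assembly without exposing any session key, and each call to `ClientSend` uses a new one.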
This topic is closed to new replies.