How Can I Hide String Key

  dataminers wrote:

    My DLL file contains a private key value. I use this key for encryption. How can I hide this key? If someone uses Reflector or another tool, it shows my code. I think obfuscation or post-build does not guarantee hiding my key value. I use a strong key, but it can be removed using a Reflector plug-in. I added the DLL to the GAC, but it is easy to steal (Start --> Run ---> C:\windows\assembly\gac_msil). Do you have any ideas? Best regards...

    realJSOP wrote (#4):

    A decent obfuscation tool (NOT the one that comes with Visual Studio) will encrypt strings so reflector doesn't show anything useful.

    "Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997
    -----
    "...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001

      dataminers wrote (#5):

      Which one is better: Dotfuscator Professional (PreEmptive) or Salamander .NET obfuscator (Remotesoft)? And what do you think about post-build? Do you use Xenocode Postbuild? Best regards...

      musefan wrote:

        Hmmm, not quite sure, but I have just thought of something (maybe a little crazy, but hey). What about writing a small hardcoded algorithm that rearranges the key before using it for decryption/encryption? That way the stored 'key string' cannot be directly used by anybody else, unless of course they can get hold of your hardcoded algorithm. But that is harder than just getting the string, is it not? Instead of your own algorithm, maybe you could just use a hash value of the original key. What do you think?

        Life goes very fast. Tomorrow, today is already yesterday.

        dataminers wrote (#6):

        Dear Musefan, first of all, thanks for your care. I have an algorithm like Blowfish. I have already hardcoded this algorithm. But most importantly, this algorithm needs a key. This unique key is the most important part of this algorithm, and it has to be hidden. Thanks...

        0x3c0 wrote:

          One thing Reflector doesn't show (AFAIK) is class-level fields. Since Reflector treats a const like a field, just put your key in a class-level static const. It can still be retrieved using custom-tailored reflection code, but it should deter casual hackers. I've done this in a private application, which uses a 256-length byte array to encrypt passwords; I couldn't retrieve the value using Reflector

          dataminers wrote (#7):

          Which program did you use for this? How can I put my key in a class-level static const? Dotfuscator Community Edition does not convert variables. Best regards...

            0x3c0 wrote (#8):

            I didn't. However, on further analysis it turns out that the value is set from the static constructor of the class. Although it puts off casual crackers, it will not dissuade those who are determined to get the value. By class-level static const, I mean something like this:

            internal class Program
            {
                // A C# const is implicitly static; writing "static const" is a compile error.
                internal const string mySecretPassword = "Lorem";
            }

            However, it cannot compensate for a good obfuscation system and cannot stand on its own

            modified on Wednesday, March 11, 2009 12:42 PM

              Lost User wrote (#9):

              You're planning to combine relatively insecure ways to hide a key with a very strong encryption algorithm? That strikes me as odd - it's a bit like having 10 locks on your door but putting the key under the doormat.

                Curtis Schlak wrote (#10):

                I second this comment!

                "we must lose precision to make significant statements about complex systems." -deKorvin on uncertainty

                  Mark Churchill wrote (#11):

                  Good call. If you were using crypto appropriately, then you wouldn't need to hide the key that the user is going to use. Alice can't send a secret message to Bob and then have Bob read it sometimes, but not other times. Maths doesn't work that way...

                  Mark Churchill Director, Dunn & Churchill Pty Ltd Free Download: Diamond Binding: The simple, powerful, reliable, and effective data layer toolkit for Visual Studio.
                  Entanglar: .Net game engine featuring automatic networking and powerful HLSL gfx binding.

                    dataminers wrote (#12):

                    Your sample does not include a type identifier (for example string), so the compiler gives an error. I tried this:

                    internal class MyClass
                    {
                        internal static readonly string mySecretPassword1 = "MySecretKey";
                        private static readonly string mySecretPassword2 = "MySecretKey";
                        private const string mySecretPassword3 = "MySecretKey";
                        internal const string mySecretPassword4 = "MySecretKey";
                        private static string mySecretPassword5 = "MySecretKey";
                        internal static string mySecretPassword6 = "MySecretKey";
                    }

                    Then I obfuscated it with Dotfuscator Community Edition and Salamander .NET obfuscator, and post-built it with Xenocode Postbuild 2008 for .NET. But I can still see "MySecretKey" when I open the obfuscated DLL with Reflector, in the ".cctor()" function.

                    Note: In C#.NET, const = value assigned at compile time and unchangeable once established; readonly = value assigned at run time and unchangeable once established.

                      dataminers wrote (#13):

                      OK. How can I use the Blowfish, Twofish or AES algorithms in an ASP.NET project? All of them need a private key.

                        Lost User wrote (#14):

                        You can use them, but you should only use them to encrypt a communication channel. Anything else is not "encryptable" - you may try but it still won't be safe, no matter what.

                          dataminers wrote (#15):

                          Could you explain "encrypt a communication channel"? Does it mean a server with an SSL certificate installed and configured?

                            Lost User wrote (#16):

                            Actually it's more like a fundamental theory in crypto. Yes, SSL "works", because it encrypts traffic between two computers, and that's a communication channel. Encrypting a communication channel just means that there are 2 parties involved and they can talk to each other, but anyone else who happens to be listening only receives a garbled mess.

                            Encryption of data only works if the key is guaranteed not to fall into the wrong hands. This guarantee is what makes it impossible, because it means you can't tell the key to anyone, including the program that you want to decrypt the data. This is why passwords don't "work" - they can be stolen (key loggers, fake websites, phishing emails etc). If "the wrong hands" includes the person using the program, obviously the program should not have the key, because no matter what trickery you use the key will at some point be available to the program and thus also to the person operating the computer.

                            So what I hope is that you only want to keep the data a secret from "others" - for example other people on the network (LAN/WAN whatever) who could overhear the communication between your site (it's a site, right?) and a user. SSL does this, but you could use other algorithms as well (if the client allows it; if it's a program you control you could use anything you want). If the algorithm you want to use is not a public key algorithm, you could use something like the Diffie-Hellman exchange to effectively turn it into a public key algorithm.

                            PS: please do not sue me if you find any errors in what I just said :)
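
The Diffie-Hellman approach mentioned in the post above, sketched in C# as an added example (it is not code from any poster in this thread). It shows two parties agreeing on an AES key at run time, so no key string is stored in the assembly for Reflector to find. The names `ChannelDemo` and `DeriveKey` are hypothetical, both parties are simulated in one process, and .NET 8 or later is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: client and server are simulated in one process.
// Assumes .NET 8 or later (AesGcm constructor with an explicit tag size).
internal static class ChannelDemo
{
    // Each side combines its own private key with the peer's PUBLIC key and
    // arrives at the same 32-byte AES key. No key is compiled into the DLL.
    private static byte[] DeriveKey(ECDiffieHellman self, ECDiffieHellmanPublicKey peer)
        => self.DeriveKeyFromHash(peer, HashAlgorithmName.SHA256);

    private static void Main()
    {
        // Fresh key pairs per session; only the public halves are exchanged.
        using ECDiffieHellman client = ECDiffieHellman.Create(ECCurve.NamedCurves.nistP256);
        using ECDiffieHellman server = ECDiffieHellman.Create(ECCurve.NamedCurves.nistP256);

        // Bare Diffie-Hellman does not authenticate the peer. SSL/TLS adds
        // certificates for that; this sketch shows only the key agreement.
        byte[] clientKey = DeriveKey(client, server.PublicKey);
        byte[] serverKey = DeriveKey(server, client.PublicKey);

        // Client side: AES-GCM with a fresh 12-byte nonce for every message.
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] plaintext = Encoding.UTF8.GetBytes("constructed sample message");
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[16];
        using (var gcm = new AesGcm(clientKey, 16))
        {
            gcm.Encrypt(nonce, plaintext, ciphertext, tag);
        }

        // Server side: decrypts with the key it derived independently.
        // Decrypt throws if the ciphertext or tag was modified in transit.
        byte[] recovered = new byte[ciphertext.Length];
        using (var gcm = new AesGcm(serverKey, 16))
        {
            gcm.Decrypt(nonce, ciphertext, tag, recovered);
        }

        Console.WriteLine(CryptographicOperations.FixedTimeEquals(clientKey, serverKey));
        Console.WriteLine(Encoding.UTF8.GetString(recovered));
    }
}
```

As the post says, this keeps the data secret from others listening on the network; the session key is still available to whoever operates either endpoint.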

                              0x3c0 wrote (#17):

                              Whoops; I've added string to the code sample. As I said, all that my method does is hide it from a cursory look. It cannot compensate for a dedicated obfuscation package. I have chosen the const keyword because it simply provides safety in case I ever go past the ballmer peak and change its value; my choice was quite deliberate
