RE: Securing an encryption key within software.



As far as I know, there is no way to securely store a key in a piece of software. You can only "obfuscate" the code to "hide" this key; nevertheless, you can see it at run-time.

More in:
http://en.wikipedia.org/wiki/Obfuscated_code

Bye,
LG.



From: "Davie Elliott" <delliott@xxxxxxxxxxx>
To: <focus-ms@xxxxxxxxxxxxxxxxx>
Subject: Securing an encryption key within software.
Date: Fri, 16 Jun 2006 10:01:31 +0100


Hello everyone,

I have been writing a password storing application in Visual Basic. The
passwords are stored in a database and encrypted with AES 256-bit.
And I have been wondering how I would stop the key from being found, should
the software somehow leave the building and fall into the wrong hands.

Using a simple Hex Editor on the software I can see that any strings that
have been defined ("hard coded") in the software can easily be read. So what
I have done is left the "hard coded" key in the software, but only use it to
encrypt/decrypt the database key that is held in a file, so I have:

"Hard coded" key [ENCRYPT] Database Key -----> Encrypted key (Store in a
plain text file)

When the software loads:

"Hard coded" key [DECRYPT] Encrypted key -----> Database key (Stored in
memory and used to decrypt passwords in the database).

My worry again, is that if the plaintext file and the software managed to
leave the building, the same situation will occur.

So, my question is: How does one securely store an encryption key inside a
program?

I thank you for your input.

Davie Elliott
Network Administrator
Express Link-Up Social Enterprise
Unit 4-6
Lenton Business Centre
Lenton Boulevard
Nottingham
NG7 2BY
t: 0115 9791200
w: www.eluse.co.uk
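
Added example, not part of either message above: the wrapping scheme from the original post in Node.js, next to a variant in which the key-encryption key (KEK) is derived from a passphrase typed at start-up instead of being compiled in. The passphrase variant, all function names and all values are assumptions made for this illustration; the thread itself proposes no alternative.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM wrap/unwrap of one key under a KEK. Blob layout: iv(12) | tag(16) | ciphertext.
function wrap(kek, key) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', kek, iv);
  const ct = Buffer.concat([c.update(key), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unwrap(kek, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', kek, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on a wrong KEK
}

// Scheme from the post: the KEK is a constant inside the program (constructed value).
const HARD_CODED_KEK = Buffer.alloc(32, 0x4b);
function createKeyFileHardCoded(dbKey) {
  return { wrapped: wrap(HARD_CODED_KEK, dbKey) };
}

// Assumed variant: the KEK exists only while the user supplies the passphrase.
function kekFromPassphrase(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32); // Node's default scrypt cost parameters
}
function createKeyFilePassphrase(dbKey, passphrase) {
  const salt = crypto.randomBytes(16); // stored next to the wrapped key; not secret
  return { salt, wrapped: wrap(kekFromPassphrase(passphrase, salt), dbKey) };
}
function openWithPassphrase(keyFile, passphrase) {
  try { return unwrap(kekFromPassphrase(passphrase, keyFile.salt), keyFile.wrapped); }
  catch { return null; }
}

// Audit check: what can be unwrapped from the program and the key file alone?
function recoverFromCopiedFiles(keyFile) {
  try { return unwrap(HARD_CODED_KEK, keyFile.wrapped); }
  catch { return null; }
}

function demo() {
  const dbKey = crypto.randomBytes(32); // constructed database key
  const a = createKeyFileHardCoded(dbKey);
  const b = createKeyFilePassphrase(dbKey, 'constructed passphrase');
  console.log('hard-coded KEK, files only :', recoverFromCopiedFiles(a) !== null);
  console.log('passphrase KEK, files only :', recoverFromCopiedFiles(b) !== null);
  console.log('passphrase KEK, passphrase :', openWithPassphrase(b, 'constructed passphrase') !== null);
}
demo();
```

In both variants the unwrapped database key sits in process memory while the program runs, which is the run-time exposure the reply refers to.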



