Re: Could a hacker achieve this?

From: Framework fan (tempframeworkfan_at_hotmail.com)
Date: 04/12/04


Date: 12 Apr 2004 08:10:03 -0700

Thank you for everyone's input.

"Paul Glavich [MVP - ASP.NET]" <glav@aspalliance.com-NOSPAM> wrote in message news:<#ESq827HEHA.3356@TK2MSFTNGP11.phx.gbl>...
> Stealing the DLL is one task and probably the hardest. As was mentioned in
> another post, it depends on how you have your security configured. If we
> assume a standard .Net app with the DLL in the bin folder, no explicit ACL
> set by yourself, then while it is possible, its not too easy. The more your
> machine is locked down, the harder it is for a hacker to get in and grab
> some code libraries.
>
> Now if we assume that the hacker has gained entry to your machine and can
> get your assemblies, then how hard would it be to have a look at your secret
> code. Well, without obfuscating your code, it would actually be quite easy.
> Obfuscating your code makes it considerably harder, but certainly not
> impossible. John mentioned that hardcoding the secret key is quite common,
> but it is bad practice. Ideally, you should probably extract it from
> somewhere that keeps it in an encrypted form also. Ideal for this situation
> is the DPAPI libraries. Typically, you can decrypt data only on the machine
> it was encrypted on (or only by the user it was encrypted by), with DPAPI
> handling the key storage for you. So if the hacker got your code, it would
> simply be referencing a key on the local machine, which is also encrypted.
> If the hacker then manages to get that encrypted key, they cant decrypt on
> anyother machine, so its useless to them.
>
> So you could either use DPAPI for all your encryption needs or just to
> store/encrypt the encryption key that you will be using. DPAPI is an
> unmanaged set of libraries/functions, but there is a managed wrapper with
> example code to be found here.
> http://weblogs.asp.net/pglavich/archive/2004/03/15/89687.aspx
>
>
> --
> - Paul Glavich
> Microsoft MVP - ASP.NET
>
>
> "WJ" <JWebb@Msn2.Com> wrote in message
> news:OSam773HEHA.3536@TK2MSFTNGP09.phx.gbl...
> >
> > "Framework fan" <tempframeworkfan@hotmail.com> wrote in message
> > news:f109ac80.0404100653.7a9ba1c2@posting.google.com...
> > > Hello.
> > >
> > > If I have this line of code inside my ASP.NET app:
> > >
> > > EncryptTripleDES("String to encrypt", "MySecretKeyXYZ!!!")
> > >
> > > Can a very experienced hacker do either of the following:
> > >
> > > 1. "Steal" the DLL from the server, then reverse engineer the DLL in
> > > order to obtain the hard coded key above.
> > >
> >
> > Depend on how tight your ACL is enforced at your server where the DLL is
> > hosted. I would check this first to make sure only the intended users have
> > access to it. I would offuscate my code if it is that sensitive.
> Hardcoding
> > secret key in an application is a common practice. Just name things
> > different than suggested by some best programming pratices to make life
> > harder for hackers. This means that in some cases, you need to be abnormal
> > in your programming style.
> >
> > > 2. (Much more clever) kind of "listen in to / tap in to" the DLL as
> > > it is actually executing on the server, and then kind of "syphon off"
> > > the data that is flying about the machine's data ports, in order to
> > > "catch / filter off" the secret key.
> > >
> >
> > Chances for this to happen is very slim unless there is an iider help.
> >
> > John
> >
> >