Re: secret key string visible in dll

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 04/28/04


Date: Tue, 27 Apr 2004 22:34:32 -0500

With a tool like Reflector or Anakrino, it would be trivially easy to
decompile your assembly to discover how you are getting the key if it is
hard coded in the assembly. However, if you can protect access to the
assembly, then this may still be safe. It really depends on who will have
access to it.

Storing secrets is a very hard problem.

Joe K.

"Tim Mackey" <anonymous@discussions.microsoft.com> wrote in message
news:7A875CEA-DD4E-4DB8-8397-3D6FC41F06AC@microsoft.com...
> hi,
> i am using 3des encryption with a secret key to send information between 2
> aspnet applications. they both know the key, which is a hard-coded string.
> i have read about using aspnet-setreg to securely store such a value in the
> registry, but i have a different query.
> if i open the dll in notepad, i can read the secret key, which obviously
> is no good. i tried changing the code to use a number as the secret key,
> calling .ToString() on the number. I then recompile and open up the dll in
> notepad and i can't find the number, which seems better. i don't know a
> thing about disassembling .net executables, so i'd like to know if the key
> is safe, hard-coded in the dll, in numeric form?
>
> granted a numeric key has less combinations than a string version, but
> adding more digits will go some of the way to help that.
>
> thanks for any help
> tim mackey.
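
Added example, not part of the original thread: a pre-release check that searches a build artifact for a key you own in the forms a .NET compiler stores literals, UTF-16 text for strings and little-endian binary operands for integers, which is why a text editor shows one and not the other even though both are in the file. The function names, the sample key values and the two byte strings are constructed for illustration and are not real assemblies.

```python
import struct

def secret_encodings(secret):
    """Byte patterns under which a hard-coded literal can sit in compiled code."""
    forms = {
        "utf-8": secret.encode("utf-8"),
        "utf-16le": secret.encode("utf-16-le"),  # .NET string literals
    }
    # A numeric key turned into text with .ToString() is compiled as an
    # integer constant, so also look for its binary form.
    if secret.isascii() and secret.isdigit():
        n = int(secret)
        if n < 2**31:
            forms["int32-le"] = struct.pack("<i", n)  # operand of ldc.i4
        if n < 2**63:
            forms["int64-le"] = struct.pack("<q", n)  # operand of ldc.i8
    return forms

def find_embedded_secret(blob, secret):
    """Return (encoding, offset) for every place the secret occurs in blob."""
    hits = []
    for name, pattern in secret_encodings(secret).items():
        start = blob.find(pattern)
        while start != -1:
            hits.append((name, start))
            start = blob.find(pattern, start + 1)
    return sorted(hits, key=lambda hit: hit[1])

# Constructed sample: a string key as it would appear in a string heap.
STRING_BUILD = b"\x00\x00\x13" + "s3cretKey".encode("utf-16-le") + b"\x00"

# Constructed sample: the IL bytes for "ldc.i4 48151623; stloc.0; ret".
NUMERIC_BUILD = b"\x00\x00\x20" + struct.pack("<i", 48151623) + b"\x0a\x2a"

if __name__ == "__main__":
    for label, blob, key in (("string build", STRING_BUILD, "s3cretKey"),
                             ("numeric build", NUMERIC_BUILD, "48151623")):
        for encoding, offset in find_embedded_secret(blob, key):
            print(f"{label}: key present as {encoding} at offset {offset}")
```

Very short numeric keys produce patterns that also match unrelated bytes, so treat a hit on a small number as a prompt to look, not as proof.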


