Re: Best place to store encryption key
From: Alek Davis (alekDOTdavisATintelDOTcom)
Date: 11/10/03
- Next message: Michael Giagnocavo [MVP]: "Re: Crypto Hash ?"
- Previous message: Robert Gruen [MSFT]: "Re: Help with new dwInfoStatus values.."
- In reply to: Crirus: "Re: Best place to store encryption key"
- Next in thread: Crirus: "Re: Best place to store encryption key"
- Reply: Crirus: "Re: Best place to store encryption key"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 10 Nov 2003 09:10:50 -0800
Crirus,
Using an obfuscator (a good commercial, which unfortunately equates to a
more expensive one) is a good idea, even though obfuscators do not totally
eliminate the risk of reverse engineering. If you haven't done this before,
I would recommend you to try to decompile your assembly using Anakrino just
to see how easy it is to get the application source code. Also, I recommend
you to check out the November issue of MSDN Magazine, which has several
articles you may found interesting:
http://msdn.microsoft.com/msdnmag/issues/03/11/default.aspx. Anyway, back to
your idea: depending on what kind of secrets you are storing on the client,
the value of data protected by these secrets, and the type of client (i.e.
is this an end user or a server application), hiding data in the application
source code (even if you split it into pieces) can be a very bad idea or a
bad idea, which has no better alternatives. Generally, hiding secrets in the
application source code (or anywhere else for that matter) is not
recommended, and I would strongly recommend to consider other options, but
again without knowing particulars of your application and environment, it is
hard to give you legible recommendations.
Alek
"Crirus" <Crirus@datagroup.ro> wrote in message
news:uLeNt9cpDHA.1084@tk2msftngp13.phx.gbl...
> Hehe, I have the same dilema. What I was thinking is this.
> Hardcode it on the client but not in a single variable... you can spread
> each character fo the pass an key on various classes, and reconstruct from
> them when needed... that way, if you use a good obfuscator too, will be
more
> difficult to reassamble.
> I think :D
>
> Send me your solution, thught
>
> Thanks
>
> --
> Ceers,
> Crirus
>
> ------------------------------
> If work were a good thing, the boss would take it all from you
>
> ------------------------------
>
> "Alek Davis" <alekDOTdavisATintelDOTcom> wrote in message
> news:%23riV2nWpDHA.2528@TK2MSFTNGP12.phx.gbl...
> > Suriyanto,
> >
> > After reading the description of your application, I am not sure which
> > problem you are addressing. What is the purpose of encryption? Are you
> > encrypting data to make sure that a hacker does not sniff them during
data
> > transfer. Or are you trying to use a shared encryption key to verify
that
> > the client is an authorized sender of the data. You see, the former is
> more
> > related to cryptography than the latter. In the first case, you should
> > either use SSL, or public-private keys for data exchange. If data values
> are
> > short, you can simply encrypt them on the client using the server's
public
> > key (which the client can retrieve in a separate call). If data values
are
> > long, you can pass a random session key from the server to the client
> > encrypted with the client's public key, or do something similar.
> Basically,
> > you need to implement your version of SSL. Now, if you want to use
> > encryption keys for something else, like verifying that a caller is a
> valid
> > client, who knows the secret key, this is the whole new ball game,
because
> > it is not as much about cryptography and key storage as it is about
> > authorization. How you solve this problem depends on a number of factors
> and
> > it is impossible to give you a reasonable recommendation without
> > understanding details of your application.
> >
> > Alek
> >
> > "Suriyanto Lee" <suriyanto@hotmail.com> wrote in message
> > news:OpQh52KpDHA.2188@TK2MSFTNGP11.phx.gbl...
> > > Thanks for giving me the pointer. I have read the article myself
before
> > > posting to this newsgroup, but it gives you all the alternative and
IMHO
> > > none of them is a solid solution.
> > >
> > > Suriyanto
> > >
> > > "Pascal G." <nospam***lists***@***dreamdevil***com***> wrote in
message
> > > news:eFfiZ0JpDHA.708@TK2MSFTNGP10.phx.gbl...
> > > > Look at this month msdn magazine...
> > > >
> > > > msdn.microsoft.com/msdnmag
> > > >
> > > > and particularly this article
> > > >
> > >
> >
>
http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/default.aspx
> > > >
> > > > Pascal.
> > > >
> > > > "Suriyanto Lee" <suriyanto@hotmail.com> wrote in message
> > > > news:Ov1vxRJpDHA.684@TK2MSFTNGP09.phx.gbl...
> > > > > Hi all,
> > > > >
> > > > > This might sound like a very basic question, but I can't make up
my
> > > mind.
> > > > >
> > > > > I have a case where I need to perform symetric encryption between
> > client
> > > > and
> > > > > server program. The client program need to encrypt certain data to
> be
> > > sent
> > > > > to the server and the server needs to decrypt it to perform
action.
> We
> > > are
> > > > > using Rijndael cryptography, so we need to share a common key
> between
> > > > client
> > > > > and server.
> > > > >
> > > > > The question is, on the client-side, where should we store the
> secret
> > > key?
> > > > I
> > > > > have explore several options: hard-code in program code, registry,
> > LSA,
> > > > > isolated storage. But, every one of them seems to have a hole that
> is
> > > easy
> > > > > enough to crack. What will be my best bet to store this key in
> Windows
> > > > > environment?
> > > > >
> > > > > Thanks in advance,
> > > > > Suriyanto
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
- Next message: Michael Giagnocavo [MVP]: "Re: Crypto Hash ?"
- Previous message: Robert Gruen [MSFT]: "Re: Help with new dwInfoStatus values.."
- In reply to: Crirus: "Re: Best place to store encryption key"
- Next in thread: Crirus: "Re: Best place to store encryption key"
- Reply: Crirus: "Re: Best place to store encryption key"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
