Re: How do I store secrets?
From: Michael Giagnocavo [MVP] (mggUNSPAM_at_atrevido.net)
Date: Tue, 6 Jul 2004 00:43:32 -0400
It's even easier than that :D. No matter how you store the key, the user code
needs to use it and pass it off to the encryption algorithm. Unless you
embed the algorithm completely in your code, it's trivial to intercept the
crypto API call and get the key from that point.
My advice: Redesign the app to not depend on YOUR code signing it. It's a
fundamental design problem.
You could try to move your code to a dedicated, tamper-proof hardware box.
However, all this does is increase the intelligence/time/budget needed to
attack. The Xbox's encrypted ROMs were successfully attacked by a smart guy
from MIT -- and I don't think it took him that long either. And after the
attack is developed, it's easy to repeat it on other client installations,
effectively making your app completely untrusted.
The safest way to rely on this bad design is to not protect anything
worthwhile. If you are using this for: military applications, voting
machines, business, medical records access, or anything to do with money in
amounts larger than $100, forget it. If you're protecting access to your
collection of 4 CDs and 2 DVDs, it might be ok.
"Chris Clark" <ChrisClark@discussions.microsoft.com> wrote in message
> Don't forget that plain text is viewable in the compiled assembly. So even
> after you compile your source, possibly even using obfuscation, a plain
> text password or key or connection string is viewable by opening your dll
> in notepad.
> "Eugene Mayevski [SecureBlackbox]" wrote:
>> Danny van Kasteel wrote:
>> > Don't get me wrong, I'm with you on that. That is why I need to be as
>> > close as possible to knowing that my code signed a piece of data.
>> > The only ways to break the security in the scenario I suggested (i.e.
>> > using an embedded signing key) seem to be: a) compromising the
>> > signing key (by obtaining source code for example); b) replacing the
>> > verification key to allow the attacker's key to be accepted;
>> Why don't you consider extracting the key from your code and using it
>> for signing the results of other code?
>> This is the easiest way to hack the scheme.
>> Maybe I just don't understand your needs, however...
>> Eugene Mayevski
>> EldoS Corp., CTO
>> Networking and security solutions, development and consulting services
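As an added illustration of two points made in this thread (it is not code from any of the posters): Michael's advice to redesign so the client never has to sign anything, and Chris's note that whatever is compiled into the client is readable from the shipped file. The Go below is an assumed, constructed setup: `SharedSecretTag` is the design being warned against (an HMAC key embedded in the client, so any copy of those bytes produces a valid tag); `Server`/`Client` is the redesign, where only the server holds the Ed25519 private key and the client embeds nothing but the public key; and `ArtifactContainsSecret` is a release-time check that scans a build artifact (here a constructed byte slice standing in for a DLL) for private key material so the build fails if the key was accidentally compiled in.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// --- The design the thread warns against: a secret embedded in the client ---

// SharedSecretTag is what a client with an embedded HMAC key produces.
// Whoever holds the same key bytes (for example after reading them out of
// the shipped binary) produces an identical tag, so the server cannot tell
// the genuine client from a copy of it.
func SharedSecretTag(embeddedSecret, data []byte) []byte {
	m := hmac.New(sha256.New, embeddedSecret)
	m.Write(data)
	return m.Sum(nil)
}

// --- The redesign: the private key stays on the server ---

// Server holds the only copy of the signing key.
type Server struct {
	priv ed25519.PrivateKey
}

// NewServer generates a key pair and returns the server plus the public
// key, which is the only key material that may be compiled into clients.
func NewServer() (*Server, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Server{priv: priv}, pub, nil
}

// Sign is the operation the client used to perform with its embedded key.
func (s *Server) Sign(data []byte) []byte {
	return ed25519.Sign(s.priv, data)
}

// Seed returns the private-key seed; exposed here only so the release
// check below can confirm it is absent from the client artifact.
func (s *Server) Seed() []byte {
	return s.priv.Seed()
}

// Client embeds only the public key, so reading the binary yields nothing
// that can produce a valid signature.
type Client struct {
	pub ed25519.PublicKey
}

// Verify checks that data really was signed by the server.
func (c *Client) Verify(data, sig []byte) bool {
	return ed25519.Verify(c.pub, data, sig)
}

// ArtifactContainsSecret is a release-time check: scan the bytes of the
// shipped client artifact for private key material. A true result should
// fail the build, because anything compiled in is readable from the file.
func ArtifactContainsSecret(artifact, secret []byte) bool {
	return bytes.Contains(artifact, secret)
}

func main() {
	srv, pub, err := NewServer()
	if err != nil {
		panic(err)
	}
	client := &Client{pub: pub}

	data := []byte("order=42;amount=100")
	sig := srv.Sign(data)
	fmt.Println("genuine server signature verifies:", client.Verify(data, sig))

	// A party holding only the client (and therefore only the public key)
	// must use its own key pair, and the client rejects that signature.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("signature from another key verifies:", client.Verify(data, ed25519.Sign(otherPriv, data)))

	// Constructed stand-ins for a client build: a correct one embeds only
	// the public key; a mistaken one has the seed compiled in as well.
	goodBuild := append([]byte("client-code..."), pub...)
	badBuild := append(append([]byte("client-code..."), pub...), srv.Seed()...)
	fmt.Println("good build leaks seed:", ArtifactContainsSecret(goodBuild, srv.Seed()))
	fmt.Println("bad build leaks seed:", ArtifactContainsSecret(badBuild, srv.Seed()))
}
```

The split mirrors Michael's point: once the client holds only a public key, extracting everything from the binary still does not let anyone produce data the server would have signed, so the trust decision moves to the side that can actually be protected. The artifact scan is deliberately simple (a substring search over the raw seed); a real pipeline would also check encodings such as base64 and PEM of the same material.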