|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Any Obfuscator can hide the Key & iv?In my program i use the TripleDES class to do the encryption, and i have key( ) and iv( ) in that class for encrypt/decrypt a string. I do not have any full version of obfuscate, and I only use dotfuscator which comes FREE with VS2005. However my problem is that, now using Reflector, I can clearly see my Key & iv, and this is really a big problem for me.... Do you know any good obfuscator that can hide the key & iv? I am willing to purchase it, if it can do the job. Otherwise are there any suggestion? Currently my program need to decrypt a string(serial no.) everytime it load on the client machine. Any help is appreciate, Many thanks. Jon Hi
This will not present the "ultimate" solution - but does make it much harder to retrieve the secret key used for symmetric encryption (3DES). 1) Write a random string like below. 2) Compute the hash (bytearray) of this string 3) Take the ness. bytes from this large bytearray (step 2) 4) Do an array copy to populate the IV and KEY (see below) Now you have your key (m_sysKey) and IV (m_sysVector). They are not known to anybody (incl. yourself!), but is consistently generated at runtime and will produce the same result every time. //value used for creating hashvalue byte[] originalValue = System.Text.Encoding.Unicode.GetBytes("kdksdiekdiealksdjfklasjfdslfkjasl..........<very long string>................fæa"); //create a hash over the key and initialization vector SHA256Managed sha = new SHA256Managed(); m_sysKey = sha.ComputeHash(originalValue); /// <summary> /// Perform encryption /// </summary> public string Encrypt(string data) { //get appropriate key and IV byte[] sysKey = new byte[m_requiredKeyLength]; byte[] sysVector = new byte[m_requiredIVLength]; Array.Copy(m_sysKey, sysKey, m_requiredKeyLength); Array.Copy(m_sysKey, sysVector, m_requiredIVLength); ....stuff... Show quoteHide quote "Jon" wrote: > Hi, > In my program i use the TripleDES class to do the encryption, and i have > key( ) and iv( ) in that class for encrypt/decrypt a string. > > I do not have any full version of obfuscate, and I only use dotfuscator > which comes FREE with VS2005. However my problem is that, now using > Reflector, I can clearly see my Key & iv, and this is really a big problem > for me.... > > Do you know any good obfuscator that can hide the key & iv? I am willing to > purchase it, if it can do the job. > > Otherwise are there any suggestion? > > Currently my program need to decrypt a string(serial no.) everytime it load > on the client machine. > > Any help is appreciate, Many thanks. > Jon Hi Jon,
a good obfuscator confuses the code but *not* the inner methods, property, ect. of the classes of .NET FW (.key, .iv, ect.) ..NET FW is much vulnerable! an aggressor can modify the .NET FW just so as to to make to visualize yours key :-o ....in this way, it turns out superfluous, also the decompilation of the .NET code :'-( best regards, Marcello Cantelmo www.cantelmosoftware.com 
Other interesting topics
CASPOL - StrongName trusts not being applied
TripleDES output size Thread.CurrentPrincipal only set once strong name validation failed problem Trusting a location for Framework 2.x how to use microsoft application blocks ent lib june 2005 XML files and .Net, digital signatures, WebService Security interop assembly requiring full trust Windows File Encryption Re: Encrypting using RSA private Key |
|||||||||||||||||||||||
