Triple DES keys distribution

Hi

I'm developing an application that encrypts some data using the TripleDESCryptoServiceProvider. I'm new in this topic and I don't know what is the best and secure way to distribute the keys used by this algorithm, since if I leave it hardcoded anyone can decompile the assemblies and obtain it. Any suggestion?

Thanks

On May 7, 5:39 pm, mauricio.cad***@gmail.com wrote:
> [...]

Hi,

The problem of key distribution is not the kind of problem that could be implemented or even understood by newbies. This is btw the main reason for PKI, X509, Kerberos, SSL and you name it... any secure communication channel/key distribution protocols. But at the end of the day it always boils down to one simple thing: you always need some secret key for decrypting other keys that are supposed to be securely distributed to you. And hardcoding this secret key is a totally wrong approach! Not only because of decompilers ;). There are much easier ways of finding any secret key that you have in your program for an adversary that has sufficient local access: for example - simply dump process memory and try any sequential memory block of the size of the key. If your program is about 100 MB - this approach will always find your key in a matter of seconds (with the smaller programs it will be even faster). And the key finder program is a trivial automatic thing that doesn't even require any special programming skills ;)

-Valery.

On May 10, 11:07 am, Valery Pryamikov <val***@harper.no> wrote:
> [...]

Btw. If you recall the recent break of HD DVD and Blu-ray keys, it was done by a bit more complicated, but very similar approach (dumping process memory at the right time ;)

-Valery.

On May 10, 5:15 am, Valery Pryamikov <val***@harper.no> wrote:
> [...]

Thanks for your answer, Valery

The last days I learned a lot about encryption solutions, and how important key distribution/storage and management are, and the more secure a solution is, the more complicated its implementation. I'm still a newbie, but taking into account the time, resources, and how sensitive the info my app will manage is, I think I found an appropriate solution combining symmetric/asymmetric encryption, key management tools, and memory protection tricks.

Thanks again

Mau
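Mau's closing post mentions combining symmetric and asymmetric encryption with memory protection but gives no code; the following is an added example (not code from the thread or from either poster) showing the usual shape of that combination with the .NET classes named in the thread: each message gets a fresh random 3DES session key, that key is wrapped under the recipient's RSA public key, and key bytes are cleared as soon as they are no longer needed, so the assembly embeds only a public key and never a secret. The class name HybridTripleDes, the tuple return type and the parameter names are my own choices.

```csharp
using System;
using System.Security.Cryptography;
// Hybrid scheme: a fresh random 3DES session key per message, wrapped with the
// recipient's RSA public key. The assembly only ever contains the public key,
// so there is no long-lived secret to hard-code.
static class HybridTripleDes
{
    public static (byte[] WrappedKey, byte[] Iv, byte[] Ciphertext) Encrypt(byte[] plaintext, RSAParameters recipientPublicKey)
    {
        using (var tdes = new TripleDESCryptoServiceProvider())
        {
            tdes.KeySize = 192;                 // three-key 3DES
            tdes.Mode = CipherMode.CBC;
            tdes.Padding = PaddingMode.PKCS7;
            tdes.GenerateKey();                 // random session key, never stored anywhere
            tdes.GenerateIV();
            byte[] ciphertext;
            using (var enc = tdes.CreateEncryptor())
                ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] wrappedKey;
            using (var rsa = new RSACryptoServiceProvider())
            {
                rsa.ImportParameters(recipientPublicKey);
                wrappedKey = rsa.Encrypt(tdes.Key, fOAEP: true);   // RSA-OAEP key wrap
            }
            byte[] iv = tdes.IV;
            tdes.Clear();                       // zero the provider's copy of the session key
            return (wrappedKey, iv, ciphertext);
        }
    }
    // Only the holder of the RSA private key can unwrap the session key.
    public static byte[] Decrypt(byte[] wrappedKey, byte[] iv, byte[] ciphertext,
                                 RSAParameters recipientPrivateKey)
    {
        byte[] key;
        using (var rsa = new RSACryptoServiceProvider())
        {
            rsa.ImportParameters(recipientPrivateKey);
            key = rsa.Decrypt(wrappedKey, fOAEP: true);
        }
        try
        {
            using (var tdes = new TripleDESCryptoServiceProvider
                   { Key = key, IV = iv, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
            using (var dec = tdes.CreateDecryptor())
                return dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
        }
        finally { Array.Clear(key, 0, key.Length); }   // shorten how long the key sits in process memory
    }
}
```

The RSA private key that unwraps the session keys is still the secret Valery describes and must live outside the assembly, for example in a CSP key container readable only by the decrypting account. 3DES in CBC mode provides no integrity protection on its own, so add a MAC over the ciphertext if tampering matters for the data involved.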