Thread: Good way to store a security key in C#?

  1. #1
    Registered User C_ntua's Avatar
    Join Date
    Jun 2008
    Posts
    1,853

    Good way to store a security key in C#?

    I am trying to find a good enough way to store a security key in a software so even a user wouldn't be able to find it unless they spend a week or more of their time. There were a few attempts using obfuscators and such, but in the end they just make it a day max to find it. Using ILspy you can create a VS project from the exe which makes it easy. To pass the obfuscator that fooled ILspy I used de4dot. I have searched a bit and there are some suggestions to use Windows DAPI but this is only good if you can use a password, which it is not possible since the user again must not know the key. The usage of a server is not feasible as part of the project.

    Any suggestions? I feel that this is not an easy task from C#, where in C++ the native code would be quite harder to read once decompiled but the desire is to stay in C#.

    Another thought was to embed somehow the libraries in the executable. A flaw in the previous attempts is that a DLL was used to call AES function. The decompiled code needed to specify the DLLImport functions with their name. So it was an easy starting point to see which function uses them which of course will have the keys passed to it even if all the rest of the functions had their methods and variable names changed. So a more specific question: is there a way to embed a DLL or library so it is part of the code?

    Following the above thought, an idea was to somehow extend the AES DLL so it can have the keys embedded as well. Then the C# code would call the alternative function without passing the keys. So someone would be required to decompile that DLL. I am not so much an expert on decompiling native code to reverse engineer it so maybe a feedback would be useful before attempting this.

  2. #2
    Registered User cstryx's Avatar
    Join Date
    Jan 2013
    Location
    Canada
    Posts
    123
    In C#, I doubt it. If this is a static key good way would be to use a database.

  3. #3
    Gawking at stupidity
    Join Date
    Jul 2004
    Location
    Oregon, USA
    Posts
    3,218
    There's no good way to store a secret that you need to retrieve anywhere the user has access. As you point out, they'll just be able to decrypt anything you encrypt using the same methodology you use in your program. You can slow them down, but you can't stop them.
    If you understand what you're doing, you're not learning anything.

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Would anyone recommend good network security books?
    By donglee in forum Networking/Device Communication
    Replies: 1
    Last Post: 04-11-2009, 09:11 AM
  2. store data from ifstream and store in link list
    By peter_hii in forum C++ Programming
    Replies: 2
    Last Post: 10-26-2006, 08:50 AM
  3. Good way to load/store lines from file?
    By bennyandthejets in forum C++ Programming
    Replies: 6
    Last Post: 06-22-2004, 01:34 AM
  4. Do you store store one off data arrays in a class?
    By blood.angel in forum C++ Programming
    Replies: 5
    Last Post: 06-24-2002, 12:05 PM
  5. For Good Hackers/Security Experts/Guru's
    By no-one in forum A Brief History of Cprogramming.com
    Replies: 0
    Last Post: 09-26-2001, 04:36 PM