I have been working with encryption. And it seems to me that the IV and Key
are the only things you need to decrypt my data.
I can obfuscate, but my program still needs to 'call' the framework objects
in System.Security.Cryptography. And this call can be searched for. Then
using a program like SoftIce or Heapwalker they can examine the object and
its properties (namely the IV and Key). Having that they can break my
encryption.
Am I missing something?
Even if I slice and dice the key and store it all over the place, it needs
to be assembled before the framework call, right?
Thanks,
Bob
7  1162 
B Maxey wrote: I have been working with encryption. And it seems to me that the IV and Key
are the only things you need to decrypt my data.
I can obfuscate, but my program still needs to 'call' the framework objects
in System.Security.Cryptography. And this call can be searched for. Then
using a program like SoftIce or Heapwalker they can examine the object and
its properties (namely the IV and Key). Having that they can break my
encryption.
Am I missing something?
Even if I slice and dice the key and store it all over the place, it needs
to be assembled before the framework call, right?
Thanks,
Bob
You don't want to store the key any longer than you have to. Ask the
user for the key (by typing it in, reading a file, or whatever), use it
to encrypt/decrypt the data, then quickly erase it from memory.
It would utterly defeat the purpose of symmetric encryption to store the
key somewhere in the file. You might look into assymetric encryption
for that, but then again, I'm not too sure what you are trying to do.
John
Hi Bob,
Welcome to MSDN newsgroup.
As for the question about encryption info in assembly file you mentioned, I
think you're right. The KEY /IV pair is used for the symmetric encryption
algorithm. If both of them are stored in your application's executable file
or assemly only, it is surely possible that some cracker will decrypte your
key info from your assembly or executable. So generally we'll separate the
keyinfo from our encryption program , for example, store in registry key or
database which can be protected by Access control or authentication. In
addition, in some network tranfering scenario, the key/iv pair for
symmetric entryption are all dynamically generated at runtime and will
expire after a certain period ( such as the SSL ).
Thanks,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Steven Cheng[MSFT] wrote: If both of them are stored in your application's executable file
or assemly only, it is surely possible that some cracker will decrypte your
key info from your assembly or executable. So generally we'll separate the
keyinfo from our encryption program , for example, store in registry key or
database which can be protected by Access control or authentication.
I'm not sure what the point of this would be. The program will still
need to read the key, be it from the assembly, registry or database. If
credentials are required without user intervention, those credentials
will still need to be stored somewhere, which defeats the purpose. If
user intervention is required, then why not just ask for the password to
decrypt the key?
If the point of the encryption is to prevent the user of the software
from accessing files distributed with the application, then the original
poster needs to say so and realize the futility of it.
John
I'm trying to think of some way to provide some level of copy protection
without paying $3 per license. My software cost will be more like expensive
shareware and the expensive copy protection is beyond my budget.
I asked becuse I feared the answers you guys are giving me.
So, now I am thinking more of the hashcode approach.
Thanks,
Bob
"John Davison" wrote: Steven Cheng[MSFT] wrote:
If both of them are stored in your application's executable file
or assemly only, it is surely possible that some cracker will decrypte your
key info from your assembly or executable. So generally we'll separate the
keyinfo from our encryption program , for example, store in registry key or
database which can be protected by Access control or authentication.
I'm not sure what the point of this would be. The program will still
need to read the key, be it from the assembly, registry or database. If
credentials are required without user intervention, those credentials
will still need to be stored somewhere, which defeats the purpose. If
user intervention is required, then why not just ask for the password to
decrypt the key?
If the point of the encryption is to prevent the user of the software
from accessing files distributed with the application, then the original
poster needs to say so and realize the futility of it.
John
B Maxey wrote: I'm trying to think of some way to provide some level of copy protection
without paying $3 per license. My software cost will be more like expensive
shareware and the expensive copy protection is beyond my budget.
I asked becuse I feared the answers you guys are giving me.
So, now I am thinking more of the hashcode approach.
Thanks,
Bob
"John Davison" wrote:
Steven Cheng[MSFT] wrote:
If both of them are stored in your application's executable file
or assemly only, it is surely possible that some cracker will decrypte your
key info from your assembly or executable. So generally we'll separate the
keyinfo from our encryption program , for example, store in registry key or
database which can be protected by Access control or authentication.
I'm not sure what the point of this would be. The program will still
need to read the key, be it from the assembly, registry or database. If
credentials are required without user intervention, those credentials
will still need to be stored somewhere, which defeats the purpose. If
user intervention is required, then why not just ask for the password to
decrypt the key?
If the point of the encryption is to prevent the user of the software
from accessing files distributed with the application, then the original
poster needs to say so and realize the futility of it.
John
Bob,
There is no such thing as true copy protection.
John
And I thought the news about Santa Clause was the last traumatic event of my
life!!
"John Davison" wrote: B Maxey wrote: I'm trying to think of some way to provide some level of copy protection
without paying $3 per license. My software cost will be more like expensive
shareware and the expensive copy protection is beyond my budget.
I asked becuse I feared the answers you guys are giving me.
So, now I am thinking more of the hashcode approach.
Thanks,
Bob
"John Davison" wrote:
Steven Cheng[MSFT] wrote:
If both of them are stored in your application's executable file
or assemly only, it is surely possible that some cracker will decrypte your
key info from your assembly or executable. So generally we'll separate the
keyinfo from our encryption program , for example, store in registry key or
database which can be protected by Access control or authentication.
I'm not sure what the point of this would be. The program will still
need to read the key, be it from the assembly, registry or database. If
credentials are required without user intervention, those credentials
will still need to be stored somewhere, which defeats the purpose. If
user intervention is required, then why not just ask for the password to
decrypt the key?
If the point of the encryption is to prevent the user of the software
from accessing files distributed with the application, then the original
poster needs to say so and realize the futility of it.
John
Bob,
There is no such thing as true copy protection.
John
Hi Bob,
Thanks for the followup.
Don't be too worry, since there is actually no 100% secured
system/application, what we need to do is just providing security
protection as much as possible. If anyone keep interesting in your program,
there is no perfect means to prevent them as long as our application is
deployed at clientside. How do you think so?
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.) This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: David |
last post by:
Hope someone can help or have a free control. I am going to be passing
data from a client computer to a server via a winsock control. I want
to encrypt/decript the contents of the string that is...
|
by: Blake T. Garretson |
last post by:
I want to save some sensitive data (passwords, PIN numbers, etc.) to
disk in a secure manner in one of my programs. What is the
easiest/best way to accomplish strong file encryption in Python? ...
|
by: Ray Cassick \(Home\) |
last post by:
Ok, time to ask the question here.. I have been battling over this one for
sometime now and just have to ask it.
I have created a few classes that I use to act a security keys. These
classes get...
|
by: B Maxey |
last post by:
I have been working with encryption. And it seems to me that the IV and Key
are the only things you need to decrypt my data.
I can obfuscate, but my program still needs to 'call' the framework...
|
by: BrianJones |
last post by:
I'm currently writing an encryption program designed to read in a file (and
encrypt it) by splitting it in to 128 byte block segments and encrypting
each segment iteratively. The problem is is that...
|
by: Bonj |
last post by:
I was in need of an encryption algorithm to the following requirements:
1) Must be capable of encrypting strings to a byte array, and decyrpting
back again to the same string
2) Must have the same...
|
by: Anon |
last post by:
I made this class to encrypt my DataSet before saving it
to disk. So, first in the main program I write the
DataSet to XML in a MemoryStream. I pass this stream to
the E_File sub, which encrypts...
|
by: per9000 |
last post by:
Hi all,
I want to create an encryption program and started thinking about not
storing sensitive information in the memory since I guess someone
might steal my computer an scan my memory.
So I...
|
by: John Williams |
last post by:
I've written a simple program to do XOR encryption as my first foray
into understanding how encryption works. The code compiles fine, however
it segmentation faults on every run. using gdb to...
|
by: Faith0G |
last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
|
by: ryjfgjl |
last post by:
In our work, we often need to import Excel data into databases (such as MySQL, SQL Server, Oracle) for data analysis and processing. Usually, we use database tools like Navicat or the Excel import...
|
by: taylorcarr |
last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
| |
