|
My dll file contains private key value. I used this key for encryption. How can I hide this key. If I use Reflector or other tool so show my code. I think obfuscation or post-build not guarantee hide my key value. I use strong key but, it can be remove using with Reflector plug-in. I add dll to GAC but, it easly to steal (Start --> Run ---> C:\windows\assembly\gac_msil).
Do you have any idea?
Best Regards...
|
|
|
|
|
hmmm. not quite sure. but i have just thought of something (maybe a little crazy but hey)
What about writting a small hardcoded algorithm that rearanges the key before using it for decryption/encryption? that way the stored 'key string' cannot be directly used by anybody else. unless of course they can get hold of your hardcoded algorithm. but that is harder than just getting the string, is it not?
instead of your own algorithm, maybe you could just use a hash value of the original key
What you think?
Life goes very fast. Tomorrow, today is already yesterday.
|
|
|
|
|
Dear Musefan;
First of all thanks for care. I have a algorithm like blowfish. I already written hardcoded this algorithm. But most important of this algorithmts need a key. This enuqe key is most important for this algorithm and it will be hide.
Thanks...
|
|
|
|
|
One thing Reflector doesn't show (AFAIK) is class-level fields. Since Reflector treats a const like a field, just put your key in a class-level static const. It can still be retrieved using custom-tailored reflection code, but it should deter casual hackers. I've done this in a private application, which uses a 256-length byte array to encrypt passwords; I couldn't retrieve the value using Reflector
|
|
|
|
|
Which program did you use for ? How can I put my key in a class-level static const.
Dotfuscator Community Edition is not convert variables.
Best Regards...
|
|
|
|
|
I didn't. However, on further analysis it turns out that the value is set from the static constructor of the class. Although it puts off casual crackers, it will not dissuade those who are determined to get the value. By class-level static const, I mean something like this:
internal class Program
{
internal static const string mySecretPassword = "Lorem";
}
However, it cannot compensate for a good obfuscation system and cannot stand on its own
modified on Wednesday, March 11, 2009 12:42 PM
|
|
|
|
|
In your sample not include identifier (for example string), so compiler get error. I try this;
internal class MyClass
{
internal static readonly string mySecretPassword1 = "MySecretKey";
private static readonly string mySecretPassword2 = "MySecretKey";
private const string mySecretPassword3 = "MySecretKey";
internal const string mySecretPassword4 = "MySecretKey";
private static string mySecretPassword5 = "MySecretKey";
internal static string mySecretPassword6 = "MySecretKey";
}
And obfuscation with Dotfuscator Community Edition and Salamander .NET obfuscator. And post build with Xenocode Postbuild 2008 for .NET. But I can see "MySecretKey" when I open obfuscated dll with reflector. In ".cctor()" function.
Note: In C#.NET
const = value assigned at Compile time and unchangeable once established.
readonly = value assigned at run time and unchangeable once established.
|
|
|
|
|
Whoops; I've added string to the code sample. As I said, all that my method does is hide it from a cursory look. It cannot compensate for a dedicated obfuscation package. I have chosen the const keyword because it simply provides safety in case I ever go past the ballmer peak and change its value; my choice was quite deliberate
|
|
|
|
|
A decent obfuscation tool (NOT the one that comes with Visual Studio) will encrypt strings so reflector doesn't show anything useful.
"Why don't you tie a kerosene-soaked rag around your ankles so the ants won't climb up and eat your candy ass..." - Dale Earnhardt, 1997 ----- "...the staggering layers of obscenity in your statement make it a work of art on so many levels." - Jason Jystad, 10/26/2001
|
|
|
|
|
Which one is better;
Dotfuscator Professional (preemptive)
Salamander .NET obfuscator (remotesoft)
And what is your think about post-build? Do you use Xenocode Postbuild?
Best Regards...
|
|
|
|
|
You're planning to combine relatively insecure ways to hide a key with a very strong encryption algorithm? That strikes me as odd - it's a bit like having 10 locks on your door but putting the key under the doormat.
|
|
|
|
|
I second this comment!
"we must lose precision to make significant statements about complex systems."
-deKorvin on uncertainty
|
|
|
|
|
Good call.
If you were using crypto appropriately, then you wouldnt need to hide the key that the user is going to use.
Alice can't send a secret message to Bob and then have Bob read it sometimes, but not other times. Maths doesnt work that way...
|
|
|
|
|
Ok. How can I Blowfish, Twofish or AES algorithims in ASP.NET project. All of them needs private key.
|
|
|
|
|
You can use them, but you should only use them to encrypt a communication channel. Anything else is not "encryptable" - you may try but it still won't be safe, no matter what.
|
|
|
|
|
Could you explain "encrypt a communication channel"? Is it means SSL certificiate installed and configured server?
|
|
|
|
|
Actually it's more like a fundamental theory in crypto.
Yes SSL "works", because it encrypts traffic between two computers, and that's a communication channel.
Encrypting a communication channel just means that there are 2 parties involved and they can talk to each other, but anyone else who happens to be listening only receives a garbled mess.
Encryption of data only works if the key is guaranteed not to fall into the wrong hands. This guarantee is what makes it impossible, because it means you can't tell to key to anyone, including the program that you want to decrypt the data. This is why passwords don't "work" - they can be stolen (key loggers, fake websites, phishing emails etc). If "the wrong hands" includes the person using the program, obviously the program should not have the key, because no matter what trickery you use the key will at some point be available to the program and thus also to the person operating the computer.
So what I hope, is that you only want to keep the data a secret from "others" - for example other people on the network (LAN/WAN whatever) who could overhear the communication between your site (it's a site right?) and a user. SSL does this, but you could use other algorithms as well (if the client allows it, if it's a program you control you could use anything you want). If the algorithm you want to use is not a public key algorithm you could use something like the Diffie-Hellman exchange to effectively turn it into a public key algorithm.
ps: please do not sue me if you find any errors in what I just said
|
|
|
|
|
I am having a little issue that I figured Microsoft would of changed.
So I am trying to do my reports, which I can only figure out how to do with Datasets. I typically do not use datasets and do everything by writing the code when connecting, and retrieving/insertings information into a database.
So anyways, I am storing everything in the applications settings. Before inserting the information I am encrypting the words so you cannot read it in the XML file. One problem I am having though is that you cannot write a connectionstring. It is readonly?!?
So how do I do these reports (Microsoft reports) without using Datasets?
|
|
|
|
|
well,
what visual studio does when storing connection strings is, it only codes the get method of the "connection string" property. this is an auto generated code,you will find it in a file called "Settings.Designer.cs"
you will find a code roughly like this
<br />
[global::System.Configuration.ApplicationScopedSettingAttribute()]<br />
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]<br />
[global::System.Configuration.SpecialSettingAttribute(global::System.Configuration.SpecialSetting.ConnectionString)]<br />
[global::System.Configuration.DefaultSettingValueAttribute("Default Connetction string")]<br />
public string Setting {<br />
get {<br />
return ((string)(this["Setting"]));<br />
}<br />
set<br />
{<br />
this["Setting"] = value;<br />
}<br />
}<br />
delete the default connection string and assign it before trying to fill the dataset
hope it works for you,
|
|
|
|
|
Sweet that looks like exactly what I needed! Thanks!
|
|
|
|
|
how do we make a network in graph topology.
|
|
|
|
|
I have no idea what you are on about. Is this a network related question by any chance. i.e. wrong forum?
Life goes very fast. Tomorrow, today is already yesterday.
|
|
|
|
|
Hi. Until now, I've been working only in C#, but only Web Sites. Now I tried to make something in C# for Applications and I have this problem: when you make Web Sites, you have DropDownList. In the dropdownlist I can assign a value to each member from the list and get it later with
DropDownList1.SelectedItem.Value; With the combobox in applications I don't have the same value option. When I write
comboBox1.SelectedItem I don't have the option to retrieve or to assign a value to the item I'm putting in the list.
I need this option for working with databases, because I fill the combobox from a database, and I want the value of the items to be the ID assigned in the database. I use Visual Studio 2008.
|
|
|
|
|
comboBox1.SelectedValue and you have to use DataSource , DisplayMember and ValueMember .
TVMU^P[[IGIOQHG^JSH`A#@`RFJ\c^JPL>;"[,*/|+&WLEZGc`AFXc!L
%^]*IRXD#@GKCQ`R\^SF_WcHbORY87֦ʻ6ϣN8ȤBcRAV\Z^&SU~%CSWQ@#2
W_AD`EPABIKRDFVS)EVLQK)JKSQXUFYK[M`UKs*$GwU#(QDXBER@CBN%
Rs0~53%eYrd8mt^7Z6]iTF+(EWfJ9zaK-iTV.C\y<pjxsg-b$f4ia>
--------------------------------------------------------
128 bit encrypted signature, crack if you can
|
|
|
|
|
I have a list view with 3 columns and I want to display an image in 3rd column during run time.
I've not find any direct method to do this, Then I approached DrawSubItem event. But I am not able to achieve my requirement as it is continuosly paiting.
I think I need to go for customization. But I am new to C# and I am in need of somebody's help.
Can anyone please help me in getting the solution?
|
|
|
|