On 4/3/07, Girish Jain <[EMAIL PROTECTED]> wrote:
> I need a suggestion from all the experts for a concern of mine. I am working on a Windows Forms app and we need to encrypt certain data and store it in a local file. The key used for encrypting or decrypting certain confidential data (which is finally written to a file) is there in the source code itself. When we deploy our applications the source code can be easily opened up using ildasm or Reflector. It means somebody can comfortably extract the key used for encrypting the strings. How can I prevent this?

The best you can do is obfuscation. When you ngen an assembly, you still need to deploy the original assembly because all the metadata still needs to be available.

However, you're doing this the wrong way. Any time you embed a crypto key in a binary, it is always easy to recover that key. It makes no difference whether your binary is native code or obfuscated.

If you are merely trying to obfuscate the data in the file, then fine. If the data in the file really needs to be protected, then you need to do better. Some ideas would be to use DPAPI (System.Security.Cryptography.ProtectedMemory) user-level encryption or ask the user for a password and derive a key from the password.

--
Steve Johnson

===================================
This list is hosted by DevelopMentor® http://www.develop.com
View archives and manage your subscription(s) at http://discuss.develop.com
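
Added example, not part of the original thread: the reply's second suggestion, deriving the file key from a password the user types so that no key ships in the assembly. The class name, file layout and iteration count are assumptions chosen for illustration, and the code targets .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

static class PasswordProtectedFile
{
    const int Iterations = 600000; // assumed work factor; tune for the target hardware

    // PBKDF2 yields 64 bytes: 32 for the AES-256 key, 32 for the HMAC-SHA256 key.
    static void DeriveKeys(string password, byte[] salt, out byte[] encKey, out byte[] macKey)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        { encKey = kdf.GetBytes(32); macKey = kdf.GetBytes(32); }
    }

    // Output layout (assumed): salt(16) | iv(16) | ciphertext | hmac(32)
    public static byte[] Encrypt(string password, byte[] plaintext)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        DeriveKeys(password, salt, out byte[] encKey, out byte[] macKey);
        using (var aes = Aes.Create())            // CBC with PKCS7 padding by default
        using (var hmac = new HMACSHA256(macKey))
        {
            aes.Key = encKey;                     // aes.IV is a fresh random value
            byte[] ct;
            using (var enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] body = salt.Concat(aes.IV).Concat(ct).ToArray();
            return body.Concat(hmac.ComputeHash(body)).ToArray();
        }
    }

    public static byte[] Decrypt(string password, byte[] file)
    {
        if (file.Length < 80) throw new CryptographicException("File too short.");
        byte[] body = file.Take(file.Length - 32).ToArray();
        DeriveKeys(password, file.Take(16).ToArray(), out byte[] encKey, out byte[] macKey);
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey)) expected = hmac.ComputeHash(body);
        // Check the MAC before decrypting; the loop always compares all 32 bytes.
        int diff = 0;
        for (int i = 0; i < 32; i++) diff |= expected[i] ^ file[body.Length + i];
        if (diff != 0) throw new CryptographicException("Wrong password or modified file.");
        using (var aes = Aes.Create())
        {
            aes.Key = encKey; aes.IV = file.Skip(16).Take(16).ToArray();
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(file, 32, file.Length - 64);
        }
    }
}
```

The salt and IV are stored in the clear beside the ciphertext; the only secret is the password, which exists nowhere in the deployed files.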