Girish,

For your own fun, even Obfuscation, sending the data back and forth to
the server and other tricks can't really do it if the key is part of the
app and used actively in the application. Just try a tool like Hawkeye
(http://www.acorns.com.au/hawkeye) over your running application to see
how much time you need to find the key pair. 1-2 or 5 minutes?

My primary question is: Whom are you trying to protect from? The user,
other users with read access on the same machine or malicious
applications (e.g. malware, spyware)? In the first scenario it's a
no-brainer. There is no true way of protecting.
For all the other scenarios the best protection you could achieve is to
ask the user for a password, then use a one-way algorithm together with
some random key (that you save) to generate the key that you use to
encrypt/decrypt. If the user forgot the pass, then simply bad luck,
there is no way back. Alternatively you could use the registry to keep a
unique key you generated at installation or a key based on a user
password. The registry at least is safe from other users.


Regards,

Corneliu I. Tusnea
Readify | Senior Consultant

M: +61 410 835 593 | C: [EMAIL PROTECTED]
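
The password-derived key described in the message above, as an added example that is not code from the thread or its authors. It assumes .NET 8 or later, PBKDF2-SHA256 as the one-way algorithm and AES-GCM for the file; the class name, iteration count and blob layout are hypothetical.

```csharp
// Added example (assumes .NET 8+); class name, work factor and layout are hypothetical.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class PasswordVault
{
    const int SaltLen = 16, NonceLen = 12, TagLen = 16, KeyLen = 32;
    const int Iterations = 600_000; // assumed work factor; tune for target hardware

    // One-way step: password + saved random salt -> AES key. The key is never stored.
    static byte[] DeriveKey(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, KeyLen);

    // Output layout: salt | nonce | tag | ciphertext. The salt is saved but not secret.
    public static byte[] Encrypt(string password, byte[] plaintext)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltLen);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceLen);
        byte[] tag = new byte[TagLen], ct = new byte[plaintext.Length];
        byte[] key = DeriveKey(password, salt);
        using (var aes = new AesGcm(key, TagLen))
            aes.Encrypt(nonce, plaintext, ct, tag);
        CryptographicOperations.ZeroMemory(key);
        return salt.Concat(nonce).Concat(tag).Concat(ct).ToArray();
    }

    // Returns null on a wrong password or a modified file (the GCM tag check fails).
    public static byte[]? Decrypt(string password, byte[] blob)
    {
        int a = SaltLen, b = a + NonceLen, c = b + TagLen;
        if (blob.Length < c) return null;
        byte[] salt = blob[..a], nonce = blob[a..b], tag = blob[b..c], ct = blob[c..];
        byte[] pt = new byte[ct.Length];
        byte[] key = DeriveKey(password, salt);
        try
        {
            using var aes = new AesGcm(key, TagLen);
            aes.Decrypt(nonce, ct, tag, pt);
            return pt;
        }
        catch (CryptographicException) { return null; }
        finally { CryptographicOperations.ZeroMemory(key); }
    }

    static void Main()
    {
        // Constructed sample password and secret.
        byte[] blob = Encrypt("correct horse", Encoding.UTF8.GetBytes("constructed sample secret"));
        Console.WriteLine($"right: {Decrypt("correct horse", blob) != null}, wrong: {Decrypt("wrong guess", blob) != null}");
    }
}
```

Nothing in the assembly or on disk is enough to decrypt the file without the password, which is why a forgotten password is unrecoverable.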


-----Original Message-----
From: Discussion of advanced .NET topics.
[mailto:[EMAIL PROTECTED] On Behalf Of Dave
Sent: Tuesday, 3 April 2007 11:58 PM
To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
Subject: Re: [ADVANCED-DOTNET] Confidential Data from Source Code

Ahh, hiding the private key......  :-)

Obfuscation is great, but by definition, it does not change the semantics,
it just messes the code around.  Private keys are pure binary data, so they
cannot be changed by a bit without changing their "meaning".  Then you end
up wanting to encrypt the private key, but that's not a perfect solution, as
you still have another private key to hide.

One solution is to obfuscate the code that **generates** the private key
with a well-known logic.  Another one would be to simply create a web
service that decrypts the data (or sends the key), over ssl, asking for a
username-password from your user.

In all cases, you must remember that: The more private keys you publish
around, the less private they become.  No matter the solution you choose you
hide it from the very same client that will ultimately use it...

Good luck!
Dave.
www.omniscient.ca
www.omniscienttrader.com


-----Original Message-----
From: Discussion of advanced .NET topics.
[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Wildermuth (MVP)
Sent: April 3, 2007 6:18 AM
To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
Subject: Re: [ADVANCED-DOTNET] Confidential Data from Source Code

I think you'll have better luck with Obfuscation. I haven't done it before
and I am sure others can suggest their favorites, but Brent Rector is a
super bright guy so I usually recommend Demeanor (http://wiseowl.com) ...
but I don't know the pros and cons.

Thanks,

Shawn Wildermuth
http://adoguy.com
http://wildermuthconsulting.com
Microsoft MVP (C#), MCSD.NET, Author and Speaker


-----Original Message-----
From: Discussion of advanced .NET topics.
[mailto:[EMAIL PROTECTED] On Behalf Of Girish Jain
Sent: Tuesday, April 03, 2007 4:42 AM
To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
Subject: [ADVANCED-DOTNET] Confidential Data from Source Code

Hi All,

I need suggestions from all the experts for a concern of mine. I am working
on a windows forms app and we need to encrypt certain data and store it on a
local file. The key used for encrypting or decrypting certain confidential
data (which is finally written to a file) is there in the source code
itself. When we deploy our applications the source code can be easily opened
up using ildasm or Reflector. It means somebody can comfortably extract out
the key used for encrypting the strings. How can I prevent this?

I had heard of something called native code deployment using ngen.exe which
I have no idea about or its pros and cons. Can someone please suggest
how I should go about implementing this so that after deploying the
application nobody can extract the source code?

Thanks in advance

Cheers,
Girish Jain
===================================
This list is hosted by DevelopMentor®  http://www.develop.com

View archives and manage your subscription(s) at
http://discuss.develop.com