Girish, You still haven't replied to my original question: - From whom are you trying to protect? The user of the app? You want to protect that the user is not decompiling your application, getting that private key out, generating a new key for the application and using that key without your knowledge?
Regards, Corneliu I. Tusnea Readify | Senior Consultant M: +61 410 835 593 | C: [EMAIL PROTECTED] -----Original Message----- From: Discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Girish Jain Sent: Wednesday, 4 April 2007 1:52 AM To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM Subject: Re: [ADVANCED-DOTNET] Confidential Data from Source Code Hi Corneliu, Basically, we are trying to protect our application from piracy. Its a file which would be created at the installation of the application and thereafter would be read on each startup of the application. The file would be created for that particular machine and will have some entries into it (of course encrypted!). The application which creates this file would be **manually** run on the target machine to produce the file. Each installation of the app would be manual. Now, if we have the key to decrypt the file into source code, its easy to break it. Therefore, do you have any better idea for achieving the same? Thanks for taking time out to reply on this one... Cheers, Girish Jain> Date: Wed, 4 Apr 2007 00:18:30 +1000> From: [EMAIL PROTECTED]> Subject: Re: [ADVANCED-DOTNET] Confidential Data from Source Code> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM> > Girish,> > For your own fun, even Obfuscation, sending the data back and forth to> the server and other tricks can't really do it if the key is part of the> app and used actively in the application. Just try a tool like Hawkeye> (http://www.acorns.com.au/hawkeye) over your running application to see> how much time do you need to find the key pair. 1-2 or 5 minutes?> > My primary question is: Whom are you trying to protect from? The user,> other users with read access on the same machine or malicious> application (eg: malware, spyware?). In the first scenario it's a no> brainer. There is no true way of protecting.> For all the other scenarios the best protection you could achieve is to> ask the user for a password, then use a one way algorithm together with> some random key (that you save) to generate a the key that you use to> encrypt/decrypt. If the user forgot the pass, then simply bad luck,> there is no way back. Alternatively you could use the registry to keep a> unique key you generated at installation or a key based on a user> password. The registry at least is safe from other users.> > > Regards,> > Corneliu I. Tusnea> Readify | Senior Consultant> > M: +61 410 835 593 | C: [EMAIL PROTECTED]> > > -----Original Message-----> From: Discussion of advanced .NET topics.> [mailto:[EMAIL PROTECTED] On Behalf Of Dave> Sent: Tuesday, 3 April 2007 11:58 PM> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM> Subject: Re: [ADVANCED-DOTNET] Confidential Data from Source Code> > Ahh, hiding the private key...... :-)> > Obfuscation is great, but by definition, it does not change the> semantics,> it just messes the code around. Private keys are pure binary data, so> they> cannot be changed by a bit without changing their "meaning". Then you> end> up wanting to encrypt the private key, but that's not a perfect> solution, as> you still have another private key to hide.> > One solution is to obfuscate the code that **generates** the private key> with a well-known logic. Another one would be to simply create a web> service that decrypts the data (or sends the key), over ssl, asking for> a> username-password from your user.> > In all cases, you must remember that: The most private keys you publish> around, the less private they become. No matter the solution you choose> you> hide it from the very same client that will ultimately use it...> > Good luck!> Dave.> www.omniscient.ca> www.omniscienttrader.com> > > -----Original Message-----> From: Discussion of advanced .NET topics.> [mailto:[EMAIL PROTECTED] On Behalf Of Shawn> Wildermuth> (MVP)> Sent: April 3, 2007 6:18 AM> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM> Subject: Re: [ADVANCED-DOTNET] Confidential Data from Source Code> > I think you'll have better luck with Obfuscation. I haven't done it> before> and I am sure others can suggestion their favorites, but Brent Rector is> a> super bright guy so I usually recommend Demeanor (http://wiseowl.com)> ...> but I don't know the pros and cons.> > Thanks,> > Shawn Wildermuth> http://adoguy.com> http://wildermuthconsulting.com> Microsoft MVP (C#), MCSD.NET, Author and Speaker> > > -----Original Message-----> From: Discussion of advanced .NET topics.> [mailto:[EMAIL PROTECTED] =================================== This list is hosted by DevelopMentor(r) http://www.develop.com View archives and manage your subscription(s) at http://discuss.develop.com =================================== This list is hosted by DevelopMentorĀ® http://www.develop.com View archives and manage your subscription(s) at http://discuss.develop.com
