A few observations/thoughts in no particular order: If you make it secure by being obscure, all you really do is fool yourself into thinking it is secure and have no way to work out when it has been broken.
If you use one secret for all instances/installs, then they are all broken the moment one is broken. If you generate a key per install via registration which you check later, you will then have the overhead of keeping these safe and secure. there is no way of securing software from reverse engineering by a talented enough hacker who has control of the machine, but you can limit the damage to just that machine with a per install/registration key that uses host computer information to generate it, but then you are into a whole world of privacy pain if it is personally identifiable information. Also if it is a licence key, then it is possible to change the calls that do the checks anyway. Once it is on their machine , it is "0wned" totally by them :) security is about balancing the cost of implementing and maintaining security measures vs. the cost of someone exploiting that which you are trying to protect, which is why there is no straight answer. But there are standard counter measures to the different types of threat. Bottom line: if it has to be 100% secure, don't write it. if it has to be reasonably secure, threat model the app, use standard counter measures, detection and reaction; if it is an ongoing product, continuously review it. That way you can work out what "reasonably" is. The book "security development lifecycle" [1] has some threat model trees and the counter measures to go with them and makes a good staring point. If anything more than security by obfuscation is to expensive, your app will not be secure and didn't need to be anyway, just harder to reverse engineer. and Frans is right, a shared secret is no secret at all (especially if the other person writes it down!) :) HTH James [1] http://www.microsoft.com/mspress/books/8753.aspx =================================== This list is hosted by DevelopMentorĀ® http://www.develop.com View archives and manage your subscription(s) at http://discuss.develop.com
