N. Coesel wrote:
N. Coesel wrote:
At 15:40 17-11-2009 -0700, you wrote:
On Tuesday 17 November 2009 15:33:24 Nico Coesel wrote:
Why is your flash programming routine so large? Only the part that does
the
actual flash programming has to be in ram. This is just a few lines of
code. Perhaps you need to split the function in a part that stays in
flash
and a small part that does the actual programming.
It's a field update for client-confidential code. The final decryption
stage
is done in the programming function.
I would split that function. There is no reason to decrypt from ram.
Agreed.
Actually, it is better to divide security sensitive code in several
functions linked in random order. It makes it more difficult to follow.
The old "security by obscurity" trick, that has /such/ a good reputation?
Any means of security is security by obscurity by definition. All
protections schemes come down to hiding a secret (obscurity). Whether its a
key, a secret algorithm, etc.
The phrase "security by obscurity" is normally taken to mean "security
by hiding the way it works", i.e., trying to hide the code or algorithm.
You'll find plenty of hits on google for that phrase, with very few
in support of it.
Make sure your algorithm is secure enough under the assumption that
/they/ do not have the key, but that /they/ do have the code - these are
fair assumptions for any serious attack. Then protect the key. Any
effort in obfusticating the code or algorithm is at best wasted, and
typically counter-productive as it makes it harder to use well-tested code.
There is no need to try to "protect" your security code in this way.
You can assume that anyone capable enough and determined enough to break
the microcontroller's flash read blocks, dig out your code, and
disassemble it, is capable of following the code through a convoluted
execution path. The only person that suffers, is the poor sod that must
test, debug and maintain the obfusticated code.
You could have several seperate C files for several functions. Hash.c,
decrypt.c, encrypt.c. No problem at all to maintain.
Nico Coesel
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
