Reputation: 662
Obfuscating decryption key stored in source code
I want to ship out a file along with my software whose contents need to be hidden from my software's users (online authentication is not possible since the software needs to be executable offfline). The way I do this is by encrypting the file using AES-256 and then storing the encryption key in the source file. As it turns out though, it's dead easy to recover this key from the compiled executable since the entire string is just lying in a continuous block. The following Python code finds the key:
with open("/path/to/executable", 'rb') as readfile:
content = readfile.read()
to_find = 'C0SH3VKNTKR4CRGH0R8WXD9WR5I1GS' # example key
for i in range(len(content) - len(to_find)):
substr = content[i:i + len(to_find)]
if substr == to_find:
print "Found at index %d" % i
Of course, as an attacker I wouldn't know what I'm searching for. But one could easily infer the desired format of the decrypted file by looking at the shared libraries which the executable depends on (those libraries are open source, and the format of the decrypted file is also a widely used standard). So basically, one could just slide a 30-character long window over the binary content that makes up the executable, decrypt the file using each string, and then check if it can be correctly parsed.
I know that it is impossible to completely secure the key if it is present in the source code in some format, but what are some typical techniques that could be used to make an attacker's life harder in this situation?
The obvious solution that comes to mind is to split key into multiple substrings and scatter them throughout the code, or to insert dummy characters in the middle of the string, but I have zero knowledge in software security so it'd be nice to hear other suggestions.
Upvotes: 5
Views: 3093
Answers (2)
Reputation: 78905
There is an entire research field for this called white box cryptography. Just google for it.
One of the options is to use a white box cryptography code generator for AES. Given a secret key, it will generate source code that implements AES or part of AES for this particular key. The key is indirectly embedded in the code. It's not explicitly stored.
It seems that the Whitebox-crypto-AES is such a code generator. I've never used it. Give it a try...
Upvotes: 7
Reputation: 3272
If you are using DotNet Technology ( MS .Net or DotNet Core ) you can secure such keys using DPAPI .
Essentially you use a Key Derivation approach to derive / generate a Key on first use and then secure the Key in registry or file using DPAPI .
Upvotes: -1
Related Questions
- How to encrypt c# code so that it wont be easy to decompile and read
- How do you hide secret keys in code?
- Java decryption on an app, decompiled source code
- Encrypting a .NET application
- Hiding the source code in .jar files
- Obfusticating License key which is hardcoded
- How do you hide an encryption key in a .NET application?
- How to obfuscate key for encryption function?
- How secure is it to store an encryption key in source code?
- How to protect decryption key from decompilation?