-
Feb 25th, 2003, 06:48 PM
#1
Thread Starter
Addicted Member
CryptoAPI and protecting its key
I have a pretty good understanding of how the cryptoAPI works and the uses, however, I'm quite confused as to how one would secure it.
I am planning on using the crypto API to do basic file content encryption. Obviously, if a "hacker" gets ahold of the txt file, it's pretty difficult to break the encryption and grab the contents. Most people "type" a secret password to decrypt the file... not so in my case!
In my app, the key will HAVE to be stored in the executable. This presents a few problems. Once I call the "Decrypt" function, any half-ass cracker will check the stack contents and snag the key.
I want to prevent this or at least make it much more difficult. I will certainly use the usual techniques to thwart crackers (packed exe, debugger checks) but how can I better prevent this type of stack attack?
One thought I had was to just write my own stupid algorithm that attempts to hide\play with the decryption key as much as possible. But I would definitely prefer to use one of the API's algos.
Any suggestions?
Thanks
Phil
-
Feb 25th, 2003, 09:19 PM
#2
Hyperactive Member
They will always find a way, just make it so noobs don't crack it.
I know a lot of VB, expert in C++, and I think in assembly.
MSVC++6.NET
vb6
masm
Windowz Xp
I find my self using this a lot in C++
__asm {
}
-
Feb 26th, 2003, 04:49 PM
#3
As parksie says: security through obscurity is no security.
As long as the key is stored in any form in your exe or some place your exe can access, a hacker can access it too.
All the buzzt
 CornedBee
"Writing specifications is like writing a novel. Writing code is like writing poetry."
- Anonymous, published by Raymond Chen
Don't PM me with your problems, I scan most of the forums daily. If you do PM me, I will not answer your question.
-
Feb 26th, 2003, 08:15 PM
#4
Thread Starter
Addicted Member
Yeah, I'm fully aware of the "un-winnable battle", however, as a programmer... I can certainly make it as difficult and discouraging as possible.
I've been reading up on the CryptoAPI or what little information on it is available, and best I can tell there IS something that can be used to help protect the key. I really don't understand some of the terminology used, but encrypted key blobs may be my answer. Sure wish there was better documentation for this!
Since my software is directly used with a USB hardware device, my hardware can incorporate some of the "authenticating" as well as some more tricks I can use.
Oh well, I guess I'll figure out how to prevent the crypto provider routines from reliance on a static key.
If anybody has any further suggestions, reading material, or anything that may help... I'm all ears (or eyes).
Phil