Where to hide the key

**bbUFO** · Aug 12th, 2000, 06:07 PM

Ok, I got a 'good' algorithm for encryption. But where is the good place to store the encrytion KEY?

I have 3 ideas, but they seems not so good, anyone have other idea?

If store it with the encrypt data or in a file, so whoever get the data or file can decrtypt it. this is not safe.
If store it in Windows Registery, than user will lost the key if he/she reinstall Windows.
If use the user's password as the key, it need to re-en/decrypt all the data every time user change password.

**gwdash** · Aug 12th, 2000, 06:11 PM

The registry is the most common. If they re-install windows, they re-install your program, thus the key gets put back in the Registry, right? How often do you re-install windows, anyway!

**gwdash** · Aug 12th, 2000, 06:12 PM

or you could hard code it in, unless it will change

Aug 12th, 2000, 06:40 PM

For this program, the author claims you can hide strings or anything in the exe itself. Here is the program: Active Self-Extract

**bbUFO** · Aug 12th, 2000, 07:06 PM

gwdash, hard code is what I always want to do. But if other people get my program and the data file, they can also decrypt it as well.

**Sam Finch** · Aug 12th, 2000, 07:24 PM

well should you really include the key anywhere, the Idea of encryption is to restrict access of the file to a select group of people, why don't you just tell them the key?

If you have a house you don't leave the key under the doormat or in the door because then what is the point of having a key, only people who have access to the house are given the key.

**gwdash** · Aug 12th, 2000, 07:25 PM

i see what you mean now, i'm not an expert, but i understand your point, Somewhat

**bbUFO** · Aug 12th, 2000, 07:31 PM

Sam Finch, that's what I meant. So what should I do to hide the Key?

**Sam Finch** · Aug 12th, 2000, 07:39 PM

I meant actually tell them, using your voice, or send them a letter or something, no hacker is going to be able to find the key if it's just stored in their head, you can change the key as much as you like by telling them again or sending another letter, or even an email, but that's slightly less secure. you don't have to change the key every message, even once a month is pretty failsafe.

Aug 12th, 2000, 07:48 PM

Another appraoch is, like you mentioned, hiding it in the Registry. Hide it among the common serial numbers such as {4JGF984NG-GF0843HGNF-45T0895NG-394Y3209NV}.

**bbUFO** · Aug 12th, 2000, 11:30 PM

This is a great idea. Use the software serialno as key! I just need to generate unique serial number for each copy of my applications, so nobody else can crack the data without the orginal serialno.

Aug 13th, 2000, 05:23 AM

perhaps yo could generate a registration code from the user's PC hard disk Serial number, this will change even between formatting episodes!

Aug 13th, 2000, 09:13 AM

There is a lot of OS Info (Serial number, ProductID, Username, Organization etc.) found in the following registry path.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\

**bbUFO** · Aug 13th, 2000, 12:41 PM

Alright! But how to access this registry from VB6?

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\

Is it the same for WindowsNT,2000 and 9x?

[Edited by bbUFO on 08-13-2000 at 01:44 PM]

**REM** · Aug 13th, 2000, 12:50 PM

Instead of storing one registry entry, store lots all around the registy, and do a check to see if any one of them has been tampered with. If it has, then the program doesn't run. This would make it a lot harder for a user to search the regsitry and find the single encryption key in the registry.

Just an idea.

Later

REM

Thread: Where to hide the key

Thread Tools

Display

Try this

Posting Permissions