9

Given that a C# assembly can be easily reverse engineered using reflector, where should I store my sensitive data when compiling an assembly in C#?

I have a X509certificate embedded in my C# assembly in which I need to store the password when accessing the certificate! Now where should I store the certificate password?

Sepehr
  • 158
  • 6
  • 21
    You can't. Anything that your code can access, the user can also access. – SLaks Jan 23 '13 at 22:49
  • Encryption would be your only option: http://support.microsoft.com/kb/316898 But ultimately, nothing is secure. – Botonomous Jan 23 '13 at 22:50
  • Keep you sensitive data in protected (encrypted) mode. – Hamlet Hakobyan Jan 23 '13 at 22:50
  • any other solutions? an unmanaged library maybe? – Sepehr Jan 23 '13 at 22:50
  • 1
    You can encrypt part of your app.config file: http://weblogs.asp.net/jgalloway/archive/2008/04/13/encrypting-passwords-in-a-net-app-config-file.aspx – itsme86 Jan 23 '13 at 22:52
  • The consensus is that it can't be done. See [here](http://stackoverflow.com/questions/7073110/could-i-hide-the-encryption-key-of-a-c-sharp-exe-securely-in-a-way-that-cant-b/7073162#7073162) and [here](http://stackoverflow.com/questions/33288/protecting-api-secret-keys-in-a-thick-client-application). – HABO Jan 23 '13 at 22:59
  • @Anon: Encryption doesn't help in the slightest. – SLaks Jan 23 '13 at 23:01
  • 1
    @Sepehr: No. The user has complete control over anything running on his machine. – SLaks Jan 23 '13 at 23:02
  • The best I've used is Secure Team (http://www.secureteam.net/NET-Obfuscator-Features.aspx) but its not cheap. – Jason Haley Jan 25 '13 at 00:56

1 Answers1

4

If you don't mind shelling out some cash, you could take a look at Eazfuscator

The vendor claims to offer Code virtualization, string encryption among other features.

If his claims are valid, this might be what you need.

They have a trial, so i guess it can't hurt to try it out.

scartag
  • 17,548
  • 3
  • 48
  • 52