3

In my project (windows desktop application) I use symmetric key in order to encrypt/decrypt some configurations that need to be protected. The key is hardcoded in my code (C++).

  1. What are the risks that my key will be exposed by reverse engineering ? (the customers will receive the compiled DLL only)
  2. Is there a way for better security for managing the key?
  3. Are there open source or commercial products which I can use
pattivacek
  • 5,617
  • 5
  • 48
  • 62
Denisdillo
  • 31
  • 1
  • 2
    It sounds like you currently have no security at all, not really. If the key is there in plain sight (to someone with a hex reader) then it is there in plain sight (albeit requiring some detective work with a disassembler, or trial and error, to find which group of bytes is the key). – John Coleman Feb 13 '17 at 14:33
  • @JohnColeman Yes there is security, security against an ordinary users. Security is directed against a defined attacker, not 100% of possible attackers, that is unattainable. – zaph Feb 13 '17 at 14:51
  • @Denisdillo Define the attacker, what level of skill and capabilities–a curious teen to a well funded government. Define the value in monetary units. Define the cost of a successful attack. Define the device, a Windows 95 computer, an iOS device, an Android device, etc because there is built-in security at some level for each. Protecting from the device owner is almost impossible and the solution is generally DRM which generally requires a server. – zaph Feb 13 '17 at 14:55
  • @zaph Good point, although I would phrase it that if the only thing you are worried about are casual users who might have a bit of idle curiosity and there are no genuine risks then you don't need real security and can get by with a certain amount of obscurity-based pseudo-security. – John Coleman Feb 13 '17 at 14:58
  • Does the key have to be symmetric? This seems like a good use for an asymmetric key in which the public key is embedded in the application and only you (or whoever the intended recipient is) have the private key. For your application to decrypt your messages, though, they'd have to generate a private key and send you the public key to encrypt your messages. – pattivacek Feb 13 '17 at 22:51
  • @zaph oops, you're right. I misread "configuration" as "communication". Now I'm a bit confused what about these configurations needs to be encrypted. – pattivacek Feb 14 '17 at 14:16

2 Answers2

3

Windows provides a key storage mechanism as part of the Crypto API. This would only be useful for you if you have your code generate a unique random key for each user. If you are using a single key for installations for all users, it will obviously have to be in your code (or be derived from constants that are in your code), and thus couldn't really be secure.

Richard Schwartz
  • 14,463
  • 2
  • 23
  • 41
  • 1
    A good practice but note: It is still not secure against the device owner. – zaph Feb 13 '17 at 16:02
  • 2
    Yes, I know. A respected security professional once told me "We can't protect against unknown threats or against the known threat of an untrustworthy but authorized end-user". – Richard Schwartz Feb 13 '17 at 17:29
2

What are the risks that my key will be exposed by reverse engineering ? (the customers will receive the compiled DLL only)

100%. Assuming of course that the key protects something useful and interesting. If it doesn't, then lower.

Is there a way for better security for managing the key?

There's no security tool you could use, but there are obfuscation and DRM tools (which are a different problem than security). Any approach you use will need to be updated regularly to deal with new attacks that defeat your old approach. But fundamentally this is the same as DRM for music or video or games or whatever. I would shop around. Anything worthwhile will be regularly updated, and likely somewhat pricey.

Are there open source or commercial products which I can use

Open source solutions for this particular problem are... probably unhelpful. The whole point of DRM is obfuscation (making things confusing and hidden rather than secure). If you share "the secret sauce" then you lose the protection. This is how DRM differs from security. In security, I can tell you everything but the secret, and it's still secure. But DRM, I have to hide everything. That said, I'm sure there are some open source tools that try. There are open source obfuscation tools that try to make it hard to debug the binary by scrambling identifiers and the like, but if there's just one small piece of information that's needed (the configuration), it's hard to obfuscate that sufficiently.

If you need this, you'll likely want a commercial solution, which will be imperfect and likely require patching as it's broken (again, assuming that it protects something that anyone really cares about). Recommending specific solutions is off-topic for Stack Overflow, but google can help you. There are some things specific for Windows that may help, but it depends on your exact requirements.

Keep in mind that the "attacker" (it's hard to consider an authorized user an "attacker") doesn't have to actually get your keys. They just have to wait until your program decrypts the configurations, and then read the configurations out of memory. So you'll need obfuscation around that as well. It's a never-ending battle that you'll have to decide how hard you want to fight.

Rob Napier
  • 286,113
  • 34
  • 456
  • 610