How do you hide an encryption key in a .NET application?

后端 未结 3 725
余生分开走
余生分开走 2021-01-11 12:33

I\'m developing an intranet application (C#) that uses some data (local to the web server) that we\'d like to keep private. This data is encrypted (AES) using a legacy data

相关标签:
3条回答
  • 2021-01-11 13:06

    If somebody can just attach a debugger to your program, there is absolutely nothing you can do. They won't have to figure out your config, disassemble your app, etc. All they have to do is run the app - watch it use the key - bingo.

    Obfuscation is of no help under those conditions.

    The best defense is to use hardware to protect the key - which will do the crypto but not give out the key itself (and is sometimes hardened against attacks such as probing the wires, exposing the memory to low temperatures/radiation/other novel stuff). IBM do some appropriate stuff (google IBM-4764) but it's not cheap.

    0 讨论(0)
  • 2021-01-11 13:19

    Speaking in obfuscation terminology, what you are after is called constant hiding, i.e. a means by which you transform a constant into, say, a number of functions and calculations that are executed at runtime to re-materialize said constant.

    This still falls within the domain of obfuscation, however, and is susceptible to either code extraction, where the attacker simply maps out the code relevant to this constant, and runs it in a separate application to retrieve the value; or dumping the application's memory at the right point in order to scan it for the desired value.

    There is another, slightly more advanced method of hiding crypto keys in particular, called White-box cryptography, which employs key-less ciphers through essentially generating a cipher function from a given key, baking them together. As the name suggests, this method has been devised to be resilient even in a white-box attack scenario (the attacker has access to the bytecode and is able to inspect and manipulate the executable at runtime).

    These are both quite advanced methods of achieving security through obscurity, and it might be worth considering alternative models which do not force you to do this in the first place.

    0 讨论(0)
  • 2021-01-11 13:27

    Encryption is built into the .NET configuration system. You can encrypt chunks of your app/web.config file, including where you store your private key.

    http://www.dotnetprofessional.com/blog/post/2008/03/03/Encrypt-sections-of-WebConfig-or-AppConfig.aspx

    0 讨论(0)
提交回复
热议问题