Re: Embed username/password/etc. in exe at install time.
- From: "Nicholas Paldino [.NET/C# MVP]" <mvp@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 8 Jan 2008 11:52:10 -0500
I was going to say, if they are REALLY going to go down this route, at
least make it harder to get the key from the binary. Don't use managed
code. Write a small native DLL which will generate the encryption key based
on items in the DLL. For example, don't use a constant compiled into the
dll, as that can be pulled out from the .data section of the dll, but
rather, use a bunch of method calls which will cause transformations on data
which will generate the key ultimately.
It's really another layer of indirection, but it's not as easy as
running Reflector on the assembly to get the encryption key.
Of course, then you have to make sure that no one gets their hands on
that piece of code that will produce the encryption key. You could include
it as a module in a multi-module assembly, and then call it in this manner:
http://blogs.msdn.com/suzcook/archive/2004/10/28/249280.aspx
But then that leads to the fact that this can probably be extracted, and
the whole cat-and-mouse game begins again.
--
- Nicholas Paldino [.NET/C# MVP]
- mvp@xxxxxxxxxxxxxxxxxxxxxxxxxxx
<jehugaleahsa@xxxxxxxxx> wrote in message
news:7f235abb-5db3-4211-bc1a-b5f55a3b45bd@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Jan 8, 8:37 am, "Nicholas Paldino [.NET/C# MVP]"
<m...@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Travis,
Ultimately, this is an exercise in futility. The administrators should
be changing the passwords by hand.
I will advise them of your suggestion.
Because you don't want the passwords to be in plain text (so others
can't see, I assume), you would encrypt the file. However, to do that, you
need an encryption key. So you embed the encryption key into the
application (or the application constructs it from other data available to
it). However, the application can be decompiled.
That is a wonderful point. I was thinking of having a separate form
modify the app.config file. However, in order for my executable to
decrypt the app.config settings, I would have to have the encryption
key inside or outside of my executable. So then I would need to
encrypt my key . . . and so on.
So you obfuscate it. Unfortunately, there is no foolproof way to
obfuscate your code, and you run the risk of potentially breaking your
code or changing how it works due to the obfuscation process.
That is also true.
And even then, obfuscation is a cat and mouse game. No matter what you
do (even if you compile a native binary), you will always be able to
figure out what the code is going to do.
Ultimately, there is no way that this will be secure, and the password
administration should be handled by other means.
I think there is a middle ground of security that will be acceptable
inside our internal network. I will have to discuss this with them and
explain the security flaws inherent in their request. I am sure it
will surprise them. However, I think that they will probably say it is
okay for the encryption key to be visible in the exe, since it is a
degree away from putting the password plain-text. I might suggest
obfuscation as an additional precaution. Sigh . . .
Thanks,
Travis
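
An added illustration of the point discussed in this thread (not code from either poster): a key stored as a constant shows up in the binary's data as a run of near-random bytes that a build-time audit can flag, while a key built by transformations leaves no such run, yet anyone who can run the code still obtains it. The sample images, window size, threshold and the `derive_key` scheme are constructed assumptions.

```python
import math
from collections import Counter

WINDOW = 32       # assumed key length in bytes (a 256-bit key)
THRESHOLD = 4.9   # bits per byte; the maximum for a 32-byte window is 5.0

def entropy(chunk: bytes) -> float:
    """Shannon entropy of the byte values in chunk, in bits per byte."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def find_key_like_runs(image: bytes, window=WINDOW, threshold=THRESHOLD):
    """Return offsets whose window looks like stored random key material."""
    return [off for off in range(len(image) - window + 1)
            if entropy(image[off:off + window]) >= threshold]

def derive_key() -> bytes:
    """Key built by transformations instead of being stored (hypothetical scheme)."""
    state, out = 0x5A, bytearray()
    for i in range(WINDOW):
        state = (state * 37 + 11 + i) % 256
        out.append(state)
    return bytes(out)

# Constructed sample "data sections", not taken from a real binary.
TEXT = b"Enter the administrator password\x00" + b"\x00" * 31   # 64 bytes
CONSTANT_KEY = bytes((i * 37 + 11) % 256 for i in range(32))     # 32 distinct bytes
image_with_constant = TEXT + CONSTANT_KEY + b"\x00" * 64
image_with_derivation = TEXT + b"\x00" * 32 + b"\x00" * 64

if __name__ == "__main__":
    # The stored constant is flagged at (and right around) offset 64.
    print("constant build :", find_key_like_runs(image_with_constant))
    # Nothing is stored in the derivation build, so the scan is silent...
    print("derived build  :", find_key_like_runs(image_with_derivation))
    # ...but the shipped code still hands the key to whoever executes it.
    print("derived key    :", derive_key().hex())
```

The quiet scan on the second image is the "layer of indirection" described above: it defeats a search of the data section, not someone who runs the routine.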