Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Hiding passwords / keys in compiled application

Tags:

c

cryptography

In my C application I have a decryption key that is used to decrypt sets in the database (username / password). Currently, I simply declared it with

char * key = "$$$secretSampleDecryptionKey$$$";

Shortly after that line, I prepare the SQL statement and then select from the DB. My question is, if someone was to debug my compiled application or dissassemble it, will they actually see the key? What can I do to hide it from them?

EDIT:

As Mark and Aaron pointed out, I can simply use the Linux / Unix strings command

strings nameOfApplication

to print out all the strings in my application, including the "secret" key.

EDIT 2:

The app runs on my server and the database stores sensitive customer data that is encrypted. I thought I was playing it safe by not having the key in a text file for everyone to read but compile it instead.

like image 528
Frank Vilea Avatar asked Sep 06 '11 11:09

Frank Vilea

2 Answers

An interesting link relating the story of someone retrieving a password from a binary :

Deconstructing an ELF File

This is a step-by-step description of what someone could try to discover a password. It will give you some idea of what "not to do". The use of the command strings is the first item in the list for example.

If you want to hide your secret string from strings, you can store it in as a char array not terminated with \0 character. strings should not pick it up.

There is also a nice trick mentioned (which is bypassed) to avoid someone to use a strace/ltrace on your binary.

Ultimately by disassembling the code, the "hacker" manage to retrieve the password, which as other have pointed out is difficult to protect against. Basically you can't really hide anything in a binary...

like image 178
Xavier T. Avatar answered Oct 24 '22 20:10

Xavier T.

If the key is in your source then an attacker will be able to find it. The best you can do is to make it more difficult for them.

The stored key should not be text, but binary. That way you avoid searches for strings. Presumably if you have the key present in the code your users do not need to be able to type it in.

Store the key in at least two random looking binary arrays that are XOR'ed together to make the actual key. Alternatively, pick one of the standard text strings that is present in your application anyway, something like: "Please enter the Zipcode: ", and use that as your key, or as one component of the XOR. Hashing such a message would get it to a standard length if needed.

like image 41
rossum Avatar answered Oct 24 '22 20:10

rossum
Sign in to Comment

Related questions

C - program structure (avoiding global variables, includes, etc.)
Reading all content from a text file - C
calling C++ methods from C
Handling `argv` in a C command line program
long long vs int multiplication
Where is the memory leak in this code and how to fix it?
How to detect cold boot versus warm boot on an ARM processor?
Why does compilation of this simple C++ program using 'cpp' fail?
Unresolved inclusion: <conio.h>. Why?
What actually happens when a pointer to integer is cast to a pointer to char?
Can I define variadic C preprocessor macros with __VA_ARGS in the middle instead of the end?
Number of unset bit left of most significant set bit?
Variably modified array at file scope
What is a simple way to find real roots of a (cubic) polynomial?
dereferencing structure from (void *) type
AES Encryption -Key Generation with OpenSSL
Clarification on why this C code works
how to calculate size of pointer pointed memory?
what is "{0}" in C?
Opening file in Append mode : using open() API

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!