
How do you hide secret keys in code?

I've wondered for some time how some software hides secret keys in such a way that they can't be trivially discovered. Just a few examples:

  • DVD Player Software hides CSS keys
  • Software with serial numbers/registration codes hides keys/hashes used to validate the serial numbers

Obviously, these programs do something more than just have the key in a byte[], as that would make it easy to steal their keys and generate your own serial numbers, etc.

What sorts of strategies are used to hide these keys so that they can't be found easily?

TTar asked Apr 18 '09 19:04



2 Answers

The reason those secret keys were so easily discovered is because they were hidden in software.

Avoid hiding secrets in software at all costs - obfuscation will only get you so far. Ask yourself this: How well can I hide a key in software from someone with full access to the disassembly, user mode and kernel mode debuggers, and no day job? It's only a matter of time before it gets cracked.

Michael answered Oct 06 '22 01:10


You just hide the key somewhere, and decrypt it when you need it. Using the key "securely" is the complicated part. Crackers might set a breakpoint at the place where you use the decrypted key and dump it. They might scan your code for patterns which show that you are using a known crypto algorithm (most algorithms have precalculated tables), etc.

That's why you need to make the whole software executable hard to analyze. For this you use executable packers, running code in a virtual machine, integrity checks etc. All this is to slow down debugging and modifying your code.

As most people here point out, you can't stop anyone, just slow them down. I'd go to a cracker forum and ask there for suggestions about key-hiding problems. They are most likely helpful if you ask nicely.

P.S. Public key crypto won't hide the key any better, but it might make it harder (or theoretically impossible) to make a key generator, if you're doing a licensing scheme.

John Smith answered Oct 06 '22 01:10
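The point in the P.S. above about licensing schemes, as an added example that is not code from the question or either answer: a license check built on Ed25519 signatures ships only the public key, while a check built on a shared-secret MAC ships the same key that issues licenses. All names, the seed, the secret and the e-mail addresses are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed demo values. A real signing key is generated once and never shipped.
var vendorSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
var sharedSecret = []byte("constructed-demo-secret")

// DemoKeyPair derives a fixed key pair from the constructed seed (demo only).
func DemoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(vendorSeed)
	return priv.Public().(ed25519.PublicKey), priv
}

// IssueLicense runs on the vendor's side only: it needs the private key.
func IssueLicense(priv ed25519.PrivateKey, licensee string) []byte {
	return ed25519.Sign(priv, []byte(licensee))
}

// VerifyLicense is the part that ships. It holds only the public key, so
// reading that key out of the binary does not allow issuing new licenses.
func VerifyLicense(pub ed25519.PublicKey, licensee string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(licensee), sig)
}

// MACTag is the symmetric scheme: one secret both issues and verifies, so the
// shipped verifier necessarily contains everything an issuer needs.
func MACTag(secret []byte, licensee string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(licensee))
	return m.Sum(nil)
}

// VerifyMAC recomputes the tag with the embedded secret, comparing in constant time.
func VerifyMAC(secret []byte, licensee string, tag []byte) bool {
	return hmac.Equal(MACTag(secret, licensee), tag)
}

func main() {
	pub, priv := DemoKeyPair()
	sig := IssueLicense(priv, "alice@example.com")
	fmt.Println(VerifyLicense(pub, "alice@example.com", sig), VerifyLicense(pub, "bob@example.com", sig))
}
```

The signature check can still be patched out of the binary, which is why the answer treats public-key crypto as protection against key generators rather than as a way to hide a key.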