Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to protect decryption key from decompilation?

Tags:

java

security

reverse-engineering

encryption

drm

I'm a beginner java programmer. I'm working on an application that decrypts some data. The decryption key is hardcoded into the software and thus can be seen by analyzing the bytecode.

I know that reverse engineering cannot be prevented entirely so what I'm trying to do is to make the process as hard as possible.

My idea is not to directly put the key into my code but have it go through some kind of transformation. For example, I could write - 

private static final byte[] HC256A = Hex
            .decode("8589075b0df3f6d82fc0c5425179b6a6"
                    + "3465f053f2891f808b24744e18480b72"
                    + "ec2792cdbf4dcfeb7769bf8dfa14aee4"
                    + "7b4c50e8eaf3a9c8f506016c81697e32");

This way someone looking at the bytecode can't read it straight away. But will have to follow the logic and apply transformations to it, which won't be that much easier at byte level.

So what do you guys think? Is this useful? What could be the be the best transformation other than hex decoding? Are there any other methods available to protect hardcoded decryption keys?

Thanks for all your suggestions.

like image 811
Monika Michael Avatar asked May 20 '11 09:05

Monika Michael

2 Answers

Right way to attack such obfuscation (especially in bytecode languages) is to attach debugger to the place to which the key is passed (if debugging is not possible, start analyzing code from that place). This way the attacker doesn't need to look for the key at all and he doesn't care how obfuscated the key is. So you need to re-think your design.

If you only want to protect from the amateur lurkers, then splitting the key and XORing it's parts (possibly with different keys), would be enough. One more trick - derive the key from text constants already present in the code (such as application name). This makes the key less obvious than splitting or XORing.

like image 191
Eugene Mayevski 'Callback Avatar answered Nov 20 '22 20:11

Eugene Mayevski 'Callback

Don't code the key into the source code at all. Keep it separate, ship it separately, e.g. in a Java keystore, and only to customers/sites/clients you trust, and put some legalese in the licence that places the onus on them if they leak the keystore.

like image 3
user207421 Avatar answered Nov 20 '22 18:11

user207421
Sign in to Comment

Related questions

Is there a way to avoid the constructor passing the Class?
Do we really need to create Stub in java RMI?
How to transform XMLStreamReader to XMLStreamWriter
Library to clean up and simplify filenames?
Parsing a simple XML document with JAXP(JEE6)
Exclude folder with sources which are built in IntelliJ Idea
using apache fileupload on GAE
Suggest a test automation framework for my scenario
Inserting Clob with NamedParameterJdbcTemplate
disconnecting from a socket in java
Errors in Eclipse for no reason
Keeping search result consistent across multiple transactions
Android: How to download file in android?
JavaBean class rules
How to implement expand/collapse nature to JTables in java swing application
Does Oracle DB support multiple (parallel) operations per connection?
How to set multiple items as selected in JList using setSelectedValue?
How to use smack with Openfire
Any good libraries for doing tearaway tabs in Java?
Levenshtein to Damerau-Levenshtein

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!