How do you hide secret keys in code?

encryption obfuscation
38,853

Solution 1

The reasons those secret keys were so easily discovered is because they were hidden in software.

Avoid hiding secrets in software at all cost - obfuscation will only get you so far. Ask yourself this: How well can I hide a key in software from someone with full access to the disassembly, user mode and kernel mode debuggers, and no day job? It's only a matter of time before it gets cracked.

Solution 2

You just hide the key somewhere, and decrypt it when you need it. Using the key "securely" is the complicated part. Crackers might set a breakpoint to the place where you use the decrypted key and dump it. They might scan your code for patterns which show that you are using a known crypto algorithm (most algorithms have precalculated tables). etc etc.

That's why you need to make the whole software executable hard to analyze. For this you use executable packers, running code in a virtual machine, integrity checks etc. All this is to slow down debugging and modifying your code.

As most people here point out you can't stop anyone, just slow them down. I'd go to a cracker forum and ask there for suggestions about key hiding problematics. They are most likely helpful if you ask nicely.

ps. Public key crypto won't hide the key any better, but it might make it harder (or theoretically impossible) to make a key generator, if you're doing a licensing scheme.

Solution 3

The bottom line is, you can't. See any other comment here for the reasons why. Even encryption software like PGP/GPG stores the keys in a file, and then stridently urges those files to be kept on a flash drive in a safe, or something else secure. Keys stored as part of executable code will be discovered.

In fact, if you're trying to encrypt anything on a client machine that will be decrypted by the client as part of normal operations, that is also a fool's errand. The client machines are inherently insecure, and you can't control what they're going to be able to do to your data.

If you're trying to authenticate, instead, look at Internet based authentication with logins to a server, or some kind of generated KeyCode that is used to validate the software.

Secret keys as part of a Public-Private Keypair should be kept in data files that can be secured. Symmetric keys should be generated on the fly as Session Keys, then discarded. Always assume that anyone who has a Secret or Session key on their computer will be able to discover it, and use it against your intentions.

Read "Applied Cryptography" by Bruce Schneier for more information.

Solution 4

You can't hide a key forever. But you can sure make it hard to find. Some approaches are to encrypt the key in memory, keep multiple copies (perhaps encrypted differently) that are checked against each other, leave dummy copies to be accessed, store the key in some bizarre format, etc. None of them will work if somebody really wants your key, but you can at least dissuade a casual/inexperienced attacker.

Solution 5

You don't always need a key to validate a license.

But ignoring that fact, your key can also be the result of another function. You don't actually store a specific key value, instead you have a function that generates the key on the fly (always the same result). Although not impossible, it's much harder to find since you're no longer looking for a value, but you have to figure out it's an equation.

Share:
38,853
TTar
Author by

TTar

Updated on November 11, 2021

Comments

  • TTar
    TTar over 2 years

    I've wondered for some time how some software hides secret keys in such a way that they can't be trivially discovered. Just a few examples:

    • DVD Player Software hides CSS keys
    • Software with serial numbers/registration codes hides keys/hashes used to validate the serial numbers

    Obviously, these programs do something more than just have the key in a byte[], as that would make it easy to steal their keys and generate your own serial numbers, etc.

    What sorts of strategies are used to hide these keys so that they can't be found easily?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to obfuscate lua code?
How to encrypt HTML+JS assets in Android Phonegap mobile app?
What is the difference between Obfuscation, Hashing, and Encryption?
Can I encrypt my JSON data?
Simplest way to obfuscate and deobfuscate a string in JavaScript
How can I hide or encrypt JavaScript code?
Is it possible to hide/encode/encrypt php source code and let others have the system?
Can I encrypt my source code for android and ios?
obfuscate or encrypt some plain text data in PHP
Can windows viruses affect my encrypted linux partition on the same disk?