tags:

views:

176

answers:

6
+3  Q: 

saving passwords inside your application code

Hello all,

I have a doubt concerning how to store a password for usage in my application. I need to encrypt/decrypt data on the fly, so the password will need to be somewhere. Options would be to have it hard-coded in my app or load it from a file.

I want to encrypt a license file for an application and one of the security steps involves the app being able to decrypt the license (other steps follow after). The password is never know to the user and only to me as e really doesn't need it!

What I am concerned is with hackers going through my code and retrieving the password that I have stored there and use it to hack the license breaking the first security barrier.

At this point I am not considering code obfuscation (eventually I will), so this is an issue.

I know that any solution that stores passwords is a security hazard but there's no way around it!

I considered assembling the password from multiple pieces before really needing it, but at some point the password is complete so a debugger and a well place breakpoint is all that is needed.

What approaches do you guys(and galls), use when you need to store your passwords hard-coded in your app?

Cheers

+3  A: 

Decide now how much time/effort you want to spend on preventing piracy. If someone is determined, they're probably going to get your application to work anyway.

Chris Shaffer  2009-12-30 18:15:26
+3  A: 

I know you don't want to hear it, but it's a waste of time, and if your app needs a hardcoded password then that is a flaw.

GregS  2009-12-30 18:17:40
I know that it's a flaw. Is there any way not to do what I want without being like this? I don't want to generate a password for each installation and then store it because the problem would be the same. I would have to encrypt that file with a fixed password...
Andre  2009-12-31 09:59:48
+3  A: 

I don't know that there is any approach to solving this problem that would deter a hacker in any meaningful way. Keeping the secret a secret is one of cryptography's great problems.

Adam Crossland  2009-12-30 18:17:50
+5  A: 

My personal opinion is the same as GregS above: it is a waste of time. The application will be pirated, no matter how much you try to prevent it. However...

Your best bet is to cut down on casual-piracy.

Consider that you have two classes of users. The normal user and the pirate. The pirate will go to great lengths to crack your application. The normal user just wants to use your application to get something done. You can't do anything about the pirate.

A normal user isn't going to know anything about cracking code ("uh...what's a hex editor?"). If it is easier for this type of person to buy the application than it is to pirate it, then they are more likely to buy it.

It looks like the solutions you have already considered will be effective against the normal user. And that's about all that you can do.

RobotNerd  2009-12-30 18:32:48
A: 

I know that I can't stop a determine hacker, but I don't want to make life easy for any aspiring hacker that likes to crack software during lunch break!

What I would like to know is what options are usually taken in this regard.

If I need to encrypt anything "in situ" I need for the password to be "in situ" as well.

My question is how can I protect the password itself in the code - let me rephrase that - how can I give it some measure of protection.

In this respect I have two contrary restrictions.

  • I don't want to ship a global password with every release because if any hacker hacked one, he/she would be able to hack all version.

  • On the other hand I don't want to generate a unique password at install time because I would still need to store it somwhow and... we would be at the same place.

Ideas? Suggestions?

Andre  2009-12-31 10:35:38
(Correct way to specify these details would be to Edit your question)
Madhu  2009-12-31 10:40:27
A: 

An approach I have done in the past was to generate an unique ID during the install, it would get the HDD and MCU's SN and use it in a complex structure, then the user will send this number for our automated system and we reply back with another block of that, the app will now decrypt and compare this data on the fly during the use.

Yes I works but it still have the harded password, we have some layers for protection (ie. there are some techniques that prevents a mid-level hacker to understand our security system).

I would just recommend you to do a very complex system and try to hack it on your own, see if disassembly can lead to an easy path. Add some random calls to random subroutines, make it very alleatory, try to fake the use of registry keys and global variables, turn the hacker life in a hell so he will eventually give up.

Douglas Gemignani  2010-01-01 17:53:22

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security