Can I distribute a .NET app that uses a key that the user can't access, but the app can?

Note that I am using the word distribute in the sense that the application is delivered to run in the user's computer, not in a cloud or cluster.

+5  A: 

Anything in your application can be accessed by a skilled enough user.

This is why games and the like moved from storing key algorithms inside the program to verifying with an outside, game manufacturer owned server.

If you're just trying to keep out the average Joe, just hash it and store it like any other variable. Like a padlock on a door, it won't keep out the determined user, but it will keep honest men honest.

Caladain
I think you are right. In game authentication, if a key is being used by more than one computer, they can't block only the pirates, so all they can do is block both the pirates and the original one that uses that key. So even this server storing mechanism, while being better than the alternative, still has its faults.
Jader Dias
Nothing is perfect. It's an arms race in the game development world, and one that the game manufacturers are losing for a variety of reasons. Generally if they nuke a key, the original owner can contact them and, with some phone time, get a new working key. 99.99% of the time, the simple padlock is the way to go. Sometimes a dongle attachment is "the way to go", but I find these very, very, very annoying and so won't recommend them.
Caladain
Good answer. Security is rarely about creating a super-safe system; it's often about making it not worth the time and effort to break.
zebrabox
+1  A: 

Depending on what you are trying to encrypt, you would deliver the public key, retaining your private key and you could distribute it freely. What are you trying to accomplish exactly?

Hal
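The split described in the answer above, as an added example that is not part of the original post: the vendor keeps the RSA private key and the distributed app carries only the public key, so the app can verify vendor-signed data and encrypt data for the vendor, while a user who extracts the shipped key can neither sign nor decrypt. The key size, the license strings and the variable names are assumptions made for the illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Vendor side (never shipped): generate the key pair and keep the private key.
using RSA vendorKey = RSA.Create(3072);
byte[] shippedPublicKey = vendorKey.ExportSubjectPublicKeyInfo(); // only key material in the app

// Vendor side: sign a constructed sample license string.
byte[] license = Encoding.UTF8.GetBytes("user=alice;edition=pro"); // constructed sample
byte[] signature = vendorKey.SignData(license, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);

// Client side: everything below uses only what is distributed with the app.
using RSA appKey = RSA.Create();
appKey.ImportSubjectPublicKeyInfo(shippedPublicKey, out _);

bool genuine = appKey.VerifyData(license, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
Console.WriteLine($"vendor-signed license accepted: {genuine}");

// An edited license no longer matches the vendor's signature.
byte[] edited = Encoding.UTF8.GetBytes("user=alice;edition=enterprise"); // constructed sample
bool editedOk = appKey.VerifyData(edited, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
Console.WriteLine($"edited license accepted: {editedOk}");

// The app can encrypt data that only the vendor can read.
byte[] report = appKey.Encrypt(Encoding.UTF8.GetBytes("crash report"), RSAEncryptionPadding.OaepSHA256);

// The shipped key holds no private parameters, so decryption fails on the client.
try
{
    appKey.Decrypt(report, RSAEncryptionPadding.OaepSHA256);
}
catch (CryptographicException)
{
    Console.WriteLine("public key alone cannot decrypt");
}

// Vendor side: the retained private key opens the message.
string opened = Encoding.UTF8.GetString(vendorKey.Decrypt(report, RSAEncryptionPadding.OaepSHA256));
Console.WriteLine($"vendor decrypted: {opened}");
```

This keeps the secret off the user's machine entirely; it does not stop a user from modifying the distributed program so that the verification result is ignored.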
A: 

Not really. You can make it annoying to retrieve the key, but if it can be used by the program, the user can inevitably read it as well.

Jerry Coffin
+2  A: 

There are two general answers to your question.

If your question is this:

Is it possible for me to pass a key alongside my executable in any way that makes it 100% impossible for any user to access, but still my program can access it?

Then the answer is this: No, you can't.

Anything your code can do, the user can potentially do as well.

All you can do is make it hard for the user. Encrypt it, hide it.


If your question is this:

Is it possible for me to pass a key alongside my executable in any way that makes it very unlikely that my users can access, but still my program can access it?

Then the answer is this: See answer to the first case, in particular the part about making it hard for the user.

Lasse V. Karlsen