none
Security issue about 2-way encryption RRS feed

  • Question

  • Hello all!
    I posted some weeks ago a question regarding two-way encryption(particullary AES). I implemented this algorithm in my application and it seems to work fast and fine. In order to decrypt data from my config file for the application I have some parameters(Key, saltValue etc.). Still..I don't understand one thing. Someone on this forum told me that no data in a .Dll is secure.
    What if a hacker can get the data out of my dll(since the parameters are strings kept this way) and than apply the same technique and reveal the information hidden in the config file about database, smtp server and so on?
    Is it possible to decrypt an encrypted file this way?
    Best Regards,
    Ariel

    Saturday, March 1, 2008 5:44 PM

Answers

  • Yes,

     

    anybody can decompile your dll (e.g. http://www.aisto.com/roeder/dotnet/). Any constant things are readable in cleartext very easily. This way somebody can look at your hard coded keys and decrypt with these keys the rest. That is the reason why hard coded things are unsafe. But there is a way out if you use protected storage DPAPI.

    This API does encrypt the data with the current users credentials. Other users can therefore not read the encrypted data on this PC.

     

    Yours,

      Alois Kraus

     

    Saturday, March 1, 2008 6:35 PM