secret key string visible in dll

Tim Mackey

hi,
i am using 3des encryption with a secret key to send information between 2 aspnet applications. they both know the key, which is a hard-coded string. i have read about using aspnet-setreg to securely store such a value in the registry, but i have a different query.
if i open the dll in notepad, i can read the secret key, which obviously is no good. i tried changing the code to use a number as the secret key, calling .ToString() on the number. I then recompile and open up the dll in notepad and i can't find the number, which seems better. i don't know a thing about disassembling .net executables, so i'd like to know if the key is safe, hard-coded in the dll, in numeric form?

granted a numeric key has less combinations than a string version, but adding more digits will go some of the way to help that.

thanks for any help
tim mackey.
 
Joe Kaplan (MVP - ADSI)

With a tool like Reflector or Anakrino, it would be trivially easy to
decompile your assembly to discover how you are getting the key if it is
hard coded in the assembly. However, if you can protect access to the
assembly, then this may still be safe. It really depends on who will have
access to it.

Storing secrets is a very hard problem.

Joe K.

Tim Mackey said:
hi,
i am using 3des encryption with a secret key to send information between 2
aspnet applications. they both know the key, which is a hard-coded string.
i have read about using aspnet-setreg to securely store such a value in the
registry, but i have a different query.
if i open the dll in notepad, i can read the secret key, which obviously
is no good. i tried changing the code to use a number as the secret key,
calling .ToString() on the number. I then recompile and open up the dll in
notepad and i can't find the number, which seems better. i don't know a
thing about disassembling .net executables, so i'd like to know if the key
is safe, hard-coded in the dll, in numeric form?
granted a numeric key has less combinations than a string version, but
adding more digits will go some of the way to help that.
 
Tim Mackey

Hi Joe,
many thanks for the clarification. i thought i might have stumbled on a good way of storing secret keys, as numbers, but it's reassuring to hear from an expert that it still wouldn't be secure if access to the assembly file was compromised.

cheer
ti
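
The point made in the reply above, as an added example that is not part of the original thread: a release check that searches a build artifact for a key you already know, in the byte forms a .NET compiler stores it (UTF-16LE for string literals, little-endian immediates after `ldc.i4`/`ldc.i8` for integer literals). The function names, the sample key values and the constructed byte blob standing in for a compiled assembly are assumptions made for the example.

```python
import struct

# CIL opcodes that load an integer literal: ldc.i4 <int32>, ldc.i8 <int64>.
LDC_I4, LDC_I8 = 0x20, 0x21

def find_embedded_key(blob: bytes, key):
    """Return sorted (offset, description) hits for `key` inside `blob`.

    str keys are searched as UTF-16LE (how .NET stores string literals) and
    as UTF-8; int keys as little-endian int32/int64, noting when the bytes
    directly follow the matching ldc.i4/ldc.i8 opcode.
    """
    if isinstance(key, str):
        patterns = [("UTF-16LE string literal", key.encode("utf-16-le"), None),
                    ("UTF-8 string", key.encode("utf-8"), None)]
    else:
        patterns = [("int64 little-endian", struct.pack("<q", key), LDC_I8)]
        if -2**31 <= key < 2**31:
            patterns.append(("int32 little-endian", struct.pack("<i", key), LDC_I4))
    hits = []
    for name, pat, opcode in patterns:
        pos = blob.find(pat)
        while pos != -1:
            if opcode is not None and pos > 0 and blob[pos - 1] == opcode:
                label = f"{name} after ldc opcode 0x{opcode:02x}"
            else:
                label = name
            hits.append((pos, label))
            pos = blob.find(pat, pos + 1)
    return sorted(hits)

def build_sample(str_key: str, num_key: int) -> bytes:
    """Constructed stand-in for a compiled assembly, not a real PE file."""
    return (b"MZ" + b"\x00" * 14
            + bytes([LDC_I4]) + struct.pack("<i", num_key) + b"\x2a"  # ldc.i4; ret
            + b"\x00" * 8
            + str_key.encode("utf-16-le") + b"\x00" * 4)

if __name__ == "__main__":
    sample = build_sample("Sample3DesKey!", 1234567890)  # constructed keys
    # The decimal digits never appear as text, which is all Notepad shows.
    print("decimal digits visible as text:", b"1234567890" in sample)
    for key in ("Sample3DesKey!", 1234567890):
        print(key, "->", find_embedded_key(sample, key))
```

Run against a real build output by reading the file with `open(path, "rb").read()`; any hit means the key ships with the binary regardless of how it looks in a text editor.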
 
