
I want to encrypt an NSString, so I referred to AES Encryption for NSString. That code served well, and I can use it.

But if someone can get hold of the encryption key, it's easy to decode my NSString.

I executed the strings -a command in Terminal on the generated executable, and I was able to see that encryption key.

So, we protected the data before it's sent, but the encryption key is still exposed. How can I protect this encryption key?

EDIT: I have multiple processes running on the system. Sometimes they communicate with NSDistributedNotificationCenter by posting notifications. Sometimes a notification acts as a command. My worry is that anybody can post notifications and try to fool my process. So I decided to use postNotificationName:object:userInfo:deliverImmediately:. In this API I can send encrypted data (the command), and only my executables know the encryption key.

RLT
  • As @zoul says, it's not really possible to do what you're asking (i.e. if the executable has everything needed to decrypt the string, then anyone who has the executable also has everything needed). But depending on what you're actually trying to achieve, an alternate approach (e.g. using public-key encryption) might be possible. What are you actually trying to accomplish? – Gordon Davisson Apr 04 '13 at 18:34
  • I updated question with more information. – RLT Apr 05 '13 at 08:57

1 Answer


You can never hide the string really safely, just obfuscate it to protect yourself from simple attacks. One reasonable solution is to XOR it with a known constant. Take the string apart to single bytes, XOR each byte with a known number and store the resulting byte array in the binary. When you need to use the string, XOR the array bytes again with the same constant and create a string from the resulting byte array.

zoul
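The XOR approach from the answer above, as an added C example that is not code from the question or the answer. The key value and the constant 0xA5 are constructed for illustration; the run-length check mimics what strings -a reports, and the decoded copy is wiped after use. Anyone who reads the binary can still undo the XOR, so this is obfuscation and nothing stronger.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define XOR_CONST 0xA5u  /* assumed constant; high bit set, so ASCII maps to bytes >= 0x80 */
#define KEY_LEN 16

/* Constructed sample: a 16-character ASCII key XORed with XOR_CONST ahead of
   time. Only this array is compiled in; the plaintext is not in the source. */
static const unsigned char encoded_key[KEY_LEN] = {
    0xF6, 0xC4, 0xC8, 0xD5, 0xC9, 0xC0, 0xEE, 0xC0,
    0xDC, 0x88, 0x94, 0x97, 0x96, 0x91, 0x90, 0x93
};

/* XOR is its own inverse: applying the constant again restores the key. */
static void load_key(char out[KEY_LEN + 1]) {
    for (size_t i = 0; i < KEY_LEN; i++)
        out[i] = (char)(encoded_key[i] ^ XOR_CONST);
    out[KEY_LEN] = '\0';
}

/* Longest run of printable ASCII; strings prints runs of 4 or more by default. */
static size_t longest_printable_run(const unsigned char *buf, size_t n) {
    size_t best = 0, run = 0;
    for (size_t i = 0; i < n; i++) {
        run = (buf[i] >= 0x20 && buf[i] <= 0x7E) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

/* Zero the decoded key; volatile stops the compiler from dropping the stores. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

int main(void) {
    char key[KEY_LEN + 1];
    load_key(key);
    printf("stored blob, longest printable run: %zu\n",
           longest_printable_run(encoded_key, KEY_LEN));
    printf("decoded key, length %zu, longest printable run: %zu\n", strlen(key),
           longest_printable_run((const unsigned char *)key, KEY_LEN));
    wipe(key, sizeof key);  /* keep the plaintext in memory only while needed */
    return 0;
}
```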