I'm building a desktop application that connects to a web server and communicates through a socket-based API. I want to ensure I only talk to my application, and not any third-party hacker. Communication is encrypted over HTTPS. In addition, a private/public key pair is used for authentication. Basically, the time, private key, and public key are hashed together and sent to the server with the current time and public key.

I'm concerned that if others reverse engineer the application, they will discover the hashing function, connecting URL, and private key, as normally strings are stored in clear text in compiled applications.

I have two thoughts to mitigate this:

  • Create a function that generates the application-specific private key using a series of mathematical operations.
  • Create a complex (long) secret and then take some modulo of that secret to send to the server (like the Diffie–Hellman key exchange algorithm).

Am I on the right track? How do I keep the secret key secret?

Jason
  • possible duplicate of [How to hide a string in binary code?](http://stackoverflow.com/questions/1356896/how-to-hide-a-string-in-binary-code) – Adam Liss Feb 25 '14 at 22:33
  • If the client's private key gets compromised there is not much that can be done to prevent impersonation. You're not supposed to trust the client's input anyway. – imreal Feb 25 '14 at 23:02

1 Answer

Encryption is not the correct solution. No matter how well you hide the implementation, a determined attacker with a sufficient amount of time can reverse-engineer it.

At the very least, an attacker can determine where the encryption/hashing is done and dump the memory of the process right before that to examine the secrets in plaintext.

Your best bet would be to a) obfuscate the code and add anti-debugging defenses (not perfect, but it will discourage script kiddies and slow down determined attackers) and b) harden as much as you can server-side.

Basically, you can never rely on the client because you don't control it. Your best bet is to make sure any critical processing is done server-side so a custom client can't do anything malicious.

For example, if you were making a multiplayer chess game, you'd want the client to just submit basic actions (a move) and you'd track board state on the server. It doesn't matter if the client is hacked because if an illegal action is submitted, you just return an error.

akirilov
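The server-side pattern from the chess illustration in the answer above, as an added example that is not part of the original answer: the server owns the board, the client submits only a source and destination square, and anything the validator does not recognise is rejected. The names `Game`, `submit` and `err` and the board encoding are hypothetical, and the rules are narrowed to rooks, bishops, queens, knights and kings.

```python
# Added example, not from the original answer. Simplified chess: pawns, castling
# and check are omitted, so those moves are rejected (the validator fails closed).
SLIDE = {"R": [(1, 0), (-1, 0), (0, 1), (0, -1)],
         "B": [(1, 1), (1, -1), (-1, 1), (-1, -1)]}
SLIDE["Q"] = SLIDE["R"] + SLIDE["B"]
STEP = {"N": [(1, 2), (2, 1), (-1, 2), (-2, 1), (1, -2), (2, -1), (-1, -2), (-2, -1)],
        "K": SLIDE["Q"]}

def err(msg):
    return {"ok": False, "error": msg}

class Game:
    """Board state lives only on the server; a client submits (src, dst)."""
    def __init__(self, board):
        self.board = dict(board)  # {(file, rank): "wR"}, constructed position
        self.turn = "w"

    def _reachable(self, src, dst, kind):
        if kind in STEP:
            return (dst[0] - src[0], dst[1] - src[1]) in STEP[kind]
        for sx, sy in SLIDE.get(kind, []):  # unknown piece kinds reach nothing
            x, y = src[0] + sx, src[1] + sy
            while 0 <= x < 8 and 0 <= y < 8:
                if (x, y) == dst:
                    return True
                if (x, y) in self.board:  # path blocked by another piece
                    break
                x, y = x + sx, y + sy
        return False

    def submit(self, player, src, dst):
        """`player` comes from the authenticated session, never from the message."""
        try:
            src, dst = tuple(map(int, src)), tuple(map(int, dst))
        except (TypeError, ValueError):
            return err("malformed move")
        if len(src) != 2 or len(dst) != 2 or not all(0 <= v < 8 for v in src + dst):
            return err("off board")
        if player != self.turn:
            return err("not your turn")
        piece = self.board.get(src)
        if piece is None or piece[0] != player:
            return err("not your piece")
        target = self.board.get(dst)
        if (target and target[0] == player) or not self._reachable(src, dst, piece[1]):
            return err("illegal move")
        self.board[dst] = self.board.pop(src)  # only the server mutates state
        self.turn = "b" if player == "w" else "w"
        return {"ok": True}
```

A modified client can send any `(src, dst)` it likes; the only outcomes are a legal state change or an error response.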