3

I use the CryptoStream class to encrypt a text. If I want to decrypt it, I have to know the key and the iv so I can get the original text back, but where do I save them, so that they cannot be stolen?

With tools such as cheat engine, you can read values from the RAM of other programs and when I save the key/iv in a variable you can read them too. Is there a way to prevent that? And is there an way to save the decrypted Text instantly in a SecureString? So it is never saved as a plain string?

(I don’t know anything about security associated with c#. If anyone can recommend a crash course or a book, I'd be grateful!)

RenniePet
  • 11,420
  • 7
  • 80
  • 106
MrApfelstrudel
  • 157
  • 10

1 Answers1

1

You can use a tool like Dotfuscator http://www.preemptive.com/products/dotfuscator/overview to obfuscate your source code (a free version is included with Visual Studio but you will need the pro version to encrypt strings). This will prevent malicious users from decompiling your code and viewing the key/iv.

Another option is to use the .NET DPAPI as shown here http://weblogs.asp.net/jongalloway/encrypting-passwords-in-a-net-app-config-file. If you use this system, you will need to ensure that the key/iv are placed in the app.config file and encrypted before your deployment build.

As far as I know, there is no way of preventing the unencrypted values from being read into memory, after all, your program needs to send those values to the processor.

MSDN has a good crash course for secure development practices that should help get you started: http://msdn.microsoft.com/en-us/security/aa570401.aspx

JTW
  • 3,546
  • 8
  • 35
  • 49