-1

Let's say I want to encrypt and decrypt texts in my application. Encryption of course uses 'salt', "passphrase"...

How can I securely store it in the app so that people who decompile it won't see it? As you may know, you can decompile .NET code into perfectly fine source code. So any variable with a password can be seen. Any code that creates a password can be seen too.

How can you store static passwords so crackers can't get them in RAM or by decompiling the app?

Lee Taylor
Tommix
  • "how can I securely store it in app so that people who decompile .NET app won't see it?" - **you can't**. – Dai Nov 29 '20 at 00:37
  • You may store (randomly generated) salt/iv, either as prefix/suffix to encrypted data but never store the key locally. Use e.g. user's credentials hash as a key but never store it. Also consider DPAPI, it can be useful in some cases. – aepot Nov 29 '20 at 00:59

1 Answer

4

> How you store static passwords so crackers can't get them in RAM or by decompiling app?

You can't and you shouldn't.

Instead use a machine-specific or user-specific secret that's secured using a system feature such as the TPM, a client certificate, a user's password, or DPAPI.

DPAPI is the most straightforward to use: https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection

Using hardware cryptographic features in .NET is easy too: https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-access-hardware-encryption-devices - but not all computers will have them.

Using the TPM is probably the hardest approach: Controlling TPM with C#

Dai
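The DPAPI approach from the answer, combined with the random nonce stored as a prefix that aepot's comment suggests, as an added example (not code from the answer, the comments, or the linked Microsoft documentation). It assumes .NET 8 on Windows with the System.Security.Cryptography.ProtectedData package; the `LocalSecretStore` class, the `ExampleApp` folder and the `data.key` file name are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Assumes .NET 8 on Windows (System.Security.Cryptography.ProtectedData package).
static class LocalSecretStore
{
    // Hypothetical per-user location for the DPAPI-wrapped key.
    static readonly string Dir = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "ExampleApp");
    static readonly string KeyPath = Path.Combine(Dir, "data.key");

    // Random AES key, created on first run and only written to disk wrapped by DPAPI,
    // so no secret is compiled in. Code running as the same user can still unprotect it.
    static byte[] GetKey()
    {
        if (File.Exists(KeyPath))
            return ProtectedData.Unprotect(File.ReadAllBytes(KeyPath), null, DataProtectionScope.CurrentUser);
        byte[] key = RandomNumberGenerator.GetBytes(32);
        Directory.CreateDirectory(Dir);
        File.WriteAllBytes(KeyPath, ProtectedData.Protect(key, null, DataProtectionScope.CurrentUser));
        return key;
    }

    // Blob layout: nonce (12 bytes) || tag (16 bytes) || ciphertext.
    public static byte[] Encrypt(string text)
    {
        byte[] pt = Encoding.UTF8.GetBytes(text);
        byte[] blob = new byte[28 + pt.Length];
        RandomNumberGenerator.Fill(blob.AsSpan(0, 12)); // fresh nonce per message
        using var aes = new AesGcm(GetKey(), 16);
        aes.Encrypt(blob.AsSpan(0, 12), pt, blob.AsSpan(28), blob.AsSpan(12, 16));
        return blob;
    }
    public static string Decrypt(byte[] blob)
    {
        byte[] pt = new byte[blob.Length - 28];
        using var aes = new AesGcm(GetKey(), 16);
        // Throws CryptographicException (tag mismatch) if the blob was modified.
        aes.Decrypt(blob.AsSpan(0, 12), blob.AsSpan(28), blob.AsSpan(12, 16), pt);
        return Encoding.UTF8.GetString(pt);
    }

    static void Main()
    {
        Console.WriteLine(Decrypt(Encrypt("constructed sample text")));
    }
}
```

Decompiling this assembly reveals the algorithm and the file path but no key; the wrapped key file is only usable under the Windows account that created it.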