0

I have a small scripting engine written which can run basic code. I want that if the user protects the code, then no one should be able to open the code except my program.

Now I found a link: http://www.codeproject.com/KB/aspnet/TamperProofQueryString.aspx which encrypts the code using Base64 encoding. It uses a key to encrypt and decrypt.

I was wondering how can I store the key in my app so that no one else comes to know. I do obfuscate my program so strings, etc. are not easily readable. That helps. Apart from using a variable and storing key in the EXE file itself. What other secure options do I have?

Is my logic of encrypting and decrypting using the method above secure? I want adequate security, maybe not a fantastic one.

Plus the benefit of the code above is it does not need to create a temporary file to decrypt it so that way the user can't search for temporary files or so.

I will be glad if anyone can provide valuable advice.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Greatchap
  • 382
  • 8
  • 21
  • 1
    Does the user have access to the program or is accessed e.g. over a web-service? In the first case there's nothing you can do to archieve perfect security because if the program contains all information to decrypt something, so can the user gain access to it. In the second case you could use public-key encryption to make it 99% secure. – Compuholic Jul 03 '11 at 10:52
  • Though my program has access to my server but security isnt so critical here. I will derive text for key from my program title or something. – Greatchap Jul 03 '11 at 15:40

1 Answers1

2

This question is asked over and over again. In brief, if your application has access to the key, you can make access to the key harder, but not impossible (on general-purpose hardware and software, at least). Even on closed and locked systems like gaming console private keys are sooner or later extracted from the hardware.

In brief: you want to offer the user some kind of software protection for pseudocode. This is the task that has not been reliably solved for native code and for interpreted code this task is probably even more complicated.

Good obfuscation of the key will drive away most not-very-skilled attackers. The simplest way to obfuscate the key is to use some text phrase of your program as a key. This makes operations with the key less obvious for an occasional lurker (professionals know different ways to find the encryption keys in the application).

Another problem is that user's code must be decrypted in order to be executed by your engine, right? And at this moment an average-skilled hacker can just capture the memory and pick the script from memory.

Eugene Mayevski 'Callback
  • 45,135
  • 8
  • 71
  • 121
  • Thanks for your inputs Eugene. Can you explain "The simplest way to obfuscate the key is to use some text phrase of your program as a key.". If I do private Key="xyzabc" . And obfuscate my app, will that be okay. Plus is my algo for encryption fine. – Greatchap Jul 03 '11 at 13:19
  • @Greatchap If you use symmetric encryption algorithm, take some text constant in your application (such as some error message or application title) and derive your key from it (see http://stackoverflow.com/questions/6482883/how-to-generate-rijndael-key-and-iv-using-a-passphrase ), then use known encryption algorithm. The code you referenced is a possible option in your scenario, yes. – Eugene Mayevski 'Callback Jul 03 '11 at 14:16
  • Thanks a lot Eugene. I will derive text for key from some part of my program. – Greatchap Jul 03 '11 at 15:40