Need help with a simple question - Encrypted key in .dll

[suzzieqs]

Hello, my son has asked me to post this question and I'm not real sure if I'm posting in the right forum....if not I am deeply sorry and ask that you please bear with me as this kind of thing is way over my head. here is the question my son has...

"If I put an encryption key inside of a dll will it be safe? Is there any way for anyone to reverse engineer the dll to acquire the encryption key? If there is, then what would be the safest way to hard code an encryption key into a program without it being acquired?"

I thank you for your help and your time.

[Ejaz]

[ Moved Thread ]

[PredicateNormative]

Hello, my son has asked me to post this question and I'm not real sure if I'm posting in the right forum....if not I am deeply sorry and ask that you please bear with me as this kind of thing is way over my head. here is the question my son has...

"If I put an encryption key inside of a dll will it be safe? Is there any way for anyone to reverse engineer the dll to acquire the encryption key? If there is, then what would be the safest way to hard code an encryption key into a program without it being acquired?"

I thank you for your help and your time.

The answer is that it is not safe. The level to which it is not safe depends on how you put the key into the dll. If your encryption key is in the dll in the form of a string literal e.g:

Code:

const char* encryption_key = "MYENCRYPTIONKEY001";

then the chances are, that a hacker would not even need to attempt to reverse engineer the dll, they may be able to simply open up the dll in an editor such as Emacs and somewhere in the binary they would see "MYENCRYPTIONKEY001". In this case, the person would not need to be particularly competent to extract your key.

If you are more clever about it though, and store the encryption key in a number of variables and construct the key from those variables at runtime, then although it is still possible to extract the key, it would be harder.

What I mean is, that you could write a program that will tell you how many variables you will need and the values of those variables to hide in your application for a particular key e.g.

Code:

#include <iostream>
#include <vector>
#include <string>
#include <cstring>
#include <algorithm>
#include <iterator>
#include <stdexcept>

std::vector<int> hideEncryptionKey(const std::string& key)
{
  size_t hiddenKeySize = ((key.size()+sizeof(int)-1)/sizeof(int)) + 1;

  std::vector<int> hiddenKey(hiddenKeySize);

  hiddenKey[0] = key.size();

  if(!key.empty())
  {
    int* destination = &hiddenKey[1];
    const char* source = &key[0];

    memcpy(destination, source, key.size());
  }
  return hiddenKey;
}

int main(int argc, char** argv)
{
  try
  {
    if(argc != 2)
    {
      throw std::runtime_error("Usage [program] [key]");
    }

    std::vector<int> hiddenKey = hideEncryptionKey(argv[1]);

    std::cout << "To hide \"" << argv[1] << "\", " << hiddenKey.size() << " variables are required with the following values:\n";
    std::copy(hiddenKey.begin(), hiddenKey.end(), std::ostream_iterator<int>(std::cout, "\n"));
  }
  catch(std::exception& e)
  {
    std::cout << e.what() << std::endl;
  }
  catch(...)
  {
    std::cout << "Unknown exception caught!" << std::endl;
  }
  std::cin.get();
}

If I run the above program with the argument "HelloWorld", it will respond with the output:

To hide "HelloWorld", 4 variables are required with the following values:
10
1819043144
1919899503
25708

I now know that I need do define 4 integer values in my program with the above values. I can place these values within my program and use another function to decode the variables into the original key. e.g.

Code:

#include <iostream>
#include <vector>
#include <string>
#include <cstring>
#include <stdexcept>

std::string extractEncryptionKey(std::vector<int>& hiddenKey)
{
  std::string encryptionKey;
  if(!hiddenKey.empty())
  {
    if(std::vector<int>::size_type(hiddenKey[0]) > ((hiddenKey.size()-1)*sizeof(int)))
    {
      throw std::runtime_error("The size of the hidden key is inconsisted with the reported size");
    }

    std::vector<char> key(hiddenKey[0]);

    if(!key.empty())
    {
      char* destination = &key[0];
      int* source = &hiddenKey[1];

      memcpy(destination, source, key.size());
    }
    encryptionKey.assign(key.begin(), key.end());
  }
  return encryptionKey;
}

int main()
{
  try
  {
    //Hard coded hidden key    
    int var1 = 10;
    int var2 = 1819043144;
    int var3 = 1919899503;
    int var4 = 25708;


    //construct a vector from the hidden key variables
    std::vector<int> hiddenKey;
    hiddenKey.push_back(var1);
    hiddenKey.push_back(var2);
    hiddenKey.push_back(var3);
    hiddenKey.push_back(var4);

    std::cout << "The encryption key is: " << extractEncryptionKey(hiddenKey);

  }
  catch(std::exception& e)
  {
    std::cout << e.what() << std::endl;
  }
  catch(...)
  {
    std::cout << "Unknown exception caught!" << std::endl;
  }

  std::cin.get();

};

As far as I understand, there are two ways in which a hacker could get the key from such a program, the first would be to reverse engineerit, and with a fair amount of analysis (if you have hidden the key well) they could reconstruct the key. But they would probably attempt it another way and that is to scan the processes memory at runtime and they may be able to extract it that way. You can do some things that will reduce their ability to extract the key, such as only create that key in dynamic memory when you need it, and as soon as you have compared the key, over write the dynamic memory with something else before freeing it. This means that the key will only be reconstructed momentarily and then destroyed, reducing the chances of a hacker retrieving your key through scanning the process.

The most secure way is to use hardware encryption. But I expect that isn't an option. I hope that helps.

EDIT:

By the way, I forgot to say, in the second program (the one with the hard coded hidden key variables, don't declare them in order like I have, but change their order and if possible intersperse them with other variable declarations. The reason being is that simply putting them together and in order still means that the key can still be read in sequence, which means that it would be easy to extract.