All geek questions in one place

How to write a "truly" private method in C #?

In fact, private methods are implemented in C #, which can still be found using Reflection .

What I'm going to do is write the public string Encrypt(string data) and private string Decrypt(string cipher) methods to perform encryption and decryption.

Unfortunately, if someone knows the .NET platform, they can use Reflection to search for Decrypt methods and decrypt everything that is encrypted.

It seems that it is not so safe. Therefore, I want to make a Decrypt method for a truly private method.

But how to do that?

Updated Jan 09, 2012 10:52 pm Sydney Time

bdares provides a technical explanation for this.

Eric Lippert gives a political explanation for this issue

Thanks to both experts!

+4
source share
5 answers

You can not. If an attacker has access to your code, compiled or source, he can track your program and find where it is encrypted or decrypted.

You can add a security level by storing the key in a separate place, but usually, if an attacker executes the code on your server, you are already screwed.

(This only worries you if the attacker executes the code on your server, because otherwise it does not matter if this method is private or not. In addition, it cannot use reflection to search for method names, unless it executes the code on your server. In short: you're worried about what's wrong here. )

+16
source

Your main problem is the wrong trust model. If someone can use reflection, then this is the user. You are a software provider. You work for them. Trust is spent from them, not from you. This is the person who should trust you, not you.

If you do not trust the user, do not sell them your software in the first place. Do not sell weapons to people who you think are planning to attack you.

+15
source

I believe that you are referring to obfuscation , which is an attempt to hide / hide the code from reading by people when opening in a program, for example Reflector. Delivered to Visual Studio - this is a community license for PrecEmptive Solutions prefectural solutions, which will provide this functionality for small projects, as well as for Windows Phone projects (if you download the add-in). Commercial platforms from the same supplier and others are also available.

This blog post explains a little more .

+2
source

If you create your own encryption method, you are doing it wrong. People who know more about encryption than you or I have already come up with great encryption methods, and MS has already implemented most of them.

For good encryption, keys, not a method, make encryption secure. Keep your keys safe and the algorithm can (and should) be published for everyone to see.

If you try to distribute both content and store them in an encrypted form, such as DRM, you are most likely doomed to failure if you cannot keep the keys very well hidden on the hardware, and even that only you will buy you some time - - maybe maybe months, maybe years.

+1
source

I am not sure about your specific application. But if you are selling a product to a customer who will use encryption and decryption in their own system, then there is no way to keep the encryption secret secret. But you can instead let them generate a new private key for your own use. Thus, each customer’s data is “secure” with respect to other customers; although obviously still not as secure on the same customer site. In other situations, when you manage encrypted content, you can also consider creating a private master key that will be created on your side and allowing the client a public key.

0
source

Source: https://habr.com/ru/post/1389997/

More articles:


All Articles