Encrypt Password in C Source Code

Is there a way to save a static password in a way that is hard to find in a compiled application?

Two different applications are needed for this. One of them is a lightweight FTP client for Windows, which connects to only one hard-coded server. The other is an Objective-C game, which allows users to create level packs and use passwords to save them. They can be played without a password, but not opened in the level editor. I encrypt the passwords using AES, but I need to somehow save the password used for decryption.

The only idea I have found so far is to save the password not as one line, but as several lines. This may work well for the game, because I can just plug in the lines that already exist. Or I could save it as a long line and use a secret algorithm to get the password from this line, although this begs the question: can C applications on Windows or Cocoa applications on OS X just decompile to find this algorithm?

Are there any safer ways to do this?

+4
3 answers

String literals are usually stored somewhere in the binary, even in compiled C.

What you can do is something similar to how (correctly implemented) web applications check login information that is stored in a database: just save the password in hashed form. Often the method used is MD5 + salt (here is a description and some sample PHP code). Instead of transmitting or saving the plaintext password, take just the hash from the user and check it against the stored hash value. Matching hashes correspond to matching passwords.

EDIT

This will not help with the FTP server, since you cannot change its source code...

-2

can C applications on Windows or Cocoa OS X applications simply decompile to find this algorithm?

Yes, anything made by one person can be broken by another. Never use reversible algorithms to store sensitive data: they will be reconstructed. You can store hashes, as sidran32 wrote, but this will not help you with the client.

+2

Why suffer the pain of decompilation? A simple

$ strings <binary>

will do it :) Storing your passwords in code will never work: you can split them, encode them, encrypt them however you like; there will be a moment when you need to put the pieces together to check them. And that is exactly the moment when an attacker attaches, possibly with a debugger. I gave an answer to a similar question with more detailed information.

The only reliable way is to store passwords as out-of-band information, outside of your code (or binary). The kind of DRM you have in mind never works for long, as millions of cracked Microsoft and other products prove.

+2
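As an added illustration (not part of the original thread) of why this answer needs no decompiler: a small C reimplementation of what strings(1) does, run over a constructed byte array standing in for a slice of a binary's read-only data with a hard-coded credential literal in it. The byte array, the credential value and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Constructed stand-in for part of a compiled binary's .rodata:
 * non-printable bytes with two hard-coded literals in the middle. */
static const unsigned char fake_rodata[] = {
    0x7f, 'E', 'L', 'F', 0x02, 0x01, 0x01, 0x00, 0x00, 0x00,
    'f','t','p','.','e','x','a','m','p','l','e','.','c','o','m', 0x00,
    0x01, 0x02,
    'P','a','s','s','w','0','r','d','!', 0x00,   /* the "hidden" password */
    0xff, 0xfe, 'o','k', 0x00
};
/* Extracts printable runs of at least 4 bytes, the strings(1) default.
 * Returns the number of runs found; copies up to max_out of them into out. */
size_t extract_strings(const unsigned char *buf, size_t len,
                       char out[][64], size_t max_out) {
    size_t found = 0, run = 0;
    char cur[64];
    for (size_t i = 0; i <= len; i++) {            /* i == len flushes the last run */
        int printable = i < len && isprint(buf[i]);
        if (printable && run < sizeof cur - 1) {
            cur[run++] = (char)buf[i];
            continue;
        }
        if (run >= 4) {                            /* end of a long-enough run */
            cur[run] = '\0';
            if (found < max_out) strcpy(out[found], cur);
            found++;
        }
        run = 0;
    }
    return found;
}
/* Returns 1 if the literal can be read straight out of the data, 0 otherwise. */
int literal_is_recoverable(const char *needle) {
    char out[16][64];
    size_t n = extract_strings(fake_rodata, sizeof fake_rodata, out, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        if (strcmp(out[i], needle) == 0) return 1;
    return 0;
}
int main(void) {
    char out[16][64];
    size_t n = extract_strings(fake_rodata, sizeof fake_rodata, out, 16);
    for (size_t i = 0; i < n && i < 16; i++) printf("%s\n", out[i]);
    return 0;
}
```

Running it prints the server name and the password literal, exactly as `strings` would on the real binary; the three-byte "ELF" run and "ok" fall below the length threshold.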

Source: https://habr.com/ru/post/1403955/
