Hiding an encryption pw in code

Level Extreme platform

Subscription

Corporate profile

Products & Services

Support

Legal

Français

Hiding an encryption pw in code

Message

From

18/09/2006 09:34:09

Rodd Harris
New Tribes Mission
Sanford, Florida, United States

23/06/2006 03:42:18

Craig Boyd
Sweetpotato Software
Pipestone, Minnesota, United States

General information

Forum:

Visual FoxPro

Category:

Coding, syntax & commands

Title:

Re: Hiding an encryption pw in code

Environment versions

Visual FoxPro:

VFP 9 SP1

OS:

Windows XP SP2

Network:

Windows 2000 Server

Database:

Visual FoxPro

Miscellaneous

Thread ID:

01130320

Message ID:

01154656

Views:

Hello Craig,

We just ran across vfpenctyption.fll and are planning to implement it. However, we're running into the same question regarding how to protect the key.

You mentioned creating a hash and comparing the hash value of the .fll before using it. I like the idea except that vfpencryption.fll is what houses the hash routine. We also have an MD5.fll hash routine that we picked up somewhere but it would leave us in the same boat.

Do you know of a hash routine written as a .prg that can be used to compare the hash value of the .fll before using it?

Thanks for your help.

Rodd

>I'm glad you are finding the vfpencryption71.fll useful. I wish I had a better answer for you on protecting your secret key.
>
>Beyond obfuscating it by using a technique like Dragan laid out, or reading a portion of a file (such as a bitmap in your application) as your key, or somehow creating a fairly formittable maze of code that reverse engineering would have problems following, etc. ... the answer is NO. There's really no foolproof way of doing this. That having been said here are a few suggestions...
>
>Consider obfuscating the key in some fashion so it does not appear in the source anywhere in plain text.
>
>Consider using a product such as Refox that can give you added protection against decompilation of your source.
>
>Consider creating a hash (message digest) for the VFPEncryption71.fll and checking that before your program makes the call to encrypt/decrypt functions... this will at least keep someone from replacing your fll with a modified version that gives them the secret key or passes them the plaintext derived from the ciphertext.
>
>>I am using the VfpEncryption71.fll and love it. The one thing I can't figure out is a way to hid the passwords in code. What I mean by this is I have a number of fields where I am encrypting the data and I have a common, very strong, password for these. The fields hold things I don't want the customer or anyone else to get to or change. I have it hard coded into the prg and the project is encrypted but I'm sure that can be easly broken. Any suggestions?

Map

View

Click here to load this message in the networking platform