Hacking an encryption key
Message
From
20/05/2022 17:29:36
 
 
To
20/05/2022 12:19:40
General information
Forum: Visual FoxPro
Category: Coding, syntax & commands
Miscellaneous
Thread ID: 01684386
Message ID: 01684388
>Hi all,
>
>First off, sorry for being gone for so long - my largest client asked me to sub in for their IT department for the last 6 months as they "lost" 3 of their guys. So no coding for me since late fall. But I do have a question...
>
>I am using a utility in Rick Strahl's classes to encrypt data strings. Works fine. The utility eventually calls .Net encryption routines.
>
>My question is: what would a person need for tools to be able to get the key for the encryption? My key is made up of a long "base" and then for each record in a table, it is unique. Of course, this key gets assembled right before each call into one string.
>
>Is there a way to capture this key even if it is in memory as a var just long enough to call the encryption/decryption routine? If so, what tool would do that? And does the hacker need my source code in order to step through the code to stop on the line that assembles the key? Or can someone just capture every line as it executes and look at the results with some low level debugger?
>
>Sorry, I just don't do this kind of low level work to know the answer.

I'm not sure of a couple of things:
- your technical scenario
- the context of your question

Technical scenario:
- If you have a key as a string literal in a .EXE or .APP, then it may be possible to extract it directly from that file. I understand tools such as ReFox claim to make this more difficult. ISTR John Ryan discussing hacks of supposedly "protected" VFP executables
- In general, if your app can be run in the context of a debugger, or within a virtual machine, then everything it does is visible to the debugger or hypervisor. The "practicality" of extracting data from your app depends on the resources a hacker is willing to apply

Question context:
- Is it just your curiosity?
- Are you trying to sell an app, and the customer is asking "how secure is it?" Are you concerned about your potential liability in case it's not as secure as you may say it is?
- What level of protection do you (or a potential customer) need? Do you want to discourage:
  • Nosy staff
  • Script kiddies
  • Serious hackers
  • Nation-states
- What are the costs of a data breach?
  • Inconvenience
  • Monetary/civil litigation
  • Regulatory or criminal penalties or sanctions
- Is your app required to comply with any formal data security standards?

Regards. Al

"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov

Neither a despot, nor a doormat, be

Every app wants to be a database app when it grows up
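
The first technical point in the reply above, a key held as a string literal in the .EXE or .APP, is something a developer can check against their own build. The following is an added example, not part of the thread and not code from either poster: it searches a build artifact for the key base, or any fragment of it of at least 8 characters, in single-byte form and in UTF-16LE (how .NET holds strings). The function name, the key and the sample bytes are all constructed for illustration.

```python
# Added example: does known key material appear as a literal in a build artifact?
# All names, the key and the sample bytes below are constructed for illustration.

# Single-byte form and UTF-16LE (how .NET holds strings). Assumption: the
# artifact is not packed or otherwise transformed before it ships.
ENCODINGS = ("utf-8", "utf-16-le")


def exposed_fragments(blob: bytes, secret: str, min_len: int = 8):
    """Return one (offset, encoding, fragment) per encoding: the longest
    substring of `secret`, at least `min_len` characters, found in `blob`.
    Fragments matter because a key built from several literals may be
    stored in pieces rather than as one string."""
    hits = []
    n = len(secret)
    for enc in ENCODINGS:
        hit = None
        for length in range(n, min_len - 1, -1):      # longest first
            for start in range(n - length + 1):
                frag = secret[start:start + length]
                off = blob.find(frag.encode(enc))
                if off != -1:
                    hit = (off, enc, frag)
                    break
            if hit:
                break
        if hit:
            hits.append(hit)
    return hits


# Constructed inputs: a made-up key base and three made-up "binaries".
KEY_BASE = "CONSTRUCTED-KEY-BASE-0001"
PAD = b"\xcc" * 16
WHOLE_UTF16 = PAD + KEY_BASE.encode("utf-16-le") + PAD
SPLIT_ASCII = PAD + b"CONSTRUCTED-KEY" + PAD + b"-BASE-0001" + PAD
CLEAN = PAD + b"no key material in this one" + PAD

if __name__ == "__main__":
    for name, blob in (("whole", WHOLE_UTF16), ("split", SPLIT_ASCII), ("clean", CLEAN)):
        found = exposed_fragments(blob, KEY_BASE)
        for off, enc, frag in found:
            print(f"{name}: {len(frag)} of {len(KEY_BASE)} chars at 0x{off:x} ({enc}): {frag!r}")
        if not found:
            print(f"{name}: no fragment of 8+ chars found")
```

A clean result only rules out the literal-in-file case; it says nothing about the debugger or hypervisor case in the reply's second bullet.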