
[C] Using a C app to hide encryption process?


Question

Hey guys, I need a way to encrypt a password for a PHP website (not hash). The actual encryption is done by an external library, but what I'm more worried about is hiding the encryption method and the key inside of the exe file. How hard would it be to decompile the exe and find out how it's being done?

Cheers.

Edited by Pc_Madness

6 answers to this question



I'm not sure if I understand the question right, but if you're asking if you can hide a generic encryption key in your executable that the program will use to decrypt/encrypt some external data, then the answer is no, you cannot. It will be easy to reverse-engineer.


> Hey guys, I need a way to encrypt a password for a PHP website (not hash). The actual encryption is done by an external library, but what I'm more worried about is hiding the encryption method and the key inside of the exe file. How hard would it be to decompile the exe and find out how it's being done?
>
> Cheers.

Spotting encryption is fairly easy: just look for the tell-tale cluster**** of XORs. Unless you're quite clever, a half-way competent developer should be able to find your key in reasonably short order. The fact that you need to ask a question like that leads me to suspect you probably lack the technical ability to make it very difficult for somebody to undo your work.

Fortunately, from the vague description you've given it sounds like you're approaching the problem from the wrong direction. Please describe what you are trying to accomplish: you might be able to avoid this whole "hide my key" nonsense and get a more secure system design for free.


> I'm not sure if I understand the question right, but if you're asking if you can hide a generic encryption key in your executable that the program will use to decrypt/encrypt some external data, then the answer is no, you cannot. It will be easy to reverse-engineer.

Yup, that's the answer I was after, thanks. :) Apparently we're still going to do it this way.. *sigh* :(


> Spotting encryption is fairly easy: just look for the tell-tale cluster**** of XORs. Unless you're quite clever, a half-way competent developer should be able to find your key in reasonably short order. The fact that you need to ask a question like that leads me to suspect you probably lack the technical ability to make it very difficult for somebody to undo your work.
>
> Fortunately, from the vague description you've given it sounds like you're approaching the problem from the wrong direction. Please describe what you are trying to accomplish: you might be able to avoid this whole "hide my key" nonsense and get a more secure system design for free.

Hahah, actually, I fully understand how to do security; my colleagues however feel I'm being paranoid and wasting their time by being concerned about it. (hmph..)

Ok, the situation is thus (hopefully it makes sense, it's damn tricky :p),

Router-like device which controls things in hotel rooms (I guess I can't say more than that :\) which has no external way of resetting the password (I know, it sucks, but I didn't find out till late that it was physically possible with the board - the web developer has to point out these things to the hardware guys :\).

The device is managed by a company who can remotely access the machine (SSH tunnel). They're able to reset the passwords for the two accounts on the machine that people on site will use if they forget them. If the "Manager" (remote guy) forgets his password, he/she would navigate to a page via the tunnel which would display the encrypted password, put it through a decryptor (or email it to us) and be able to log in using a hidden account, reset their password and log out again. Since the password would be encrypted by a single key, I've got the encrypted pass only being available to users via the tunnel, which prevents network users from viewing it and decrypting it.

The problem lies in that not all machines will be remotely accessible, and they will exist on the same network as guests (I presume). So in order for a person to reset the password on site, they would have to have the encrypted password available to everyone on the network, and then email it to the Manager guy who would decrypt it and return it to them.

So in order for someone to find the key they would need physical access to the machine, pull out a CF card (a few screws hold the thing together), browse through my PHP source, find that I'm calling an external C app to do the encryption, decompile it, and then they could get access to any machine with the key + algorithm.

The machines won't be widely available, mainly businesses, but it only takes one person to figure it out and put it on the internet and then we have a problem. :(

It's a complicated one. :\ Personally I would be much happier if the user didn't need to contact us / the "manager" at all to reset the password, but...



I had to work on a similar problem a few years ago: it was basically a VoIP exchange system that had to allow for password recovery in the event that some local admin locked himself out of the normal administration interface.

The system we ended up going with was a challenge/response using PKI: I generated an OpenSSH key-pair and tossed the public key on the device itself. The private key was kept squirreled away at our company.

When you needed to reset the password for the device you would telnet* in on some screwy port. It would generate some random string (MAC address merged with the date and a few chars from /dev/random), then encrypt it using the private key and display it on screen.

On our end we'd take that encrypted string and decode it with our half of the key-pair. The user at the device itself would enter our decoded version and if it was valid then it would randomly generate a new password for the administrative user.

One thing I thought was really clever: the original string and the encrypted version were mapped to letters/numbers that wouldn't sound the same when read over the phone: ("A B F H I J L M O Q R S U V W Z Y 2 4 5 6 7 8 9"). It made the challenge/response longer but it greatly increased the accuracy of tech support talking somebody through the reset process.

* Yes, telnet: I couldn't get permission to use SSH exclusively even though OpenSSL was already in the ROM.

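The challenge/response reset described in the post above, written out as an added example; it is not code from the post or from the VoIP system it describes. It assumes Go, RSA-2048 with OAEP, a 6-symbol secret, a 15-minute challenge lifetime and a one-guess-per-challenge rule, none of which the post specifies. Since only the public half of the key-pair lives on the device, the device-side step is encryption under the company's public key and the support-desk step is decryption with the private key: the device seals a random secret, shows the ciphertext in the post's phone-safe alphabet, support recovers the secret and reads it back, and the device compares in constant time before issuing a new administrative password.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"math/big"
	"strings"
	"time"
)

const PhoneAlphabet = "ABFHIJLMOQRSUVWZY2456789" // from the post above: symbols that do not sound alike on the phone
const stdDigits = "0123456789abcdefghijklmn"     // big.Int's own base-24 digits, translated to and from PhoneAlphabet

// NewCompanyKey runs once at the company; only the public half is built into the firmware.
func NewCompanyKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// ToPhoneAlphabet renders bytes as base-24 digits over PhoneAlphabet so they can be read aloud.
func ToPhoneAlphabet(b []byte) string {
	std := new(big.Int).SetBytes(b).Text(24)
	return strings.Map(func(r rune) rune { return rune(PhoneAlphabet[strings.IndexRune(stdDigits, r)]) }, std)
}

// FromPhoneAlphabet is the inverse; length is the byte length both sides expect (the RSA modulus size).
func FromPhoneAlphabet(s string, length int) ([]byte, error) {
	if strings.Trim(s, PhoneAlphabet) != "" {
		return nil, errors.New("challenge contains symbols outside the phone alphabet")
	}
	std := strings.Map(func(r rune) rune { return rune(stdDigits[strings.IndexRune(PhoneAlphabet, r)]) }, s)
	n, ok := new(big.Int).SetString(std, 24)
	if !ok || n.BitLen() > length*8 {
		return nil, errors.New("challenge is empty or longer than a ciphertext can be")
	}
	return n.FillBytes(make([]byte, length)), nil
}

// randomSymbols draws n symbols uniformly from PhoneAlphabet using the OS CSPRNG.
func randomSymbols(n int) string {
	out, limit := make([]byte, n), big.NewInt(int64(len(PhoneAlphabet)))
	for i := range out {
		k, err := rand.Int(rand.Reader, limit)
		if err != nil {
			panic(err) // a failing OS CSPRNG is not something a password reset can recover from
		}
		out[i] = PhoneAlphabet[k.Int64()]
	}
	return string(out)
}

// Device is the in-room box: its only key material is the company's public key, so the CF card holds nothing that opens another unit.
type Device struct {
	companyPub *rsa.PublicKey
	pending    string    // secret behind the outstanding challenge, "" if none
	expires    time.Time // assumption: a challenge is good for 15 minutes
}

// NewChallenge seals a fresh short secret for the company and returns the spoken challenge.
func (d *Device) NewChallenge() (string, error) {
	secret := randomSymbols(6)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, d.companyPub, []byte(secret), nil)
	if err != nil {
		return "", err
	}
	d.pending, d.expires = secret, time.Now().Add(15*time.Minute)
	return ToPhoneAlphabet(ct), nil
}

// RedeemResponse checks the value read back from support; the challenge is consumed either way.
func (d *Device) RedeemResponse(resp string) (string, error) {
	if d.pending == "" || time.Now().After(d.expires) {
		return "", errors.New("no valid challenge outstanding")
	}
	ok := subtle.ConstantTimeCompare([]byte(resp), []byte(d.pending)) == 1
	d.pending = "" // one guess per challenge: no replay, no online brute force
	if !ok {
		return "", errors.New("response does not match")
	}
	return randomSymbols(12), nil // the new administrative password
}

// CompanyAnswer is the support-desk side; the private key never leaves the company.
func CompanyAnswer(priv *rsa.PrivateKey, challenge string) (string, error) {
	ct, err := FromPhoneAlphabet(challenge, priv.Size())
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	return string(pt), err
}

func main() {
	priv, _ := NewCompanyKey()
	dev := &Device{companyPub: &priv.PublicKey}
	challenge, _ := dev.NewChallenge()        // read aloud to support
	resp, _ := CompanyAnswer(priv, challenge) // read back by support
	pw, err := dev.RedeemResponse(resp)
	println(pw, err == nil)
}
```

Pulling the CF card and taking the firmware apart yields only the public key, which cannot answer a challenge, so the worry that started this thread (a shared key and algorithm inside a C app that unlocks every unit once found) has nothing left to find. What remains to protect is the private key at the company, and the cost is the one the post mentions: a 2048-bit ciphertext is roughly 450 symbols in this alphabet, so the challenge is long to read out, while the six-symbol answer and the constant-time, single-use check keep the spoken part short and a guessed response useless.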

This topic is now closed to further replies.