Could a hacker achieve this? - ASP.NET Security


  1. #1

    Could a hacker achieve this?

    Hello.

    If I have this line of code inside my ASP.NET app:

    EncryptTripleDES("String to encrypt", "MySecretKeyXYZ!!!")

    Can a very experienced hacker do either of the following:

    1. "Steal" the DLL from the server, then reverse engineer the DLL in
    order to obtain the hard coded key above.

    2. (Much more clever) kind of "listen in to / tap in to" the DLL as
    it is actually executing on the server, and then kind of "syphon off"
    the data that is flying about the machine's data ports, in order to
    "catch / filter off" the secret key.

    -Frameworker.
    Framework fan Guest

  2. #2

    Re: Could a hacker achieve this?


    "Framework fan" <tempframeworkfanhotmail.com> wrote in message
    news:f109ac80.0404100653.7a9ba1c2posting.google.com...
    > Hello.
    >
    > If I have this line of code inside my ASP.NET app:
    >
    > EncryptTripleDES("String to encrypt", "MySecretKeyXYZ!!!")
    >
    > Can a very experienced hacker do either of the following:
    >
    > 1. "Steal" the DLL from the server, then reverse engineer the DLL in
    > order to obtain the hard coded key above.
    >
    Depends on how tightly your ACL is enforced at your server where the DLL is
    hosted. I would check this first to make sure only the intended users have
    access to it. I would obfuscate my code if it is that sensitive. Hardcoding
    a secret key in an application is a common practice. Just name things
    differently than suggested by some best programming practices to make life
    harder for hackers. This means that in some cases, you need to be abnormal
    in your programming style.
    > 2. (Much more clever) kind of "listen in to / tap in to" the DLL as
    > it is actually executing on the server, and then kind of "syphon off"
    > the data that is flying about the machine's data ports, in order to
    > "catch / filter off" the secret key.
    >
    Chances for this to happen are very slim unless there is insider help.

    John


    WJ Guest

  3. #3

    Re: Could a hacker achieve this?

    Stealing the DLL is one task and probably the hardest. As was mentioned in
    another post, it depends on how you have your security configured. If we
    assume a standard .Net app with the DLL in the bin folder, no explicit ACL
    set by yourself, then while it is possible, it's not too easy. The more your
    machine is locked down, the harder it is for a hacker to get in and grab
    some code libraries.

    Now if we assume that the hacker has gained entry to your machine and can
    get your assemblies, then how hard would it be to have a look at your secret
    code? Well, without obfuscating your code, it would actually be quite easy.
    Obfuscating your code makes it considerably harder, but certainly not
    impossible. John mentioned that hardcoding the secret key is quite common,
    but it is bad practice. Ideally, you should probably extract it from
    somewhere that keeps it in an encrypted form also. Ideal for this situation
    is the DPAPI libraries. Typically, you can decrypt data only on the machine
    it was encrypted on (or only by the user it was encrypted by), with DPAPI
    handling the key storage for you. So if the hacker got your code, it would
    simply be referencing a key on the local machine, which is also encrypted.
    If the hacker then manages to get that encrypted key, they can't decrypt on
    any other machine, so it's useless to them.

    So you could either use DPAPI for all your encryption needs or just to
    store/encrypt the encryption key that you will be using. DPAPI is an
    unmanaged set of libraries/functions, but there is a managed wrapper with
    example code to be found here:
    http://weblogs.asp.net/pglavich/archive/2004/03/15/89687.aspx


    --
    - Paul Glavich
    Microsoft MVP - ASP.NET



    Paul Glavich [MVP - ASP.NET] Guest
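One way to do what Paul describes, as an added example that is not code from the thread or from the linked wrapper: generate the 3DES key once, store it DPAPI-protected on disk via System.Security.Cryptography.ProtectedData (the managed DPAPI API that shipped with .NET 2.0, so the unmanaged wrapper is no longer needed), and load it at runtime so no key literal is compiled into the DLL. The key file path, the entropy bytes and the class and method names are assumptions.

```csharp
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread or the linked wrapper. The key file
// path, the entropy bytes and the class/method names are assumptions.
public static class KeyStore
{
    // Optional entropy: a second value mixed into DPAPI, so a copy of the key
    // file alone is not enough even on the same machine. Constructed sample.
    static readonly byte[] Entropy = { 0x5a, 0x17, 0xc3, 0x9e, 0x42, 0xd1, 0x08, 0x7b };
    // First-run setup: generate a random 3DES key and store it DPAPI-protected.
    // The file holds an opaque blob that only this machine can unprotect.
    public static void CreateKeyFile(string path)
    {
        using (TripleDES tdes = TripleDES.Create())
        {
            tdes.GenerateKey();                                  // 24 random bytes
            byte[] blob = ProtectedData.Protect(tdes.Key, Entropy,
                                                DataProtectionScope.LocalMachine);
            File.WriteAllBytes(path, blob);
        }
    }
    // Runtime: unprotect the key; throws CryptographicException on any other machine.
    public static byte[] LoadKey(string path)
    {
        return ProtectedData.Unprotect(File.ReadAllBytes(path), Entropy,
                                       DataProtectionScope.LocalMachine);
    }
    // The question's EncryptTripleDES, keyed from LoadKey() instead of a string
    // literal compiled into the DLL (3DES kept because the question uses it).
    public static byte[] EncryptTripleDES(string plaintext, byte[] key)
    {
        using (TripleDES tdes = TripleDES.Create())
        using (MemoryStream ms = new MemoryStream())
        {
            tdes.Key = key;
            tdes.GenerateIV();                                   // fresh IV per message
            ms.Write(tdes.IV, 0, tdes.IV.Length);                // prepend IV to ciphertext
            using (CryptoStream cs = new CryptoStream(ms, tdes.CreateEncryptor(),
                                                      CryptoStreamMode.Write))
            {
                byte[] data = Encoding.UTF8.GetBytes(plaintext);
                cs.Write(data, 0, data.Length);                  // Dispose flushes the final block
            }
            return ms.ToArray();                                 // valid after the stream is closed
        }
    }
}
```

LocalMachine scope means any process on that server, not just the ASP.NET worker, can call Unprotect, so this defeats the copied-DLL case from the question but not an attacker already running code on the box (the insider case John mentions); DataProtectionScope.CurrentUser narrows it to the worker process identity, and the key file still needs the ACL WJ recommends.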

  4. #4

    Re: Could a hacker achieve this?

    Thank you for everyone's input.

    Framework fan Guest
