secret key string visible in dll


  1. #1

    secret key string visible in dll

    hi,
    i am using 3des encryption with a secret key to send information between 2 aspnet applications. they both know the key, which is a hard-coded string. i have read about using aspnet-setreg to securely store such a value in the registry, but i have a different query.
    if i open the dll in notepad, i can read the secret key, which obviously is no good. i tried changing the code to use a number as the secret key, calling .ToString() on the number. I then recompile and open up the dll in notepad and i can't find the number, which seems better. i don't know a thing about disassembling .net executables, so i'd like to know if the key is safe, hard-coded in the dll, in numeric form?

    granted a numeric key has less combinations than a string version, but adding more digits will go some of the way to help that.

    thanks for any help
    tim mackey.
    Tim Mackey Guest

  3. #2

    Re: secret key string visible in dll

    With a tool like Reflector or Anakrino, it would be trivially easy to
    decompile your assembly to discover how you are getting the key if it is
    hard coded in the assembly. However, if you can protect access to the
    assembly, then this may still be safe. It really depends on who will have
    access to it.

    Storing secrets is a very hard problem.

    Joe K.

    "Tim Mackey" <anonymous@discussions.microsoft.com> wrote in message
    news:7A875CEA-DD4E-4DB8-8397-3D6FC41F06AC@microsoft.com...
    > hi,
    > i am using 3des encryption with a secret key to send information between 2
    > aspnet applications. they both know the key, which is a hard-coded string.
    > i have read about using aspnet-setreg to securely store such a value in the
    > registry, but i have a different query.
    > if i open the dll in notepad, i can read the secret key, which obviously
    > is no good. i tried changing the code to use a number as the secret key,
    > calling .ToString() on the number. I then recompile and open up the dll in
    > notepad and i can't find the number, which seems better. i don't know a
    > thing about disassembling .net executables, so i'd like to know if the key
    > is safe, hard-coded in the dll, in numeric form?
    >
    > granted a numeric key has less combinations than a string version, but
    > adding more digits will go some of the way to help that.
    >
    > thanks for any help
    > tim mackey.

    Joe Kaplan (MVP - ADSI) Guest

  4. #3

    Re: secret key string visible in dll

    Hi Joe,
    many thanks for the clarification. i thought i might have stumbled on a good way of storing secret keys, as numbers, but it's re-assuring to hear from an expert that it still wouldn't be secure if access to the assembly file was compromised.

    cheer
    ti

    Tim Mackey Guest
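Why the numeric key disappears from Notepad yet stays in the assembly, as an added example that is not part of the original thread: a .NET compiler stores a string literal as UTF-16LE text in the `#US` heap, while an integer literal becomes the little-endian operand of an `ldc.i4` or `ldc.i8` instruction. The check below can be run over build output to confirm that a known key is not embedded; the key values, the sample bytes and the function names are constructed for illustration.

```python
import struct

# ECMA-335 CIL opcodes that carry an integer immediate (little-endian operand).
LDC_I4 = 0x20  # ldc.i4 <int32>
LDC_I8 = 0x21  # ldc.i8 <int64>

def _find_all(blob: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in blob."""
    hits, i = [], blob.find(needle)
    while i != -1:
        hits.append(i)
        i = blob.find(needle, i + 1)
    return hits

def find_string_literal(blob: bytes, secret: str) -> dict:
    """Look for the key as ASCII and as UTF-16LE (the #US heap encoding)."""
    return {
        "ascii": _find_all(blob, secret.encode("ascii")),
        "utf-16le": _find_all(blob, secret.encode("utf-16-le")),
    }

def find_int_literal(blob: bytes, value: int) -> list:
    """Look for the key as the operand of ldc.i4 (int32) or ldc.i8 (int64)."""
    if -2**31 <= value < 2**31:
        pattern = bytes([LDC_I4]) + struct.pack("<i", value)
    else:
        pattern = bytes([LDC_I8]) + struct.pack("<q", value)
    return _find_all(blob, pattern)

def build_sample(secret: str, number: int) -> bytes:
    """Constructed stand-in for a compiled assembly: one method body plus one #US entry."""
    us = secret.encode("utf-16-le")
    heap = bytes([len(us) + 1]) + us + b"\x00"         # length, chars, flag byte
    il = b"\x72\x01\x00\x00\x70"                       # ldstr 0x70000001
    il += bytes([LDC_I4]) + struct.pack("<i", number)  # ldc.i4 <number>
    il += b"\x2a"                                      # ret
    return b"\x00" * 16 + il + b"\x00" * 16 + heap

if __name__ == "__main__":
    blob = build_sample("MySecretKey123", 123456789)   # constructed key values
    print("decimal text present:", b"123456789" in blob)
    print("string literal:", find_string_literal(blob, "MySecretKey123"))
    print("ldc.i4 operand at:", find_int_literal(blob, 123456789))
```

To scan a real build, pass the bytes of the compiled DLL in place of the `build_sample` output.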
