I have a bunch of AES256-encrypted ZIP containers (using DotNetZip), and I am writing a program to help the user understand what is inside them. I would ship the “Launcher” program with XML doc which I am also encrypting the “metadata” so to speak in AES256 as well. I was considering encrypting the password to the various (1-10+ zip files) in a strong AES256 string within the XML document for convenience (so the user only has to enter it once). It unsettles me, but what little “usability” tests we have done has shown people don’t want to enter a password 7 times.
So, assuming the string is fully encrypted within the XML/dat/whatever file, how much do I detour the other “factors” within my program? I would have to hard-code the decryption/IV/salt/etc (or at least pass it to a deypcrtion method) no?
I’ve been trying to understand what things like DotNetCrack (http://www.dotnetcrack.com/) can easily get from my program. I know that nothing is perfect and memory dumping is a huge problem, but I want to at least detour the really easy “script kiddie” sort of stuff.
I’ve looked at secure-string, but it seems like a silly solution in-so-far you have to decrypt eventually anyways.
EDIT for clarity — The ZIP files are self-extractors, e.g. just zip files wrapped into the EXE. They may be zips, either way it doesn’t matter. My program is just to help somebody extract all the contents without having to click each one AND help them navigate through the ZIPs which may be confusing to a novice user.
All my program is doing is reading the XML file with “data” about each zip (e.g. zip001 is “information from john smith etc etc” — but the zip file name is something like BOBSMITH_INFO_001.EXE (.zip).
how much do I detour ?! that’s the question. when we talk about obfuscation e battle between cracker and programer never ends so basically as much as you can. to stop a script kiddie the basic technics like hardcoding an encrypted version of key and decrypting it before use should work but then again that depends on how motivated your script kiddie is!
that said you can check Reflector and ILDASM (in vs tools) to see that any hardcoded string is found in few seconds! you should also know that the .net is compiled to IL which is a very high level and hence easy to read intermidiate language. so a very simple obfuscation like XOR ing the key and hardcoding it is easy to track even by a script kidie.
As for the solution, use multi levels of encryption. keep the key splited in multiple places encrypted. and even better try write an algorithm that generates the key in runtime. after you did all that, Use an Obfuscator to complicate the thing even further.
Good luck.