Is this encryption class sufficiently secure? Or can someone disassemble my binary to find the key and IV? I’m using it to decrpyt license files so it’s quite important that it can’t be easily broken.
internal static class Encryptor
{
// Actual values are put here in my source
private static readonly byte[] Key = { 0, 0, 0, 0, 0, 0, 0, 0 };
private static readonly byte[] Iv = { 0, 0, 0, 0, 0, 0, 0, 0 };
internal static String Encrypt(string source)
{
var des = new DESCryptoServiceProvider();
var enc = des.CreateEncryptor(Key, Iv);
var b = Encoding.ASCII.GetBytes(source);
var encId = enc.TransformFinalBlock(b, 0, b.Length);
return Convert.ToBase64String(encId);
}
internal static string Decrypt(string encrypted)
{
var des = new DESCryptoServiceProvider();
var dec = des.CreateDecryptor(Key, Iv);
var b = Convert.FromBase64String(encrypted);
var decId = dec.TransformFinalBlock(b, 0, b.Length);
return Encoding.ASCII.GetString(decId);
}
}
This is similar to this question and this one, but neither seem to have a clear answer (as far as I can understand – and I admit to being a complete beginner on this topic). Please advise. 🙂
Yes, this is easily broken. Any developer with knowledge of tools such as Reflector (or ILSpy, or dotPeek, or …), will have no trouble identifying the encryption function and finding your key. Someone who has the assembly will even be able to call
Decryptdirectly, not bothering with extracting the key.Is it sufficiently secure ? It depends, only you can answer that. If this is for licensing, it is the equivalent of putting a sticker on a box saying “Don’t copy my software”. On the other hand, making a robust licensing scheme that is hard to break for an experienced and determined attacker, is a large undertaking, and you might want to consider if it is worth the effort. Personally, I would invest my time in making the software so awesome, that people will want to pay for it, rather than stopping a small number of bad guys from using it unlicensed.