LinuxQuestions.org
Old 12-31-2006, 12:38 PM   #1
andystanfordjason
Member
 
Registered: Oct 2006
Location: england
Distribution: fedora 6
Posts: 38

Rep: Reputation: 15
Safely including private key in application


Hi,
I'm writing an app that needs to be able to decrypt files encrypted by my web server. Is there a safe way to include the private key in my compiled application so that a user/hacker will be unable to extract it from the compiled code?

Cheers
 
Old 12-31-2006, 01:56 PM   #2
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,399
Blog Entries: 2

Rep: Reputation: 908
I'm no security expert, but I do know a little about programming, and a little about reverse engineering of compiled code. If your key is embedded directly in the object code, say as a static array of integers or characters, it would be possible to find and extract that array from the object code. That is not to say it would be obvious which bytes within the object module would constitute it, but it would be there. A fairly trivial second level of security would entail encrypting the key prior to compiling the source code, and then decrypting the key at runtime. This would prevent the key from being stored 'as-is' within the object code. Depending upon how you perform the runtime decryption, it may still leave the key exposed as a complete entity within a memory image, which may get created as a core dump, or other deliberate tactic used to reverse engineer your code. You may be able to defeat this approach somewhat, by having your decrypted key stored in scattered locations in memory, or by never storing the fully decrypted key at any one time.
Hope this helps, and I hope a real expert can add to this discussion.

--- rod.
 
Old 12-31-2006, 01:59 PM   #3
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Why wouldn't you use the public key in the app and have the webserver encrypt with the private key?
 
Old 01-01-2007, 03:17 AM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Quote:
Originally Posted by Hangdog42
Why wouldn't you use the public key in the app and have the webserver encrypt with the private key?
OP said he needs to decrypt files that have already been encrypted. Decryption requires the private key.

As theNbomr mentioned you could encrypt the private key and include it in your binary. Another option would be to store the private key in a separate keystore vault, also encrypted. You would of course need to read a key to decrypt the keystore (whether it's in executable binary, or separate). Basically your options there are to read a string from a root:root -r------- mode file, or require the operator to type in a passphrase when the application starts up (assuming it's running as a daemon).
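
The file-based option from the post above, as an added example that is not part of the original thread: before trusting a secret read from disk, check that the file really is a regular file with the expected owner and mode 0400. The names `load_secret`, `demo` and the `KEY_*` codes are hypothetical, and the expected owner is passed as a parameter (root in the post's setup).

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { KEY_OK = 0, KEY_OPEN = -1, KEY_TYPE = -2, KEY_OWNER = -3,
       KEY_MODE = -4, KEY_READ = -5 };   /* names are this example's own */

/* Read the keystore passphrase from `path` into buf, but only if it is a
 * regular file owned by `owner` whose sole permission bit is owner-read. */
int load_secret(const char *path, uid_t owner, char *buf, size_t len)
{
    struct stat st;
    ssize_t n = 0;
    int rc = KEY_OK;
    /* O_NOFOLLOW refuses a symlink planted as the final path component. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return KEY_OPEN;
    /* fstat() the descriptor so the checks cover the file actually opened. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))
        rc = KEY_TYPE;
    else if (st.st_uid != owner)
        rc = KEY_OWNER;
    else if ((st.st_mode & 07777) != S_IRUSR)   /* anything but 0400 */
        rc = KEY_MODE;
    else if (len < 2 || (n = read(fd, buf, len - 1)) <= 0)
        rc = KEY_READ;
    else {
        buf[n] = '\0';
        buf[strcspn(buf, "\n")] = '\0';   /* drop trailing newline */
    }
    close(fd);
    return rc;
}

/* Constructed demo: temp file with sample secret and the given mode. */
int demo(mode_t mode, uid_t owner)
{
    char path[] = "/tmp/keydemoXXXXXX", buf[64] = "";
    int rc, fd = mkstemp(path);
    if (fd < 0) return KEY_OPEN;
    rc = (write(fd, "s3cret\n", 7) != 7 || fchmod(fd, mode) != 0)
             ? KEY_READ : load_secret(path, owner, buf, sizeof buf);
    close(fd);
    unlink(path);
    return (rc == KEY_OK && strcmp(buf, "s3cret") != 0) ? KEY_READ : rc;
}
```

This only protects the secret from other local accounts; anyone who can run code as the file's owner, or as root, can still read it.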
 
Old 01-01-2007, 07:44 PM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,884
Blog Entries: 4

Rep: Reputation: 3997
Your approach is fundamentally flawed: you cannot "hide" a private-key anywhere and expect it not to be discovered. You have committed the cardinal sin of "security through obscurity."

You must arrange a system whereby the only key that is embedded into the application is a public one.

Otherwise, basically you are just doing "symmetric encryption in asymmetric clothing," which is just "symmetric." If that is the case, then you may as well just use DES and be done with it.
 
Old 01-03-2007, 03:47 PM   #6
zidane_tribal
Member
 
Registered: Apr 2005
Location: chained to my console.
Distribution: LFS 6.1
Posts: 143

Rep: Reputation: 18
Quote:
Originally Posted by andystanfordjason
Hi,
I'm writing an app that needs to be able to decrypt files encrypted by my web server. Is there a safe way to include the private key in my compiled application so that a user/hacker will be unable to extract it from the compiled code?

Cheers

Whilst I am certainly no expert, I would suggest not. I expect that with a little hard work someone could find your decryption routine, establish a breakpoint and gather the key from there.

I am curious though as to what would need a binary application to download encrypted updates and use them in a manner that can't be decrypted...
 
  

