在已编译的应用程序中隐藏密码/密钥 [英] Hiding passwords / keys in compiled application
问题描述
在我的C应用程序中,我有一个解密密钥,该密钥用于解密数据库中的集(用户名/密码)。目前,我只是用
In my C application I have a decryption key that is used to decrypt sets in the database (username / password). Currently, I simply declared it with
char * key = "$$$secretSampleDecryptionKey$$$";
在那行之后不久,我准备了SQL语句,然后从数据库中选择。我的问题是,如果有人要调试我的已编译应用程序或将其反汇编,他们实际上会看到密钥吗?我该怎么做才能将它们隐藏起来?
Shortly after that line, I prepare the SQL statement and then select from the DB. My question is, if someone was to debug my compiled application or dissassemble it, will they actually see the key? What can I do to hide it from them?
编辑:
正如Mark和Aaron指出的那样,可以简单地使用Linux / Unix字符串命令
As Mark and Aaron pointed out, I can simply use the Linux / Unix strings command
strings nameOfApplication
打印出应用程序中的所有字符串,包括秘密键。
to print out all the strings in my application, including the "secret" key.
编辑2:
该应用程序在我的服务器上运行,并且数据库存储了已加密的敏感客户数据。我以为没有在文件中供所有人阅读但可以编译它,所以我很安全。
The app runs on my server and the database stores sensitive customer data that is encrypted. I thought I was playing it safe by not having the key in a text file for everyone to read but compile it instead.
推荐答案
一个有趣的链接,涉及某人从二进制文件中检索密码的故事:
An interesting link relating the story of someone retrieving a password from a binary :
这是有关某人可能尝试发现密码的逐步说明。它将使您对不可以做什么有所了解。例如,使用命令 strings 是列表中的第一项。
This is a step-by-step description of what someone could try to discover a password. It will give you some idea of what "not to do". The use of the command strings is the first item in the list for example.
如果要隐藏自己的 strings 中的秘密字符串,您可以将其存储为不以 \0 字符终止的char数组。 字符串不应捡起它。
If you want to hide your secret string from strings, you can store it in as a char array not terminated with \0 character. strings should not pick it up.
还提到了一个不错的技巧(可以绕过),以避免有人
There is also a nice trick mentioned (which is bypassed) to avoid someone to use a strace/ltrace on your binary.
最终,通过反汇编代码,黑客设法检索密码,正如其他人指出的那样,很难防范。基本上,您无法真正将任何内容隐藏在二进制文件中。
Ultimately by disassembling the code, the "hacker" manage to retrieve the password, which as other have pointed out is difficult to protect against. Basically you can't really hide anything in a binary...
这篇关于在已编译的应用程序中隐藏密码/密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
