如何保护解密密钥免于反编译? [英] How to protect decryption key from decompilation?
问题描述
解密密钥被硬编码到软件中,因此可以通过分析字节码来看待。
我知道逆向工程不能完全阻止,我试图做的是尽可能的努力。
我的想法不是直接把钥匙放入我的代码,而是通过某种转换。
例如,我可以写 -
private static final byte [] HC256A = Hex
.decode (8589075b0df3f6d82fc0c5425179b6a6
+3465f053f2891f808b24744e18480b72
+ec2792cdbf4dcfeb7769bf8dfa14aee4
+7b4c50e8eaf3a9c8f506016c81697e32);
这样一来,看着字节码的人不能立即读取它。但是,必须遵循逻辑并对其进行转换,这在字节级别上不会那么容易。
那么你们认为什么?这是有用的吗?什么可能是十六进制解码以外的最佳转换?
有没有其他方法可以保护硬编码的解密密钥?
感谢您的所有建议。
攻击这种混淆的正确方法(特别是字节码语言)是将调试器附加到密钥传递的地方(如果调试不可行,请从该地方开始分析代码)。这样一来,攻击者根本就不需要查找密钥,他不在乎密钥是如何混淆的。所以你需要重新考虑你的设计。
如果你只想保护业余潜伏者,那么分割键和XORing它的部分(可能用不同的键)就足够了。另一个技巧 - 从代码中已经存在的文本常量(如应用程序名称)导出密钥。这使得关键不如分裂或异或显而易见。
I'm a beginner java programmer. I'm working on an application that decrypts some data. The decryption key is hardcoded into the software and thus can be seen by analyzing the bytecode.
I know that reverse engineering cannot be prevented entirely so what I'm trying to do is to make the process as hard as possible.
My idea is not to directly put the key into my code but have it go through some kind of transformation. For example, I could write -
private static final byte[] HC256A = Hex
.decode("8589075b0df3f6d82fc0c5425179b6a6"
+ "3465f053f2891f808b24744e18480b72"
+ "ec2792cdbf4dcfeb7769bf8dfa14aee4"
+ "7b4c50e8eaf3a9c8f506016c81697e32");
This way someone looking at the bytecode can't read it straight away. But will have to follow the logic and apply transformations to it, which won't be that much easier at byte level.
So what do you guys think? Is this useful? What could be the be the best transformation other than hex decoding? Are there any other methods available to protect hardcoded decryption keys?
Thanks for all your suggestions.
Right way to attack such obfuscation (especially in bytecode languages) is to attach debugger to the place to which the key is passed (if debugging is not possible, start analyzing code from that place). This way the attacker doesn't need to look for the key at all and he doesn't care how obfuscated the key is. So you need to re-think your design.
If you only want to protect from the amateur lurkers, then splitting the key and XORing it's parts (possibly with different keys), would be enough. One more trick - derive the key from text constants already present in the code (such as application name). This makes the key less obvious than splitting or XORing.
这篇关于如何保护解密密钥免于反编译?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
