Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Could a hacker achieve this?

Reply
Thread Tools

Could a hacker achieve this?

 
 
Framework fan
Guest
Posts: n/a
 
      04-10-2004
Hello.

If I have this line of code inside my ASP.NET app:

EncryptTripleDES("String to encrypt", "MySecretKeyXYZ!!!")

Can a very experienced hacker do either of the following:

1. "Steal" the DLL from the server, then reverse engineer the DLL in
order to obtain the hard coded key above.

2. (Much more clever) kind of "listen in to / tap in to" the DLL as
it is actually executing on the server, and then kind of "syphon off"
the data that is flying about the machine's data ports, in order to
"catch / filter off" the secret key.

-Frameworker.
 
Reply With Quote
 
 
 
 
WJ
Guest
Posts: n/a
 
      04-11-2004

"Framework fan" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> Hello.
>
> If I have this line of code inside my ASP.NET app:
>
> EncryptTripleDES("String to encrypt", "MySecretKeyXYZ!!!")
>
> Can a very experienced hacker do either of the following:
>
> 1. "Steal" the DLL from the server, then reverse engineer the DLL in
> order to obtain the hard coded key above.
>


Depend on how tight your ACL is enforced at your server where the DLL is
hosted. I would check this first to make sure only the intended users have
access to it. I would offuscate my code if it is that sensitive. Hardcoding
secret key in an application is a common practice. Just name things
different than suggested by some best programming pratices to make life
harder for hackers. This means that in some cases, you need to be abnormal
in your programming style.

> 2. (Much more clever) kind of "listen in to / tap in to" the DLL as
> it is actually executing on the server, and then kind of "syphon off"
> the data that is flying about the machine's data ports, in order to
> "catch / filter off" the secret key.
>


Chances for this to happen is very slim unless there is an iider help.

John


 
Reply With Quote
 
 
 
 
Paul Glavich [MVP - ASP.NET]
Guest
Posts: n/a
 
      04-11-2004
Stealing the DLL is one task and probably the hardest. As was mentioned in
another post, it depends on how you have your security configured. If we
assume a standard .Net app with the DLL in the bin folder, no explicit ACL
set by yourself, then while it is possible, its not too easy. The more your
machine is locked down, the harder it is for a hacker to get in and grab
some code libraries.

Now if we assume that the hacker has gained entry to your machine and can
get your assemblies, then how hard would it be to have a look at your secret
code. Well, without obfuscating your code, it would actually be quite easy.
Obfuscating your code makes it considerably harder, but certainly not
impossible. John mentioned that hardcoding the secret key is quite common,
but it is bad practice. Ideally, you should probably extract it from
somewhere that keeps it in an encrypted form also. Ideal for this situation
is the DPAPI libraries. Typically, you can decrypt data only on the machine
it was encrypted on (or only by the user it was encrypted by), with DPAPI
handling the key storage for you. So if the hacker got your code, it would
simply be referencing a key on the local machine, which is also encrypted.
If the hacker then manages to get that encrypted key, they cant decrypt on
anyother machine, so its useless to them.

So you could either use DPAPI for all your encryption needs or just to
store/encrypt the encryption key that you will be using. DPAPI is an
unmanaged set of libraries/functions, but there is a managed wrapper with
example code to be found here.
http://weblogs.asp.net/pglavich/arch.../15/89687.aspx


--
- Paul Glavich
Microsoft MVP - ASP.NET


"WJ" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> "Framework fan" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) om...
> > Hello.
> >
> > If I have this line of code inside my ASP.NET app:
> >
> > EncryptTripleDES("String to encrypt", "MySecretKeyXYZ!!!")
> >
> > Can a very experienced hacker do either of the following:
> >
> > 1. "Steal" the DLL from the server, then reverse engineer the DLL in
> > order to obtain the hard coded key above.
> >

>
> Depend on how tight your ACL is enforced at your server where the DLL is
> hosted. I would check this first to make sure only the intended users have
> access to it. I would offuscate my code if it is that sensitive.

Hardcoding
> secret key in an application is a common practice. Just name things
> different than suggested by some best programming pratices to make life
> harder for hackers. This means that in some cases, you need to be abnormal
> in your programming style.
>
> > 2. (Much more clever) kind of "listen in to / tap in to" the DLL as
> > it is actually executing on the server, and then kind of "syphon off"
> > the data that is flying about the machine's data ports, in order to
> > "catch / filter off" the secret key.
> >

>
> Chances for this to happen is very slim unless there is an iider help.
>
> John
>
>



 
Reply With Quote
 
Framework fan
Guest
Posts: n/a
 
      04-12-2004
Thank you for everyone's input.

"Paul Glavich [MVP - ASP.NET]" <(E-Mail Removed)-NOSPAM> wrote in message news:<#(E-Mail Removed)>...
> Stealing the DLL is one task and probably the hardest. As was mentioned in
> another post, it depends on how you have your security configured. If we
> assume a standard .Net app with the DLL in the bin folder, no explicit ACL
> set by yourself, then while it is possible, its not too easy. The more your
> machine is locked down, the harder it is for a hacker to get in and grab
> some code libraries.
>
> Now if we assume that the hacker has gained entry to your machine and can
> get your assemblies, then how hard would it be to have a look at your secret
> code. Well, without obfuscating your code, it would actually be quite easy.
> Obfuscating your code makes it considerably harder, but certainly not
> impossible. John mentioned that hardcoding the secret key is quite common,
> but it is bad practice. Ideally, you should probably extract it from
> somewhere that keeps it in an encrypted form also. Ideal for this situation
> is the DPAPI libraries. Typically, you can decrypt data only on the machine
> it was encrypted on (or only by the user it was encrypted by), with DPAPI
> handling the key storage for you. So if the hacker got your code, it would
> simply be referencing a key on the local machine, which is also encrypted.
> If the hacker then manages to get that encrypted key, they cant decrypt on
> anyother machine, so its useless to them.
>
> So you could either use DPAPI for all your encryption needs or just to
> store/encrypt the encryption key that you will be using. DPAPI is an
> unmanaged set of libraries/functions, but there is a managed wrapper with
> example code to be found here.
> http://weblogs.asp.net/pglavich/arch.../15/89687.aspx
>
>
> --
> - Paul Glavich
> Microsoft MVP - ASP.NET
>
>
> "WJ" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> >
> > "Framework fan" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed) om...
> > > Hello.
> > >
> > > If I have this line of code inside my ASP.NET app:
> > >
> > > EncryptTripleDES("String to encrypt", "MySecretKeyXYZ!!!")
> > >
> > > Can a very experienced hacker do either of the following:
> > >
> > > 1. "Steal" the DLL from the server, then reverse engineer the DLL in
> > > order to obtain the hard coded key above.
> > >

> >
> > Depend on how tight your ACL is enforced at your server where the DLL is
> > hosted. I would check this first to make sure only the intended users have
> > access to it. I would offuscate my code if it is that sensitive.

> Hardcoding
> > secret key in an application is a common practice. Just name things
> > different than suggested by some best programming pratices to make life
> > harder for hackers. This means that in some cases, you need to be abnormal
> > in your programming style.
> >
> > > 2. (Much more clever) kind of "listen in to / tap in to" the DLL as
> > > it is actually executing on the server, and then kind of "syphon off"
> > > the data that is flying about the machine's data ports, in order to
> > > "catch / filter off" the secret key.
> > >

> >
> > Chances for this to happen is very slim unless there is an iider help.
> >
> > John
> >
> >

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Teen Hacker arrested over Cisco attack Random Guy Cisco 0 05-10-2005 04:43 PM
Hacker System f5 lopi Microsoft Certification 0 12-19-2004 12:23 PM
POSSIBLE OFF-TOPIC: hacker-type personality in corporate lifestyle D E Java 4 06-30-2004 10:58 AM
[NEWS] Hacker code could unleash Windows worm The Other Guy Computer Security 7 07-30-2003 04:22 AM
I want to be a hacker/nerd b4 I die. Ghost issues (now and after I die) O.Phooey Computer Support 4 07-05-2003 08:35 PM



Advertisments