Protecting Secret Keys from Hackers

If you have sensitive login information to a service, how do you protect it in code from people who might decompile your app?

For example, I have code like this that talks to AWS. How would I protect my secret key? I could encrypt the property locally but it would have to be decrypted before it was used to log in (via the handy MBS Curl utility) and that presumably would make it insecure.

// Prepare the cURL for the S3 API call.
Dim CurlSetup As Boolean = Curl.SetupAWS( AccessKey, SecretKey, Region, Service, Path, Domain, Verb, HashedPayload, Headers )

One easy way to do this is to make a method and convert the entire string to chr() calls. If you want to add another layer, use an array and jumble the order when the array is created and sort them out before returning.

https://thezaz.com/code/obfuscate/

1 Like

But even if I did something like that:

SecretKey = chr(1) + chr(2) + chr(3) // etc
Login(Name, SecretKey) // SecretKey now exists in memory as clear text

Then the SecretKey exists in memory decoded in plain text at this point. Couldn’t that then be viewed by a hacker?

Only for the moment that the string is in use. Make sure it goes out of scope or is set back to an empty string immediately after use.

Oh, thanks to you and @Thom_McGrath. That’s a snazzy utility!

Doesn’t solve the in-memory viewing but does make things more difficult for a hacker.

1 Like

Ok. Thanks. I guess it’s better than no protection. Why do I feel like there’s a NSFW coding joke waiting in here…

1 Like

Just bear in mind, before you go too deep into the rabbit hole: whatever you do can be seen by an experienced hacker.

Some protection is good as it cuts down the number of people who can extract secret keys, but not all.

By the way, please change it! “12345” is the same combination as my luggage :wink:

2 Likes

That’s some mighty secure luggage. Wasn’t the code for the nuke launch at one of the bases 1111?

1 Like

Also, make sure you are solving a problem that you actually have. As Sam said, an experienced hacker can access anything they want to, but that also usually means physical access to the machine, which also means having compromised one of the humans that use that machine, etc.

Well, I’m assuming that my compiled app freely available to download could be disassembled and the memory contents viewed in an assembler IDE…?

1 Like

https://www.pelock.com stops hackers from even debugging the source code

Interesting. Pity it’s only 32 bit Win apps.

Yes, that’s true, but is it readily obvious that your app does this and is the information sensitive enough that a hacker is going to seek it out and use it nefariously?

Dealing with hackers is always a balancing act. To put it simply, you need to make it complicated enough that they realize that there are other easier targets in terms of time and reward, but not so complicated that you spend all of your life protecting it from them.

Think of alarm system signs on a house. If someone were to see one in your yard, that’s often enough to have them move on to another location without even checking to see if you are home because there are other homes with equally valuable things in them which don’t have intrusion detection systems.

Unless they know that you have something that no one else has and which they really want. Same as hackers.

2 Likes

Keep in mind that a DLL can be replaced by a DLL with the same name and methods to read all parameters,
and this special DLL then calls the real DLL methods. You will not notice this.
Instead of giving all apps/users the same “password”, it’s better that each user has its own login or secret.

Or perhaps use your own Web API on a server somewhere and access AWS that way.

2 Likes

Don’t put your keys in the app.
Have the app talk to your server to authenticate user and send files to your server, which stores them.

Or for direct upload generate temporary logins or presigned upload URLs.

So for every call to AWS, my desktop app would have to talk to a custom web app to relay the information? That kinda feels like it defeats the purpose of AWS…

With pre-signed upload URLs, you could query your web app, send a request, get back a JSON with the URL inside and then do the upload to S3 directly.

Hmmm. One of the reasons I’m using AWS is because I’m hammering it with dozens (later hundreds) of read requests a second and it’s cheap. So my own web app would have to generate all those URLs each time?