Subject: Re: [boost] [encrypted strings]
From: Francois Barel (frabar666_at_[hidden])
Date: 2009-04-28 01:57:00
Sid Sacek wrote:
> You make some good points. I think the strings need to stay obfuscated
> until they're used and then discarded immediately afterwards.
The timespan during which the strings are decrypted doesn't matter
much unless the cracker is randomly scanning memory... what matters
more is what is done with those strings. Something to keep in mind is
that a cracker can look at the "other end": as coded as the string is
originally / wherever it comes from, once it is decoded it will
probably be used... for something, right? If this is done in an
unprivileged process (a user process), all that trouble was useless.
For instance if this string is a SQL connection login/password, you
don't even have to look for anything concerning the encrypted string.
It's much simpler to just attach to the running process with a
debugger, set a breakpoint on the DB API's method where the app gives
the password to that API (almost guaranteed to be in cleartext, or at
the very least replayable), look at the args when the breakpoint is
hit, and voilà! you have the password. By experience (in this very
case, get a decrypted SQL password by setting a breakpoint in OLE DB)
this takes less than 10 minutes.
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk