Question

I have a C++ client/server application where the client and server are my executables. Each time a connection is made between the client and server, I generate a new encryption key for that session, and I wish to transmit this session key, encrypting it using a static key that is built into both the client and server.

However, running strings on my executable reveals the static key.

How can I hide the embedded static key in my client and server applications so that it cannot easily be extracted, thus allowing someone to decode my session key?


Solution

His method of exchanging keys "ensures" the client is valid and not an impostor. Just securely exchanging keys using D-H won't do that. In order to get the same functionality he'll need to implement a PKI system. SSL/TLS was built for this purpose, and underneath it will do what he needs.

You'll need to create a CA for your server and sign client certificates to ensure that they are who they say they are.

OTHER TIPS

There are solutions to this problem that don't involve trying to hide keys (which, in general, is impossible). For example, Diffie-Hellman key exchange allows the client and server to negotiate a new secret session key without ever sending it over the wire.
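The exchange described above, as an added example that is not code from the original question or answers. It also illustrates the first answer's point: both sides derive the same session key without it ever crossing the wire, but plain Diffie-Hellman does nothing to authenticate the peer, so an active attacker who replaces each public value in transit ends up holding a session key with each side while neither endpoint can tell. The group parameters are the 2048-bit MODP group (group 14) from RFC 3526, transcribed here and worth checking against the RFC before use; the label string, the hypothetical message flow in comments, and the use of HMAC-SHA256 as the key-derivation step are my assumptions, not anything from the page.

```python
"""Unauthenticated Diffie-Hellman over RFC 3526 group 14, and why it is not
enough on its own. Added example; not code from the original page."""
import hashlib
import hmac
import secrets

# 2048-bit MODP group, RFC 3526 section 3 (group 14). Transcribed by hand;
# verify against the RFC before relying on it. Generator is 2.
P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(P_HEX.split()), 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8
LABEL = b"example-app session key v1"  # assumed application label


def dh_keypair():
    """Fresh private exponent (256 bits is ample for a 2048-bit group)
    and the matching public value g^x mod p."""
    x = 0
    while x < 2:
        x = secrets.randbits(256)
    return x, pow(G, x, P)


def check_public_value(y):
    """Reject 0, 1 and p-1: a peer sending one of these forces the shared
    secret to a known value regardless of our private exponent."""
    if not 2 <= y <= P - 2:
        raise ValueError("invalid DH public value")


def shared_key(own_private, peer_public, client_public, server_public):
    """Validate the peer value, compute the raw secret, and derive a
    256-bit session key bound to both public values seen in the exchange."""
    check_public_value(peer_public)
    secret = pow(peer_public, own_private, P).to_bytes(P_BYTES, "big")
    transcript = (LABEL
                  + client_public.to_bytes(P_BYTES, "big")
                  + server_public.to_bytes(P_BYTES, "big"))
    return hmac.new(transcript, secret, hashlib.sha256).digest()


def honest_exchange():
    """Client sends A, server replies B; both derive the same key and the
    key itself never goes over the wire. Returns (client_key, server_key)."""
    a, A = dh_keypair()          # client side
    b, B = dh_keypair()          # server side
    k_client = shared_key(a, B, A, B)
    k_server = shared_key(b, A, A, B)
    return k_client, k_server


def mitm_exchange():
    """Same exchange with an active attacker on the path. The attacker swaps
    A for its own M2 toward the server and B for its own M1 toward the
    client. Returns (client_key, server_key, attacker_key_with_client,
    attacker_key_with_server)."""
    a, A = dh_keypair()          # client
    b, B = dh_keypair()          # server
    m1, M1 = dh_keypair()        # attacker's pair facing the client
    m2, M2 = dh_keypair()        # attacker's pair facing the server
    k_client = shared_key(a, M1, A, M1)       # client believes it talks to server
    k_server = shared_key(b, M2, M2, B)       # server believes it talks to client
    k_att_client = shared_key(m1, A, A, M1)   # attacker's copy of client's key
    k_att_server = shared_key(m2, B, M2, B)   # attacker's copy of server's key
    return k_client, k_server, k_att_client, k_att_server


if __name__ == "__main__":
    kc, ks = honest_exchange()
    print("honest exchange, keys match:", kc == ks)
    kc, ks, ac, as_ = mitm_exchange()
    print("mitm: attacker has client key:", kc == ac,
          "attacker has server key:", ks == as_)
```

The honest run shows the property the answer describes; the second run shows what it does not give you. Nothing in the exchange lets the client know whether B came from the server or from someone in the middle, which is exactly the gap that a CA-signed certificate (and TLS, which wraps this kind of exchange in a signed handshake) closes.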

So, you're planning on hiding your secret (the key in the executable) with an especially hard to undo method that can only be undone if you know the secret of the method, which you also need to hide with a new super secret method that can only be undone if you know the secret of that method, which we need to hide with another secret method requiring another secret that we need to hide...

This is a "problem overflow". I hope you can see you won't solve it this way. Generate the keys per computer (ssh/sshd does this) and protect those. The same problem above actually applies, because if I get that key it's still game up, but this way you don't hard code it into your solution meaning fixing a compromised key is much easier.

Licensed under: CC-BY-SA with attribution