It is possible to find a specific byte array in a .NET assembly?

StackOverflow https://stackoverflow.com/questions/15816941

Question

How easy would it be for a someone to decompile/disassemble/reflect over a .NET Assembly compiled in release mode to find the contents of a specific byte array?

Is it a good idea to implement a security mechanism that relies on a specific key (stored in the C# code as a byte array) being secret?

I tried .NET reflector and didn't find my own security key, but I was wondering if this information would be "safe enough".

Are there any safer places to store the secret than in the assembly?

Was it helpful?

Solution 2

I agree with others that getting the secret byte array from an assembly would be simple.

But there is a more general principle at play: if your security depends on the secrecy of some key, you should really make sure this key is never on a potentially compromised computer.

It doesn't matter if you use native C++ and/or use some sort of obfuscation, or something like that. When some key is on a computer of an user you don't trust, you should act as if the user knew that key.

In other words: the only safe place for such key is on a server you control and whose security you trust.

OTHER TIPS

Do not store secrets inside a .Net assembly which are accessible to people you don't trust. Decompiling an assembly is trivial an there are numerous tools available to do so. It would be easy to ferret out any secrets you put in there

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top