Techniques for obscuring sensitive strings in C++

Question

I need to store sensitive information (a symmetric encryption key that I want to keep private) in my C++ application. The simple approach is to do this:

std::         


        

Answer 1

As was said before, there's no way to totally protect your string. But there are ways to protect it wis a reasonable safety.

When I had to do this, I did put some innocent looking string into the code (a copyright notice, for example, or some faked user prompt or anything else that won't be changed by someone fixing unrelated code), encrypted that using itself as a key, hashed that (adding some salt), and used the result as a key to encrypt what I actually wanted to encrypt.

Of course this could be hacked, but it does take a determined hacker to do so.

Answer 2

If you are on windows user DPAPI, http://msdn.microsoft.com/en-us/library/ms995355.aspx

As a previous post said if you are on mac use the keychain.

Basically all of these cute ideas about how to store your private key inside your binary are sufficiently poor from a security perspective that you should not do them. Anyone getting your private key is a big deal, don't keep it inside your program. Depending on how import your app is you can keep your private keys on a smart card, on a remote computer your code talks to or you can do what most people do and keep it in a very secure place on the local computer (the "key store" which is kind of like a weird secure registry) that is protected by permissions and all the strength of your OS.

This is a solved problem and the answer is NOT to keep the key inside your program :)