Protect private key in Qt application

I have a Qt application written in C++ that uses an SSL connection (QSslSocket) with another application for added security. However, the app has a private key embedded in it.

In applications like Process Explorer, it is very easy to pull out the private key. (File Properties -> Strings)

Security is not very important to my application, but it would be nice to make it a little harder to get the private key from my application. Is there a way?

+2




4 answers


You may need to tackle your problem from a different angle.

I agree with Shoosh's answer that no matter what you do, someone with the right tools and knowledge will be able to smash your code and figure out your secret key.

What you need to do is either supplant the data or mitigate the risks if your private keys are found.

The best way to externalize any private data is to encrypt it with the user's password, which must be entered by the user to be used. Unfortunately, this is not very smart for most applications.

To mitigate the risks, I usually try to ensure that only one "installation" is compromised if security is compromised.



For example, randomly generate private key data during installation.

For client / server applications, you can follow the https model and use a public / private key relationship to exchange a randomly generated encryption key.

If each client installation has its own public / private key then the server can indicate which clients are connecting and also if there is a problem they can deny clients.

Hope it helps.

+1




"strings" only detect blocks that are actual Ascii / UTF8 / Unicode strings. If you keep your key as a binary buffer, then there is nothing to differentiate it from random binary data, which is usually ignored.



Other than that, there are much smarter programs like IDA and OllyDebug that allow the user to completely parse or even decompile your program and grab the key no matter what you try.

+4




Glue it together using a simple symmetric algorithm. For example, define arrays cryptedData and cryptedDataKey so that the n-th byte of your private key can be retrieved with cryptedData[cryptedDataKey[n]]. This will save you from looking at your executable with a text editor, but it won't help against a more or less experienced person.

Also, if you have persistent connections with QSslSocket at runtime, chances are the private key is kept in memory as it is. So only modifying the Qt library is a way to manipulate the representation of keys in memory.

+1
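The two-table lookup described in the answer above, as an added example that is not part of the original answer or of Qt: it shows that the PEM marker no longer appears in either stored table, and that one loop over the tables restores the key, which is why this only deters a casual look. The function names, the permutation constants and the sample key are assumptions made for the illustration.

```cpp
#include <algorithm>
#include <array>
#include <cstdint>
#include <string>
#include <vector>

// Constructed placeholder, not a real key. In a real build only the two
// tables below would be compiled in, generated offline from the key file.
static const std::string kSampleKey =
    "-----BEGIN PRIVATE KEY-----\n"
    "CONSTRUCTED-SAMPLE-NOT-A-REAL-KEY\n"
    "-----END PRIVATE KEY-----\n";

// cryptedData: a fixed permutation of all 256 byte values (167 is odd, so
// i -> i*167+13 mod 256 is a bijection). The constants are arbitrary.
std::array<uint8_t, 256> makeCryptedData() {
    std::array<uint8_t, 256> t{};
    for (int i = 0; i < 256; ++i) t[i] = static_cast<uint8_t>(i * 167 + 13);
    return t;
}

// cryptedDataKey: for each key byte, the index where it sits in cryptedData.
std::vector<uint8_t> makeCryptedDataKey(const std::string& key,
                                        const std::array<uint8_t, 256>& data) {
    std::vector<uint8_t> idx;
    for (unsigned char c : key) {
        auto it = std::find(data.begin(), data.end(), c);
        idx.push_back(static_cast<uint8_t>(it - data.begin()));
    }
    return idx;
}

// Runtime recovery: key[n] = cryptedData[cryptedDataKey[n]].
std::string recoverKey(const std::array<uint8_t, 256>& data,
                       const std::vector<uint8_t>& idx) {
    std::string out;
    for (uint8_t i : idx) out.push_back(static_cast<char>(data[i]));
    return out;
}

// What a "strings"-style look at the binary would be searching for.
template <class Blob>
bool containsMarker(const Blob& blob, const std::string& marker) {
    return std::search(blob.begin(), blob.end(), marker.begin(), marker.end(),
                       [](uint8_t a, char b) { return a == static_cast<uint8_t>(b); })
           != blob.end();
}
```

The recovered string exists in process memory in plain form from the moment it is handed to the SSL layer, which is the limitation the answer's second paragraph points out.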




Another common technique is to put secret data into a binary resource, such as an icon image.

0








