
Sid Sacek wrote:
You make some good points. I think the strings need to stay obfuscated until they're used and then discarded immediately afterwards.
The timespan during which the strings are decrypted doesn't matter much unless the cracker is randomly scanning memory... what matters more is what is done with those strings.

Something to keep in mind is that a cracker can look at the "other end": however encoded the string is originally / wherever it comes from, once it is decoded it will probably be used... for something, right? If this is done in an unprivileged process (a user process), all that trouble was useless.

For instance, if this string is a SQL connection login/password, you don't even have to look for anything concerning the encrypted string. It's much simpler to just attach to the running process with a debugger, set a breakpoint on the DB API's method where the app gives the password to that API (almost guaranteed to be in cleartext, or at the very least replayable), look at the args when the breakpoint is hit, and voilà! You have the password. From experience (in this very case, getting a decrypted SQL password by setting a breakpoint in OLE DB), this takes less than 10 minutes.

Regards,
François