I need to encrypt/decrypt data from my software with AES. The problem is how to keep the AES key secure: there is no HSM. Should I hard-code the key in my code? It seems that a hacker can read the key data by reverse engineering the software.
3 Answers
If your software needs to decrypt the data and you want to prevent even those with physical access from decrypting without your software, you are basically out of luck. It is impossible to achieve purely in software, since even if a good white-box algorithm existed, an attacker could copy it into their software and be able to decrypt (without directly knowing the key, but who cares).
However, if you are willing to ignore those attacks and only protect the data against those who do not have access to the exact device and its software, you should use device-specific keys, not hardcoded ones. That way, even if an attacker extracted the key from their device, they would not be able to use it to attack other devices.
What you are looking for is called white-box cryptography.
In short, white-box crypto aims to make an implementation of a cypher (for example AES) in such a way that it is impossible for an attacker to extract the key, even if the attacker (the user of the computer) has access to the source code and a debugger.
Up till now all academic white-box implementations have been broken, so it's not really possible to do this, but at least it has become significantly harder for the attacker to do so.
For more information on white-box crypto, visit the site of Brecht Wyseur: http://www.whiteboxcrypto.com/, or read the article by James Muir: https://scholar.google.nl/scholar?q=A%20Tutorial%20on%20White-box%20AES (for the technical details of the white-box AES implementation).
Edit: I read in your comment that you need both encrypt and decrypt. If you need to encrypt and decrypt with the same key, this will never be secure in the white-box context, because rather than trying to get the key, the attacker can just feed his (encrypted) input into the decryptor and he has all he ever needs (and vice versa). So you will need to have two keys (and thus two white boxes) in this case.
You cannot hide the algorithm, because the algorithm is the code - if your code has to be able to decode the data, then you are giving your attacker machine readable code.
The key has to be accessible, directly or indirectly, to the code.
And finally, if you decrypt the data, then an attacker can listen to the output of your decryption code, which means that no amount of obfuscation or hiding will help you.
The only way to stop an attacker decrypting your data is to make it so the code can't decrypt it without help - for example, by a trusted operator putting a key or partial key in at runtime, or if some of the data is controlled by a trusted (hardware) module. Of course, if the trusted hardware module then hands the data back to the operating system, then you're no better off.
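Two suggestions from the answers above, device-specific keys and a trusted operator supplying the key at runtime, can be combined so that no AES key is ever stored in the binary or on disk. The following is an added example, not code from any of the answers; `DeviceRecord`, `provision`, `unlock` and the scrypt parameters are assumptions chosen for illustration, and the returned 32 bytes would be handed to whatever AES library the software uses.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceRecord:
    """What is stored on one device. Neither field is the AES key."""
    salt: bytes      # random per device, not secret
    verifier: bytes  # lets unlock() reject a wrong passphrase


def _derive(passphrase: str, salt: bytes) -> bytes:
    # scrypt makes each passphrase guess cost about 16 MiB of memory.
    # 64 bytes out: [0:32] is the AES-256 key, [32:64] keys the verifier.
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=64)


def _verifier(okm: bytes) -> bytes:
    return hmac.new(okm[32:], b"key-check", hashlib.sha256).digest()


def provision(passphrase: str) -> DeviceRecord:
    """Run once per device; a fresh salt makes the derived key device-specific."""
    salt = os.urandom(16)
    return DeviceRecord(salt, _verifier(_derive(passphrase, salt)))


def unlock(record: DeviceRecord, passphrase: str) -> Optional[bytes]:
    """Return the 32-byte AES key, or None if the passphrase is wrong."""
    okm = _derive(passphrase, record.salt)
    if not hmac.compare_digest(_verifier(okm), record.verifier):
        return None
    return okm[:32]


if __name__ == "__main__":
    secret = "constructed operator passphrase"  # sample value
    dev_a, dev_b = provision(secret), provision(secret)
    print(unlock(dev_a, secret) != unlock(dev_b, secret))  # True
    print(unlock(dev_a, "wrong guess"))                     # None
```

Anyone who copies the stored record can still guess passphrases offline, so scrypt only raises the cost per guess and the passphrase must be strong. The key also exists in process memory while the software runs, which is the residual exposure the answers describe.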