Geek Answers Handbook

Archive encryption methods in C ++

I am writing a game in which there will be a lot of information (configuration, some content, etc.) inside some XML documents, as well as resource files. This will make it easier for me and others to edit the program without having to edit the actual C ++ files and without having to recompile.

However, as the program begins to grow, the number of files in the same directory as the program increases. So I thought about putting them in an archive file (since they are mostly text, this is great for compression).

My question is: will it be easier to compress all files and:

  • Set a password for it (for example, password protected ZIP), then specify the password when the program needs it.
  • Encrypt archive with Crypto ++ or similar
  • Change the file header as โ€œtemporaryโ€ encryption and correct the file headers during file download.

I think the numbers 1 and 2 are similar, but I could not find any information on whether zlib can handle password-protected archives.

Also note that I do not want the files in the archive to be โ€œextractedโ€ to the folder while using the program. It should only be in system memory.

+7
source share
3 answers

I think you misunderstand the possibilities generated by encryption.

While the program is running on an untrusted host, it is not possible to guarantee anything.

In the best case, you can make it difficult (encryption, obfuscation of the code) or extremely difficult (self-modifying code, detecting debugging / hooks) for someone to reverse engineer the code, but you cannot prevent cracking. And with the Internet, it will be available to everyone as soon as it is broken by one person.

The same is true so that a person does not interfere with the setting. Regardless of which method (CRC, Hash โ†’, by the way, encryption is not designed to prevent unauthorized access), you can still redesign it with sufficient time and money (and motivation).

The only way to guarantee a non-configurable configuration is to save it somewhere where you control (the server), sign it (asymmetrically) and check the program for signature. But even then, it would not hurt anyone to get out with a patch that allowed your program to work with a user-provided (unsigned) configuration file ...

And do you know the worst of it? People are likely to prefer the hacked version, as they are relieved of the burden of all these security measures, they will work faster ...

Note: yes, it is illegal, but let it be pragmatic ...

Note: in terms of motivation, the smarter you defend the program, the more attractive it is for hackers โ†’ it is like a brain teaser for them!

So how do you provide a secure service?

  • You need to trust the one who runs the program
  • You need to trust the one who stores the configuration

This can be done only if you offer a thin client and run everything on a server that you trust ... and even then you will have problems with the fact that no one will find doors on your server that you did not think about.

In your boots, I would just make sure I found a slight tampering with the setup (consider it hostile and make sure to check the data before running anything). After all, file corruption is equally likely, and if a damaged configuration file meant a corrupted client machine, it would pay hell :)

+2
source

If I had to choose one of three options, I would go for Crypto ++, since it fits perfectly with C ++ iostreams.

But: you

  • Serializing your data in XML
  • compression
  • encryption

everything in memory and back. I would really rethink this choice. Why not use, for example. SQLite to store all your data in a file database (SQLite does not require any external database process)?

Encryption can be added through various extensions ( SEE or SQLCipher ). It is safe, fast and completely transparent.

You do not get compression, but again, using SQLite instead of XML, this will not be a problem anyway (or so I think).

+1
source

Set a password for it (for example, protected by a ZIP password), then specify a password when the program needs it.

Firstly, you cannot do this unless you ask the user for a password. If this encryption key is stored in the code, do not bet on a specific reverse engineer to find it and decrypt the archive.

The only big rule: you cannot store encryption keys in your software, because if you do, what is the point of using encryption? I can find your key.

Now, to other points. zlib does not support encryption , and, as they note, PKZip in any case . I suspect that if you are so inclined to find it, you will probably find a zip / compression library capable of handling encryption. ( ZipArchive I believe that Zip + AES handles, but you have to pay for it).

But I, second Daniel, reply that it just displays on my screen. What for? Encryption / compression will not do you any good if the user does not provide any form of token (password, smart card, etc.) that is missing from your compiled binary or related files. Similarly, if you are not using a ton of disk space, why compress?

+1
source

More articles:


All Articles