ionCube Logo
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


 
Post new topic   Reply to topic    ionCube Forum Index -> ionCube PHP Encoder

External / dynamic keys

Author Message
eugenio



Joined: 05 Feb 2016
Posts: 15

PostPosted: Thu Apr 22, 2021 7:12 am    Post subject: External / dynamic keys Reply with quote

Hello,
is it possible to use external / dynamic keys when you encode through the command line interface? I haven't found any information in the manual.

I also have another, more general question about external / dynamic keys: according to the introduction in chapter 4 the idea is to avoid having the encryption key in the encrypted file itself. I understand that and external keys do exactly this. I don't get, however, how dynamic keys increase security: in this case the key is actually (at least in one of the option) IN the file itself.

Let's take your example:

Code:
// Using the value of a variable as the dynamic key.
// @ioncube.dk $x -> "58" RANDOM
function myfn($a)
{
 [Code body for myfn]
}
$x = 53;
$x += 5;
myfn($v); // First call to myfn – successful decoding depends
on the value of $x.


The key here is 58 and it's in the file, am I missing something? And in which case $x won't be 58? It will always be 58 if you run this code. I understand that a potential attacker, here, should run the code to try to get the key but I can't see why running the code should be problematic. Again, probably I am missing something.

Thanks!
Back to top
View user's profile Send private message
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2801

PostPosted: Sun Apr 25, 2021 12:10 pm    Post subject: Reply with quote

Hi Eugenio

Dynamic keys is directed by source code comments as per your example, and external keys can be specified via the command line; the GUI launches the Encoder to encode, so all encoding operations that the GUI does can be achieved by the command line. Section 4.2 has details.

For security, Dynamic Keys can substantially overcome the weakness of decryption keys being stored in the encoded files themselves. In the early days, encoding was essentially bytecode compilation with some encoding of the bytecode. This is where most compiled solutions remain today and was very effective at the time, but after some years a Chinese group called the Blue Wind developed a decompiler for PHP bytecode, and although that wasn't an issue at the time, introducing new challenges to reverse engineering is important. Recognising that stored keys is a weakness, we set about thinking of ways to remove the need for having a decryption key stored as this can dramatically change the approaches needed for reverse engineering, and led to Dynamic or algorithmic keys.

The aim should be to write key generators where even if the source is available to a hacker, working out what the key will be is as challenging as possible. As an example, consider the difference between a key generator that returned 42 and one that used indirection and returned the value of $$p, where $p is a global. In parallel with conceiving of new security mechanisms we also think of ways to defeat them, and there are of course approaches that a reverse engineer could use in trying to unravel the mechanism, but there is a leap in effort and complexity and it's proven very effective. As it turns out, external keys has also been, and as they are easy to add we recommend always to use external keys too.
_________________
Community Admin
Back to top
View user's profile Send private message
eugenio



Joined: 05 Feb 2016
Posts: 15

PostPosted: Tue Apr 27, 2021 5:49 pm    Post subject: Reply with quote

Thanks liaison, after having read your post, everything is more clear.

I still have some doubts about dynamic keys though:

1) You mentioned in your example $$p, but the documentation says that variable variables are not allowed, am I missing something?

2) Let's say that I include in my program a .php file containing the most important functions and I want to encode the whole file instead of the individual functions. This should decrease a little bit security and increase a little bit performances, am I right? I am not sure, however, why I should comment also the first function of the file and about this aspect: can the dynamic key of the first function be totally different respect to the one I used for the script?

3) As far as I have understood, I cannot use dynamic keys on a script that does not contain any user defined functions, right? The only way is by prepending a script but this can be done only via .htaccess, php.ini or in general using webserver configurations. Can I do it via PHP code? For example would it work by setting auto_prepend_file via ini_set()?

Thanks!
Back to top
View user's profile Send private message
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2801

PostPosted: Tue May 04, 2021 11:53 am    Post subject: Reply with quote

The idea would be to use var vars in a key generation function, where you can do anything you want.

The whole file dynamic key is for all code that isn't in a function, so you can cover your point 3. Having both a file level dynamic key and some for selected functions could be a good idea.
_________________
Community Admin
Back to top
View user's profile Send private message
eugenio



Joined: 05 Feb 2016
Posts: 15

PostPosted: Tue May 04, 2021 5:47 pm    Post subject: Reply with quote

liaison wrote:
The idea would be to use var vars in a key generation function, where you can do anything you want.


Oh, ok, I see.

liaison wrote:
The whole file dynamic key is for all code that isn't in a function, so you can cover your point 3. Having both a file level dynamic key and some for selected functions could be a good idea.


I still don't understand here, I think the manual explicitly says to add the comment also to the first function of the file, and that's not clear.

In my case, I was wondering if I can use dynamic keys for all the functions in a file (it's a functions file included in another, main, file) without having to add the comment to each single function.

Best,
Back to top
View user's profile Send private message
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2801

PostPosted: Wed May 05, 2021 11:53 am    Post subject: Reply with quote

A key specification must be added for each function you want to have a dynamic key.
_________________
Community Admin
Back to top
View user's profile Send private message
eugenio



Joined: 05 Feb 2016
Posts: 15

PostPosted: Wed May 05, 2021 12:00 pm    Post subject: Reply with quote

Ok, thanks. Then I think the manual is not clear with the example I mentioned before.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    ionCube Forum Index -> ionCube PHP Encoder All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum