Re: keeping data safe offline

[Ansgar Wiechers <bugtraq () planetcobalt net>]

On 2012-04-09 Erki Männiste wrote:
> I am developing a software that is going to be distributed to
> end-users on usb sticks. The application and the content will be
> stored on that device and the content will be stored in a one-file
> sqlCE database, it will be crypted by default and will be encrypted by
> the application on-the-fly.
> My client has made it clear, that he wants to keep end-users from
> copying the content and using it on any other device but that very
> stick. Now, due to the offline requirement this is impossible to
> achive because i have to store the encryption key somewhere in the
> code and users are able to access the data while in unencrypted state. 
> Can anybody recommend me any mechanism that i could apply, to make it
> more difficult for users to copy the content? 

No. If you want the database to be decrypted without the user having to
provide a key or passphrase, you have to store the key somewhere. And of
course the key can be read from that somewhere, because it must be
unencrypted (lest it be unusable).

Of course you could add an arbitrary number of indirections (i.e.
encrypt the decryption key with another key, encrypt that key with yet
another key, and so on). However, that won't get you around the problem
that at the top of that chain you still do need a key in the clear, that
can be read by an attacker (and then used to work his way back down the
chain).

To prevent users from copying content from the unencrypted database
you'd have to encrypt every single data field separately, and have the
application decrypt it when it's accessed. Which will obviously have a
massive impact on DB performance, and still won't get you around the
problem of the decryption key being retrieved from the application.

In the end, you can't protect data from users who are supposed to work
with those data. Tell your client that what he's asking for is a case of
"wash me, but don't make me wet".

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------