Security Basics mailing list archives
Re: keeping data safe offline
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Tue, 10 Apr 2012 08:12:14 +0200
On 2012-04-09 Erki Männiste wrote:
I am developing a software that is going to be distributed to end-users on usb sticks. The application and the content will be stored on that device and the content will be stored in a one-file sqlCE database, it will be crypted by default and will be encrypted by the application on-the-fly. My client has made it clear, that he wants to keep end-users from copying the content and using it on any other device but that very stick. Now, due to the offline requirement this is impossible to achive because i have to store the encryption key somewhere in the code and users are able to access the data while in unencrypted state. Can anybody recommend me any mechanism that i could apply, to make it more difficult for users to copy the content?
No. If you want the database to be decrypted without the user having to provide a key or passphrase, you have to store the key somewhere. And of course the key can be read from that somewhere, because it must be unencrypted (lest it be unusable). Of course you could add an arbitrary number of indirections (i.e. encrypt the decryption key with another key, encrypt that key with yet another key, and so on). However, that won't get you around the problem that at the top of that chain you still do need a key in the clear, that can be read by an attacker (and then used to work his way back down the chain). To prevent users from copying content from the unencrypted database you'd have to encrypt every single data field separately, and have the application decrypt it when it's accessed. Which will obviously have a massive impact on DB performance, and still won't get you around the problem of the decryption key being retrieved from the application. In the end, you can't protect data from users who are supposed to work with those data. Tell your client that what he's asking for is a case of "wash me, but don't make me wet". Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- keeping data safe offline Erki Männiste (Apr 09)
- Re: keeping data safe offline Ansgar Wiechers (Apr 10)
- Re: keeping data safe offline Stephanus J Alex Taidri (Apr 10)
- Re: keeping data safe offline Сергей Мурылев (Apr 10)
- Re: keeping data safe offline Andre Silaghi (Apr 10)
- Re: keeping data safe offline AK (Apr 12)
- RE: keeping data safe offline David Gillett (Apr 16)