Geek Answers Handbook

What technique can protect a secret from a fully trusted user?

I am programming a system using C #. My program generates a small message (a hash digest for the file) that I want to save on my hard drive, but I do not want the user to read it. I was about to encrypt this message, but someone suggested it was a BAD IDEA.

So, I'm looking for alternatives - how do you protect some of the secret information from a fully trusted user?

+6
security c #
source share
6 answers

Take a step back; you have a solution that basically does not work for your problem. Instead of trying to hammer it while it is not working, stop, step back and solve the real problem.

Security problems associated with real money are some of the most difficult problems to solve; bad people have a real financial motive for attacking your system. For these species, a multipurpose approach is usually best suited.

First write the threat model :

  • identify each resource that needs protection (your resources and your friendly client resources, for example, their personal financial data).
  • rate its value
  • evaluate its value to an attacker
  • Think about what vulnerabilities a resource has to attack.
  • characterize the threat - who is the attacker and what is their motivation?

Once you learn about resources, threats, and vulnerabilities, only then start thinking about mitigating these threats. Assign costs and effectiveness to each of the mitigations.

For example:

  • resource: my tv
  • Value to me: $ 400
  • value for the attacker: $ 40
  • vulnerability: unlocked bathroom window
  • threat: thieves or vandals use a window to access a TV

OK, now that I know what attacks are, I can start thinking about mitigation:

  • lock window
  • get an alarm system
  • dogs
  • the guards

Those that are in order of increasing costs. Ultimately, the cost of mitigation is greater than the loss of a resource, and there is no point in wasting money.

There are also ways to externalize mitigation costs:

  • threatens the attacker with charges - taxpayers pay for it
  • to insure against theft of television, reducing the cost of a successful attack against me.
  • etc.

Encrypting a file that contains user data on the user's computer is not a mitigation of any attack. Find out what attacks are and what actually mitigates them, including options such as siccing feds on attackers, and then implement a system that actually mitigates your vulnerabilities and eliminates threats.

Your suggested mitigation: give the key to the thief and ask the thief to block the window before he tries to steal the TV. This does not reduce vulnerability. No suggestion related to the transfer of a key to a thief is to mitigate the vulnerability of a window with an unlocked window, so do not try to find it.

For more “software” oriented examples of threat modeling, see:

http://msdn.microsoft.com/en-us/magazine/cc163519.aspx

http://www.owasp.org/index.php/Threat_Risk_Modeling

http://msdn.microsoft.com/en-us/library/aa302419.aspx

And so on; You can find many articles on the Internet about how we do threat modeling here at Microsoft.

Finally:

Connect to a security specialist.

Seriously, you bite off one of the most difficult tasks in software implementation, where the consequences of small errors have serious financial consequences. Spend your budget on the implementation of a first-class expert consultant who has experience in this field and can help you find ready-made and custom-made parts necessary for a safe solution. Scrolling through your own security system may seem fun and cheap; this is not true. Leave these things to people who have spent their careers exploring this space.

+29
source share

My program generates a small message (a hash file for the file) that I want to save on my hard drive, but I do not want the user to read it.

The user has full control over his car. If your software can read it, the user can take a little effort.

Instead of fighting a losing battle against your customers, it might be better to accept that "this is a user machine, not mine" and not worry about something excessive - just Base64 encodes it or something like that.

Why do you still need the user to not read the hash file?

+7
source share

This is a DRM problem, it cannot be performed. You can make this very inconvenient and disappointing, coming up with new and new ways of obfuscating data, but it is a fundamentally wrong idea to think that you can protect data when encryption and decryption machines are located in the “enemy” system and are fully controlled.

+6
source share

Not. It's impossible. If a person has physical / full access to the machine, you cannot protect the hard drive from it without encryption.

The only way I could do this is to save this message on a remote server, which the user does not have access to.

+2
source share

Make sure the text cannot be used without, say, the other half of the text, which never comes close to the user's computer.

In other words: distract the meaning from the secret, so that it will no longer be a secret, and the client will have no interest in acquiring it.

If you cannot, you may have made a mistake while developing your application and are trying to find a cheap way to get around it. But there is a free lunch . Again, security in this case is another example of balancing usability, implementation difficulties, and the value of secrecy.

If you still want to do this, do not rely on one technique. Use a lot: encrypt data on the disk using a public key, which is stored in memory and removed from the repository; do not save the data as a "cleartext" in memory, but block encryption; shuffle your memory often; obfuscation of use, patterns, delays, etc.

Take a look at how Skype is implemented: through code obfuscation, debugging detection (when the debugger is running on an executable file, the execution path changes) and deleting the actual implementation value. Even if you understand how Skype works, this is already standard; and if you want to redesign it to make your software “work with skype”, well, they will never let you auth use your brand.

+2
source share

In one of the comments to another answer, you wrote:

This is an attempt to make a certain log protection against unauthorized access to files.

If this is true, then perhaps you should use a different approach and move the log file to a place where the user is not fully trusted (i.e.: some other system).

Otherwise, you cannot guarantee the security of the file (as others have indicated).

+2
source share

More articles:


All Articles