Security Question

[Dick, from the internet]

@BigChimp
  please don't give up now!!  i usually sit down with my morning coffee and go to dilbert.com for my morning laugh - but this thread has moved to #1 position.  I think you may be making headway!

mind reading! LOL <wipes tear from eye>

geno.

[BigChimp]

@Geno: glad I could make somebody's day And you're right: either laugh or cry

[ezlage]

Elmug, my friend.

My application is portable. Runs at Usb Disks, offline and without a DBMS.
All data is stored in DBF files, that natively doesn't support any security.

The DBF files are encoded and stored at disk.
Before full loading, the application needs to decode all DBFs, but just in memory, for security reasons.

Finally, I just want know: how to store my cryptographic keys securely?
Someone knows?
TStrHolder is enough?

[Shebuka]

I think that the only way to go for you is to make your users remember a username/password that is used to access a local robust database in which you store encryption keys, also encrypted by seeding with username/password or some other encryption strategy. This way if a cracker doesn't know username/password it must first crack robust database security, then guess what is your seed to decrypt encryption keys... But if cracker knows username/password and can attach with a debugger to you application, then all this is air.

As workflow on first launch user is queried for Username/Password and after validating them as valid combination of accepted symbols, you will create by code a database user account and associate to it a record with randomly generated and then encrypted encryption key.

Financial data are on another database that is encrypted with this new randomly generated encryption key. But this create some problem when there are some default data in this database on first launch.

[Elmug]

Elmug, my friend.

My application is portable. Runs at Usb Disks, offline and without a DBMS.
All data is stored in DBF files, that natively doesn't support any security.

The DBF files are encoded and stored at disk.
Before full loading, the application needs to decode all DBFs, but just in memory, for security reasons.

Finally, I just want know: how to store my cryptographic keys securely?
Someone knows?
TStrHolder is enough?

Hi ezlage,

if your datafiles are encrypted, and you work them in memory only, make sure that you save them only after they are encrypted again.

If you do happen to save them while un-encrypted, you overwrite them again, but encrypted.

Or if it merits copy them to external device like usb. Then erase-wipe the files that were stored unencrypted with utilities that replace the data with blanks. Then open  the version saved to the external usb, to memory, encrypt it and save it while encrypted to wherever you need to.

If the data is not high value or really critical, overwriting with the encrypted file can be sufficient.

Now, to store passwords, in an encrypted file, the application would use an encoding algorithm, that you may find available, or invent you own.

The algorithm requests a password to do the encryption. The password is never built-in into the application, nor is ever a part of the algorithm.

The algorithm produces from the same plain text, different results for different passwords. Only with the same password, does the decryption give back the original plain text. The application creates a file with the resultant encryption. The decrypting algorithm is the opposite of the original encrypting algorithm, and decrypts the file, using momentarily a password supplied, which it clears from the variable that holds it immediately once used.

Note that decrypting algorithms have no way of knowing if the provided password is the correct one or not. They just do the decryption based on whatever password is supplied. The same is true for encrypting algorithms. They just encrypt the plain text using whatever password (the controlling parameter) is supplied. They work like a painter painting a wall. The paint color you give is the equivalent of the password.

You can also do encryption of anything, including COMPLETE DESK TOP databases using 7-Zip and use the option to use a password. This one works at the level of encrypting a single file or even folders and sub-folders. The benefit also, is that the size is much smaller than the original files, as far as storage, because it compresses data. If you are interested in mobility, maybe that can sort things out for you. Keep in kind that compressing data adds difficulty to eavesdroppers, so that on top of being encrypted is hard to beat.

I use that one often. If you are not familiar with it, you ought to download it and use it. It is free and works in Windows, Linux, and also in the Mac.

If any thing is not clear, I'd try to help out.

[goodname]

Elmug you seam to be very concerned about terminology. In your response to ezlage you are using the term encryption password. I think the term your looking for is encryption key.

ezlage to answer your question about making the key hard to find I would say that TStrHolder is a good step. You could of course add your own custom complex logic to make it that much harder.

[ezlage]

Thank all of you!

When I finish the implementations, I will make a challenge offering a reward to anyone who can break the security of my application.

The forum allows this?

Sorry by my poor english.
Regards.

[KpjComp]

Elmug you seam to be very concerned about terminology. In your response to ezlage you are using the term encryption password. I think the term your looking for is encryption key.

I think Elmug's terminology is spot on here, because the point he is trying to make is the password is the encryption key.  IOW: The best way to hide the key, is to not store the key in the first place.

I think there are two types of security been mentioned here,
1.  Protecting the EXE from reverse engineering, (hacking)
2.  Protecting confidential data.

Number 1, is very hard to defend against.  (Reverse Engineering, Debug/Tracing) etc.
Number 2, is actually pretty easy to defend against, store you data encrypted with the password, reverse engineering won't help here, unless you have the password in the first place..

[goodname]

Standard terminology as I understand it.
Encryption algorithm + key + Plain data  -> Encrypted data
Decryption algorithm + key + Encrypted data -> Plain data
User name + password -> access(in this case to the key)

@KpjComp The question asked was how to protect the key required to decrypt the application data. That question was not answered. Hiding the key behind a password as your suggesting just means that the password has to be protected since a valid password is required by the application to get the key. The question just becomes how do you protect the password.

@Geno why am I still answering these questions. I should stop and do something constructive.

[Dick, from the internet]

@goodname:
You just keep rolling right along there buddy, you're doing all the good!   I still get a chuckle - (almost) everyone says the same thing with different wording, but since I have not offered a viable solution, I will refrain from pointing a finger 

Personally, I feel there really is no way to guarantee complete security in this particular situation (automated encryption/decryption through the application), as long as there are those who want to gain access to your information.  All you can hope to do is discourage the script kiddies' and/or slow down the more motivated hackers.

But I think this thread provides good justification for the new Security category suggested by ezlage, because there are the nefarious ones waiting to exploit  every weakness in y our applications.

regards,
   geno

[KpjComp]

User name + password -> access(in this case to the key)

No, like has been pointed out to you a few times now,  that's not always how it is.
@Elmug gave you a good example, Password protected Zip files, that work pretty well, and the only way to crack them is brute force / dictionary attack  (debugging won't help).  The only real weakness, is the password itself.  Also why are you even talking about user-name's that's another type of security.

The question asked was

In fact if you did have a key you wanted protected because you couldn't directly use the password as the key, a good solution is to encrypt this key with the password, it just becomes another level were the password is used as the encryption key.   There you go, that's the Op's question answered.

[Shebuka]

... That question was not answered...

I'v proposed a solution to how protect the encryption key and how to not store it inside binary.

http://www.lazarus.freepascal.org/index.php/topic,17651.msg98026.html#msg98026

You can replace "secure database" with "password protected .zip" mentioned above

[KpjComp]

Here is a challenge for everyone I've knocked up.

The attached project has a popular song from the 80's encoded, to get at this information you will need the correct password.  The challenge is to see if anybody can work out the song/password.

In terms of cracking, this challenge doesn't require any dissembler, You have full access to the source code for decryption, you can even see what encryption method was used etc.  So in theory should even be easer than cracking at the EXE level.

Now this site is made up of a number of good programmers, so if this cannot be cracked there is a good chance that using this technique is pretty secure.

This technique is basically what @Elmug & @Shebuka have been trying  to explain, and is what I'd say is a good technique for @ezlage to use.

[goodname]

@Shebuka: You did give a good answer.

@KpjComp: The user name can be optional. Most of this thread has been discussing database access. The following basic logic still applies.

an application needs valid password, encryption keys, ... to login, communicate, ... This information can come from a user or be found by the binary application. The more difficult it is for a cracker/reverse-engineer to discover this valid data the more secure the program is.

The case that many have been having trouble understanding is when there is no user name or password, it just goes straight to access. This can happen when it is assumed that if your able to run the application then you automatically have rights to the data. Private key communication can be a similar situation. If you can run the program then you automatically have rights to communicate with the server or client application.

[Elmug]

This reminds me of an old computer joke.
Me: I just got this great new dvd player for my computer.
Friend: Great lets try it.
Me: Have to install the driver, but having problems doing that.
Friend: What is the problem?
Me: The driver is on a dvd disk and I can't read it until I install the driver.

I know that all systems come with basic read capability but the conflicting logic make me laugh.

EDIT: In this case it would be.
The password is in the database and I can't open the database until I get the password.

It is normal business/academic/government practice that passwords are stored in the database.

Your comparison joke with the Cd is silly.

Each user is given an initial password, by an administrator, which the user him/herself can then change.

Didn't you know that?