data encryption advice needed

SharpCoderMP - 25 Jan 2006 00:44 GMT
hi,

i need to implement some data encryption in my app. the trick is that i
need the app to be able to decrypt but not encrypt that data. this is
needed to make sure that data the app needs, comes from the trusted
source. the app cannot be able to reproduce encryption.

can someone point me into the right direction?
Joe Kaplan (MVP - ADSI) - 25 Jan 2006 04:45 GMT
This is typically done with digital signatures.  The owner of the private
key signs the data with it.  Your client has the public key and can use that
to verify the signature, but cannot recreate it.

Typically, the public key will be wrapped in an X509 certificate.

Joe K.

> hi,
>
[quoted text clipped - 4 lines]
>
> can someone point me into the right direction?
SharpCoderMP - 25 Jan 2006 12:11 GMT
> This is typically done with digital signatures.  The owner of the private
> key signs the data with it.  Your client has the public key and can use that
> to verify the signature, but cannot recreate it.

hi joe,

thanks for the advice. you're right. just before posting my question i was
thinking of using RSA - but silly me :) the private key can be used for
encryption and decryption so this solution wasn't good. anyone who
would somehow extract my private key from the app would be able to
provide it with the fake data. the digital signature looks more promising.

but there is still one problem - if someone will hack my app and remove
digital signature check from it, he will be able to provide my app with
fake data. unfortunately this is probably something that can't be
eliminated especially with .net :/

the data flow scenario in my application is more or less like this:
1. the main app is fed with data from another "behind the scene secure" app.
2. the main app consumes this data and generates new one based on the
original.
3. new data is sent to the "behind the scene" app for further processing

the ideal scenario would be that the main app would be somehow able to
prove that the data it sends back to the "behind the scene" app is valid
and is based on the original data provided by the "behind the scene" app.
i realise that this is a very complicated problem but maybe you or someone
else has some clues. the data i'm talking about is nothing more than an
object that is serialized to xml. in the first step the object is just a
template for some actions performed by the main app in the second step.
so in the third step the data that is sent back to the "behind the
scene" app contains parts of the original data. the main problem is that
the collection of these templates can be very large and complicated so
comparing them with final data would be a pain in the a... that's why i
thought of the encryption, signatures and proofs.

sorry for the long post :)
here's a word of explanation: the "behind the scene" app is called that
because it is intended to run only in a secure environment under my full
control, so no one will be able to access it and mess with its code.

> Typically, the public key will be wrapped in an X509 certificate.
>
[quoted text clipped - 8 lines]
>>
>>can someone point me into the right direction?
Joe Kaplan (MVP - ADSI) - 25 Jan 2006 15:06 GMT
If the "behind the scenes" app is on a separate server, then perhaps you can
secure the communications between them with some authentication and
authorization?  Perhaps you could use web services with WSE SSL or
something?  There are a variety of ways to ensure that your data isn't
tampered with.

You are correct that it is difficult to prevent a hacker from doing stuff to
your code if you install on his system.  He can always run a debugger and
change the operation of your program at runtime.

Joe K.

>> This is typically done with digital signatures.  The owner of the private
>> key signs the data with it.  Your client has the public key and can use
[quoted text clipped - 52 lines]
>>>
>>>can someone point me into the right direction?
SharpCoderMP - 25 Jan 2006 15:55 GMT
> If the "behind the scenes" app is on a separate server, then perhaps you can
> secure the communications between them with some authentication and
> authorization?  Perhaps you could use web services with WSE SSL or
> something?  There are a variety of ways to ensure that your data isn't
> tampered with.
unfortunately this is not possible, because the templates i mentioned
earlier, will be stored on the target machine. and there it can be
tampered with. i know that i can securely transfer it between the main
app and the "behind the scenes" one. the problem is that this data in
template and final form will be stored on the machine that runs main app
and thus it will not be safe. so the only thing that came to my mind was
to somehow prove at the end that the final data was generated from valid
template that came from trusted source.

hah, now when i write and think about it i might have found a solution.
if the template data is just an object serialized into the xml file,
then maybe i could associate with it some hash (ordinary md5 generated
for part of the xml template file should do it). then when the final
data will arrive back to the "behind the scenes" app i could check if
the appropriate part of it generates correct hash that is the same as one
stored with the templates collection on the "behind the scenes" machine.
this is theoretically possible because i am able to extract the
template from the final data. this is tricky, but possible. if asymmetric
encryption and signing cannot help here this looks like the only
reasonable solution. unfortunately it forces me to store lots of
additional data on the "behind the scenes" machine.

what do you think of this solution?

> You are correct that it is difficult to prevent a hacker from doing stuff to
> your code if you install on his system.  He can always run a debugger and
[quoted text clipped - 58 lines]
>>>>
>>>>can someone point me into the right direction?
Joe Kaplan (MVP - ADSI) - 25 Jan 2006 16:06 GMT
The hash would probably work.  If the templates are XML files, can you just
use XML digital signatures?

The idea would be that you would ensure that they are placed on the local
file system signed and would then verify the signatures before using them.
The signature is slightly stronger than the plain hash as you have some
guarantee that the hash then came from a specific source.

Remember too though that you can't stop a determined hacker once you install
code on his machine.

Joe K.

>> If the "behind the scenes" app is on a separate server, then perhaps you
>> can
[quoted text clipped - 90 lines]
>>>>>
>>>>>can someone point me into the right direction?
SharpCoderMP - 25 Jan 2006 16:32 GMT
> The hash would probably work.  If the templates are XML files, can you just
> use XML digital signatures?
i don't know :) haven't thought of it. probably yes. i'll take a look at
the sdk and see which way is better for me. this way or another it looks
like there is quite a few lines of code i'll have to write to make this
work nice and smooth....

after a quick glimpse at the sdk it looks like i'll have to store the key
*and* the signature on the "behind the scenes" machine and test parts of
the final data with it. sounds easy :P but needs some additional coding
to extract template data from the final data.

> The idea would be that you would ensure that they are placed on the local
> file system signed and would then verify the signatures before using them.
[quoted text clipped - 101 lines]
>>>>>>
>>>>>>can someone point me into the right direction?
Joe Kaplan (MVP - ADSI) - 25 Jan 2006 17:28 GMT
That sounds basically right.  Good luck.  I hope you find a solution you
like.

Joe K.

> i don't know :) haven't thought of it. probably yes. i'll take a look at
> the sdk and see which way is better for me. this way or another it looks
[quoted text clipped - 5 lines]
> the final data with it. sounds easy :P but needs some additional coding
> to extract template data from the final data.
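
The flow the thread settles on (the back end signs each XML template, the main app verifies it with only the public key, and the back end re-checks the template it extracts from the returned data), sketched with `SignedXml` as an added example that is not code from any poster. The class and method names, the sample XML and the `/result/template` layout are assumptions; it needs a reference to System.Security on .NET Framework (4.7.2 or later for `RSA.Create(2048)`) or the System.Security.Cryptography.Xml package on newer .NET.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;
static class TemplateSigning   // hypothetical name, illustration only
{
    // Back end only: append an enveloped signature covering the whole template.
    public static XmlDocument Sign(string templateXml, RSA privateKey)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(templateXml);
        var signedXml = new SignedXml(doc) { SigningKey = privateKey };
        var reference = new Reference { Uri = "" };   // "" = the entire document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc;
    }
    // Client and back end: needs only the public key. The key comes from the
    // caller and is never read from KeyInfo inside the untrusted document.
    public static bool Verify(XmlElement template, RSA publicKey)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.AppendChild(doc.ImportNode(template, true));   // isolate the template
        var sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1) return false;                 // unsigned or ambiguous
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigs[0]);
        return signedXml.CheckSignature(publicKey);
    }
    static void Main()
    {
        RSA backEndKey = RSA.Create(2048);      // private key stays on the back end
        RSA clientKey = RSA.Create();
        clientKey.ImportParameters(backEndKey.ExportParameters(false)); // public half only
        XmlDocument template = Sign(
            "<template id=\"t1\"><action>copy</action></template>", backEndKey);
        Console.WriteLine(Verify(template.DocumentElement, clientKey)); // client-side check
        // Constructed sample: the client embeds the signed template in its result.
        var result = new XmlDocument { PreserveWhitespace = true };
        result.LoadXml("<result><output>done</output></result>");
        result.DocumentElement.PrependChild(result.ImportNode(template.DocumentElement, true));
        var returned = (XmlElement)result.SelectSingleNode("/result/template");
        Console.WriteLine(Verify(returned, backEndKey));   // back end: template is intact
        returned.SelectSingleNode("action").InnerText = "delete";      // simulated tampering
        Console.WriteLine(Verify(returned, backEndKey));   // back end: must be rejected
    }
}
```

Because the signature travels inside the template, the back end only has to keep its key pair rather than a stored hash per template.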
