Re: data encryption advice needed
- From: SharpCoderMP <csharp_mp@xxxxxxxxxxxxxxxx>
- Date: Wed, 25 Jan 2006 16:55:44 +0100
Joe Kaplan (MVP - ADSI) wrote:
> If the "behind the scenes" app is on a separate server, then perhaps you can
> secure the communications betweeen them with some authentication and
> authorization? Perhaps you could use web services with WSE SSL or
> something? There are a variety of ways to ensure that your data isn't
> tampered with.
unfotunately this is not possible, because the templates i mentioned
earlier, will be stored on the target machine. and there it can be
tempered with. i know that i can securly transfer it between the main
app nad the "behind the scenes" one. the problem is that this data in
template and final form will be stored on the machine that runs main app
and thus it will not be safe. so the only thing that came to my mind was
to somehow prove at the end that the final data was generated from valid
template that came from trusted source.
hah, now when i write and think about it i might have found a sollution.
if the template data is just an object serialized into the xml file,
then maybe i could associate with it some hash (ordinal md5 generated
for part of the xml template file should do it). then when the final
data will arrive back to the "behind the scenes" app i could check if
the apropriate part of it generates correct hash that is the same as one
stored with the templates collection on the "behind the scenes" machine.
this is theoretically possible because i am able to exctract the
template from the final data. this is tricky, but possible. if asymetric
encryption and signing cannot help here this looks like the only
reasonable sollution. unfortunately it forces me to store lots of
aditional data on the "behind the scenes" machine.
what do you think of this sollution?
>
> You are correct that it is difficult to prevent a hacker from doing stuff to
> your code if you install on his system. He can always run a debugger and
> change the operation of your program at runtime.
>
> Joe K.
>
> "SharpCoderMP" <csharp_mp@xxxxxxxxxxxxxxxx> wrote in message
> news:%23NFQIiaIGHA.1288@xxxxxxxxxxxxxxxxxxxxxxx
>
>>Joe Kaplan (MVP - ADSI) wrote:
>>
>>>This is typically done with digital signatures. The owner of the private
>>>key signs the data with it. Your client has the public key and can use
>>>that
>>>to verify the signature, but cannot recreate it.
>>
>>hi joe,
>>
>>thakns for advice. you're right. just before posting my question i was
>>thinking of using RSA - but silly me :) the private key can be used for
>>encryption and decryption so this sollution wasn't good. anyone who
>>would somehow extract my priate key from the app would be able to
>>provide it with the fake data. the digital signature looks more
>>promissing.
>>
>>but there is still one problem - if someone will hack my app and remove
>>digital signature check from it, he will be able to provide my app with
>>fake data. unfortunately this is probably something that can't be
>>eliminated especially with .net :/
>>
>>the data flow scenario in my application is more or less like this:
>>1. the main app is fed with data from another "behind the scene secure"
>>app.
>>2. the main app consumes this data and generates new one based on the
>>oryginal.
>>3. new data is sent to the "behind the scene" app for futher processing
>>
>>the ideal scenario would be that the main app would be somehow able to
>>prove that the data it sends back to the "behind the scene" app is valid
>>and is based on the oryginal data provided by the "behind the scene" app.
>>i realise that this is very complicated problem but maybe you or someone
>>else has some clues. the data i'm talking about is nothing more but
>>object that is serialized to xml. in the first step the object is just a
>>template for some actions performed by the main app in the second step.
>>so in the third step the data that is sent back to the "behind the
>>scene" app contains parts of the oryginal data. the main problem is that
>>the collection of these templates can be very large and complicated so
>>comparing them with final data would ba a pain in the a... that's why i
>>though of the encryption, signatures and proofs.
>>
>>sorry for the long post :)
>>here's a word of explanation: the "behind the scene" app is called that
>>because it is intended to run only in secure enviroment under my full
>>controll, so noone will be able to access it and mess with it's code.
>>
>>
>>>Typically, the public key will be wrapped in an X509 certificate.
>>>
>>>Joe K.
>>>
>>>"SharpCoderMP" <csharp_mp@xxxxxxxxxxxxxxxx> wrote in message
>>>news:OQ38EiUIGHA.648@xxxxxxxxxxxxxxxxxxxxxxx
>>>
>>>
>>>>hi,
>>>>
>>>>i need to implement some data encription in my app. the trick is that i
>>>>need the app to be able to decrypt but not encrypt that data. this is
>>>>needed to make sure that data the app needs, comes from the trusted
>>>>source. the app cannot be able to reproduce encription.
>>>>
>>>>can someone point me into the right direction?
>>>
>>>
>>>
>
>
.
- Follow-Ups:
- Re: data encryption advice needed
- From: Joe Kaplan \(MVP - ADSI\)
- Re: data encryption advice needed
- References:
- data encryption advice needed
- From: SharpCoderMP
- Re: data encryption advice needed
- From: Joe Kaplan \(MVP - ADSI\)
- Re: data encryption advice needed
- From: SharpCoderMP
- Re: data encryption advice needed
- From: Joe Kaplan \(MVP - ADSI\)
- data encryption advice needed
- Prev by Date: Sign assembly
- Next by Date: Re: data encryption advice needed
- Previous by thread: Re: data encryption advice needed
- Next by thread: Re: data encryption advice needed
- Index(es):
Relevant Pages
|
