Security Basics
keeping data safe offline Apr 09 2012 08:41AM
Erki Männiste (Erki Manniste webmedia ee) (6 replies)
RE: keeping data safe offline Apr 16 2012 06:37PM
David Gillett (gillettdavid fhda edu)
Preventing users from copying data is a hard problem -- one that's been
only poorly addressed before, by enterprises able to devote a lot more
resources to the problem than you can. So I ask myself if the need can be
met in a more focused and less general way.

And I believe it can: Since the data will be stored encrypted, what you
need is for decryption of the data to fail when it is not on the original
stick. That's a bit more manageable.

Short of actually identifying the specific device, it might be sufficient
to detect some detail that is easily imposed on the device during its
original write, but unlikely to be reproduced when it is copied. For
instance, one might create a temporary file on the device, write the desired
content, and then delete the temporary. A simple-minded copy won't bother
to include the deleted temporary file, so content files will be allocated
differently on the copied device. And maybe the space originally allocated
to the temporary -- now marked free -- actually contains a decryption
key.....

I'm sure fancier solutions exist, but this might be enough, at least for
version 1 -- when it sells like hotcakes, you can invest some of the
proceeds in fancier protection for v. 2.

David Gillett

-----Original Message-----
From: Erki Männiste [mailto:Erki.Manniste (at) webmedia (dot) ee]
Sent: Monday, April 09, 2012 01:41
To: security-basics (at) securityfocus (dot) com; pen-test (at) securityfocus (dot) com
Subject: keeping data safe offline

I am developing software that is going to be distributed to end-users on
USB sticks. The application and the content will be stored on that device
and the content will be stored in a one-file sqlCE database; it will be
encrypted by default and will be encrypted by the application on-the-fly.

My client has made it clear that he wants to keep end-users from copying
the content and using it on any other device but that very stick. Now, due
to the offline requirement this is impossible to achieve because I have to
store the encryption key somewhere in the code and users are able to access
the data while in unencrypted state.

Can anybody recommend any mechanism that I could apply to make it more
difficult for users to copy the content?

ERKI
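
The temporary-file idea from the reply above, sketched as an added example that is not code from the thread: a toy first-fit block store stands in for the stick's filesystem, and the key is derived from where the content landed plus the bytes left in the freed blocks. `ToyVolume`, `derive_key`, `provision` and `file_copy` are hypothetical names, and the secret and content are constructed sample values.

```python
import hashlib

BLOCK = 16  # toy block size in bytes (constructed for this example)

class ToyVolume:
    """Hypothetical first-fit block store standing in for the stick's filesystem."""
    def __init__(self, nblocks=32):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.files = {}                       # name -> list of block indices

    def free(self):
        used = {i for idxs in self.files.values() for i in idxs}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write(self, name, data):
        chunks = [data[i:i + BLOCK].ljust(BLOCK, b"\0")
                  for i in range(0, len(data), BLOCK)]
        idxs = self.free()[:len(chunks)]      # first fit: lowest free blocks
        for i, chunk in zip(idxs, chunks):
            self.blocks[i] = chunk
        self.files[name] = idxs

    def delete(self, name):
        del self.files[name]                  # blocks become free, bytes stay behind

    def read(self, name):
        return b"".join(self.blocks[i] for i in self.files[name])

def derive_key(vol, name):
    """Hash the content's block positions plus the residue in free blocks below it."""
    idxs = vol.files[name]
    residue = b"".join(vol.blocks[i] for i in vol.free() if i < idxs[0])
    return hashlib.sha256(repr(idxs).encode() + residue).digest()

def provision(secret, content):
    vol = ToyVolume()
    vol.write("tmp", secret)                  # temporary file carries key material
    vol.write("content.db", content)          # content is allocated after it
    vol.delete("tmp")                         # temporary removed, residue remains
    return vol

def file_copy(src):
    dst = ToyVolume()
    for name in src.files:                    # a file-level copy sees live files only
        dst.write(name, src.read(name))
    return dst

if __name__ == "__main__":
    stick = provision(b"K" * 32, b"row data " * 5)
    print(derive_key(stick, "content.db") == derive_key(file_copy(stick), "content.db"))
```

The check separates the original from a file-level copy only; a copy that reproduces both the block layout and the free-space contents derives the same key, which is the limit "simple-minded copy" implies.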

Re: keeping data safe offline Apr 12 2012 12:02PM
AK (platsakos gmail com)
Re: keeping data safe offline Apr 10 2012 03:11PM
СеÑ?гей Ð?Ñ?Ñ?Ñ?лев (DemonImp13 mail ru)
Re: keeping data safe offline Apr 10 2012 07:20AM
Andre Silaghi (andre silaghi googlemail com)
Re: keeping data safe offline Apr 10 2012 06:12AM
Ansgar Wiechers (bugtraq planetcobalt net)
Re: keeping data safe offline Apr 10 2012 03:02AM
Stephanus J Alex Taidri (securityfocus ae taidri com)


 
