Suppose I want to develop a IM application, and I want to ensure my users that I will not obtain their conversation information, that is, prove by a algorithm that I don't know about something.
How can I do that? Is their something similar to public-key method to do that?
I do not believe this is a solvable problem as long as the application you provide is a black box to the user. The way to achieve what you want is to provide the source code to your client so that the user can inspect it and potentially compile it themselves. For example, consider Tarsnap, which is targeting exactly this kind of problem (they provide online backups "for the truly paranoid"). The Tarsnap client is only provided in source form.
You can provide a similar (but weaker) assurance by publishing your protocol specification without publishing the source code to your implementation. This allows the user to inspect the protocol, determine whether it sends data that could be read in transit, and potentially implement their own client to protect themselves from any side-channels that might exist in your client.
The overarching rule is that cryptography is best done in public. Each piece of your system that is secret is a piece that the user must implicitly trust you on and cannot prove your behavior. The fewer secrets you enforce, the more trustworthy you can be.
Ultimately, however, I do not believe it is possible to prove that Eve does not know something. It is only possible to prove that Eve cannot discover something given that she stays within some set of rules.
As a quick proof by counter-example:
Alice sends message M to Bob using a provably-secure transform E(K,M).
Eve intercepts E(K,M), but since it is provably-secure, and she does not have K, she cannot decrypt it.
Eve begins dating Bob and convinces him to tell her K.
Eve performs D(K,E(K,M)) and recovers M.
Therefore, E(K,M) does not prove blindness over all possible attacks, despite being provably-secure over traditional attacks.
Related
I have been asked by a company to find the cause of missing transactions via a web-service, On reverse engineering the dll's (been given permission). I have found SOAP references in 9 scripts, and logic for a checking for data and switch, with different login/password calls.
Suffice to say: suspicious.
Unfortunately this is all circumstantial without hard proof of a traffic redirect. So with that in mind, is there anyway to detect the different SQL interactions or the SOAP client commands being sent (Expected at least twice a day).
Many thanks in advance.If this is not the place for such a question; I appreciate recommendations.
I am writing an application in vb.net, to send data to an API in a cloud service hosted in Azure. Is there any benefit / harm in wrapping the data up in a class before sending it, as opposed to parameterised data. is the data still vulnerable to being stolen in transit. How could I protect that data?
It makes no difference whether you collect your data into a single class or send each bit as a single parameter over the wire your relevant information can still be extracted very easily.
If you are sending sensitive data over the internet you need to protect it in someway. You should at the very least make sure that you are connecting over an SSL connection. So you would need to purchase a certificate for your domain name and add it to Azure.
You also want to make sure that the API is using authentication, ideally written by someone who understands the implications of authentication design decisions (it is often surprisingly counter-intuitive)
If the data is particularly sensitive you should encrypt it with your own key before sending it and let the receiving server decrypt and process it if needs be, or if possible only store the encrypted data and decrypt on the client when you receive it again.
The most important thing though is to spend time researching, computer security is a big topic, having unsecured data can become an easy target for hackers and those looking to ransom your data.
An exceptionally good place to start is https://security.stackexchange.com/ there are some hugely knowledgable people there. (but you probably want to understand a little of what you're talking about before asking questions - inf security people aren't known for their helpful natures ;) )
My friend proved it to me by taking the WP7 papertoss games and getting the .xap from it and then posting his own high scores.
Is there any fool proof way to stop this ? (I think xbox live integration makes hacking the high scores impossible but that is for special people )
It depends first of all how the high-scores are sent. I can only assume that what your friend did was take the XAP and modify some internal file or track the HTTP web requests that are used to send the scores to the centralized locations. I have two recommendations for you.
Encrypt. Don't keep scores in plaintext. There are plenty of strong encryption methods that you can take advantage of that will render the scoreboard useless unless the person who tries to read it has the key.
If you send the scores to a web service, never send it in plaintext (once again). From my own experience I can say that web requests can be easily altered and sniffed. So if I see that the app sends http://yourservice/sendscore?user=Den&score=500, I might as well invoke http://yourservice/sendscore?user=Den&score=99999999. Same applies if you plan on using headers.
Be aware, that using the Xbox Live services is only possible if you are a registered Xbox developer, and this is not easy to get.
First of all - is a high score list really that critical that you're worried about an edge case (the common person isn't going to have a dev unlocked phone with ability to modify the *.xap file)?
Second of all, no. There's no fool-proof way to protect your high score list if it is being stored locally on the device. The only way to protect the high score list would be to store it in the cloud via a web service or some other mechanism.
It is tricky to have a secure high score system since users can always modify information on the client side. It's impossible to prevent a determined hacker from looking at your code, but you can make it more difficult by obfuscating your code. PreEmptive's Dotfuscator is currently free for Windows Phone 7 developers and also has analytics built in if you want to use it. This will obfuscate your code and make it harder to read your code. Although it's not fool proof, it's an extra hurdle for hackers to overcome.
The obfuscation would make it harder to find the encryption key you're using to authenticate the high score.
I have developed a small software. I want to provide and run it commercially only. I want it to be run in the machines who have purchased it from me.
If someone copies it from my clients computer and runs it in next computer, I would like to stop functioning/running the software.
What can be the ways to prevent the piracy of my software?
Adaption of one of my previous answers:
There are a few ways to "activate" copied software to try to stop casual copying of the application.
In the most simplistic case, a registration code ("CD key") purchased from you, possibly via your website, and it is sent to the user who enters it into the program or installer. The whole process can basically be done offline; the program itself locally determines that the code is valid or invalid.
This is nice and easy, but it extremely vulnerable to key sharing - since there's no "phoning home" then the application cannot know that thousands of different people are all using the same key that they got off the internet or a serial library or their friend. It's also reasonably easy to make "keygens" which generate valid-seeming keys that were never actually issued by the developers.
Then we get into online registration. You still have some kind of code, but the program will phone home back to the server to determine whether the code is valid and usually unique. This stops basic key sharing, because the company knows if too many people from all over the world are all using the same key. Perhaps there is some kind of identification involved using MAC address, too, with infinite registrations allowed on the same hardware but maybe a limited number on what appears to be a different computer.
This is still pretty easy and stops simple key sharing. People will actually have to get into cracking the software or faking the server response to get past it.
Sometimes the program itself is partially/mostly encrypted and is only decrypted by the online registration step. Depending on how well this is obfuscated then it can be pretty difficult and time consuming to crack. Bioshock was a high-profile example of this - debuting with a brand new encryption/copy protection scheme that took around two weeks from release to be broken.
Finally, a particularly guarded application might stay in constant contact with the server, refusing to work at all if the connection is severed.
If you know for sure that all your users will all have reliable internet connections then it can be considered quite a strong way to protect the app, at the cost of privacy and some user distrust of the spyware.
In this case to get around the activation they would need to fake the server itself. Steam emulators and private WoW servers are an example of this.
And in the end, nothing is uncrackable.
In a nutshell: you can't.
Even very sofisticated systems (e.g. dongle keys) can be circumvented.
I guess your best call is to give a code to your customers and have an online check for that code, so that it cannot be used twice.
Of course, that can be circumvented too but...
As nico said you really can't.
A simple solution might be to generate (registration/activation) codes that are based on hardware or software installed on the particular computer - eg video card serial id or c:/windows creation time.
I have one idea may be it works.
What we can do, we will make an encorrupted database field and that field will be empty for the first time as soon as i install my software to some machine it will read the Mac Address + Mother Board Serial + Processor ID and make an encorrupted value with the combination of these three and write in to that field which i left empty for the first time use.
After that every time my application will read these three values and recreate the encrupptted value in the same manner and compare with the value of that database field. If the value of the database field and the value of the regenerated encrroupted field is equal, that means the computer is same other wise it is installed on some other machine in this case you delete all the code and can make the system unstable to punish the person also :) ...
Please let me know about your opinion about this idea.
The best way is to use some sort of hardware-locking in which your license code contains encrypted info about the machine on which it will run. Your software will then check for this info and match it with the current computer and if the match is successful, the license is deemed valid.
Sure, any scheme can be cracked by someone on the face of the planet, but that does not mean you shouldn't use a protection scheme.
If you are looking for a ready-made scheme for this, have a look at CryptoLicensing.
Companies such as ours (Wibu-Systems), Safe-Net, and Flexera (expensive) offer dongle-free solutions as well as ones based on hardware. But _simon was right in that a dongle is the only iron-clad protection. All software-based systems can be cracked; it's just that some are more difficult than others. Really good hardware-based solutions are effectively uncrackable. No one has yet cracked the CodeMeter stick unless the implementation was flawed.
I have a client who is interested in adding in electronic signature support to a long (40 question) seller application form. I'm a little stumped on whether there is an existing standard or process that's out there that folks in the financial world would expect to see?
I could certainly add in a system where we generate a bunch of text based on their responses, have the applicant sign it with their private key and upload a public key- but that seems like a lot to ask of people. Do non-nerds even have PGP installed these days?
Is there a standard approach to this out there? Anyone work in the financial world that's done this and had it work well?
We use Alphatrust's e-Sign Software.
What purpose is the signature trying to fill? Are you trying to verify that the form actually came from a specific seller? (If so, you would have to know their public key ahead of time.) Are you trying to hold the seller accountable for their answers at a later date? (In that case, you might need some kind of third-party involved.)
Sometimes people ask for electronic signatures just because they sound neat.
If these forms are meant to be shared throught to a general public you'll need to know (and can validate, that's the hardest part) all the producers of these amount of certificates people could use to sign these forms, and it's almost impossible.
With closed environments (like functionaries, doctors...) where all the users are suposed to hold a certificate (with a pre-known CA you trust) and you should be sure the form is sended by someone trusted (non repudation, integrity...) it's a better scenario to sign a form, otherwise I do not recomend you to use signed forms to achieve your goal.