Re: encrypt data in registry
- From: Joseph M. Newcomer <newcomer@xxxxxxxxxxxx>
- Date: Mon, 02 Jul 2007 10:44:13 -0400
This is a nasty problem, because encrypting the data won't actually protect it from other
than casual inspection; for example, if I knew you had an encrypted password, it would
take me perhaps 20 minutes to get the plaintext (run the app under a debugger, intercept
the RegQueryValueEx call, and single-step through the decode process). Alternatively, I
would intercept the password when it was first typed in, which would probably take me five
minutes to code up.
Rights will not protect the key (they are not that complicated, but they don't actually
protect information, as you observe), because if I'm running as the logged-in user, I
would be able to read the plaintext, which means that any malware that might download would
be able to read it anyway.
You would need a challenge-response system to ensure that you had some hope of security,
and even that can be compromised but it is much harder.
You might investigate the crypto API (look for CryptoAPI in the MSDN), which will only
give you slightly improved security over plaintext, because of the possibility of a
plaintext intercept.
joe
On Sun, 01 Jul 2007 21:54:23 -0700, Frank Cusack <fcusack@xxxxxxxxxxx> wrote:
Sorry, I realize this is not an MFC question but hopefully you will
tolerate it.
I would like to encrypt some data in the registry. At least I think
I'd like to do that. :-)
I'm storing a secret key. I don't want to depend on access rights
because, well they seem complicated and also I don't want a registry
backup to expose the key.
I want to avoid storing a separate key, used to encrypt the registry
data, because that seems obviously not helpful. That key would
necessarily have to be on the machine and therefore doesn't offer a
lot of protection. Still, that might be ok if it were my only choice.
It's not ok for the user to have to type a password (at app startup)
to unlock the registry data.
So, I thought the ideal would be using the user's password. Is there
some function to either get access to this (or the MD4 of it,
whatever), or to have the system apply the user's password to encrypt
my data? With this idea, I don't actually NEED access to the user's
password, just access to some service that uses the user's password.
The problem with this is that if the user changes their password, the
registry data is now bad. Even if there is a way for my app to be
signalled on password changes, what if my app isn't running at the
time?
So, any ideas? It'd be nice to have a service like the Mac OS X
keychain.
-frank
Joseph M. Newcomer [MVP]
email: newcomer@xxxxxxxxxxxx
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm
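The Windows service Frank is asking for (keyed off the user's logon credentials, no separate stored key, survives password changes) is DPAPI, part of the CryptoAPI Joe points at: CryptProtectData/CryptUnprotectData in crypt32.dll, exposed to managed code as System.Security.Cryptography.ProtectedData. The example below is added here and is not code from either poster; the registry path, value name and entropy string are assumptions chosen for illustration. Joe's caveat still applies: anything running as the same logged-in user can call the same API and recover the plaintext.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

// Stores a secret under HKCU as a DPAPI blob. The protecting key is derived by
// Windows from the user's logon credentials; Windows re-wraps the DPAPI master
// keys when the password changes, so the app never handles the password and
// does not need to be running at the time of the change.
static class RegistrySecret
{
    // Hypothetical registry location for this example.
    const string SubKey = @"Software\ExampleVendor\ExampleApp";
    const string ValueName = "ApiKey";

    // Optional entropy is mixed into the DPAPI key, so a blob cannot be opened by a
    // plain CryptUnprotectData call without this value. It ships in the binary, so
    // it separates applications; it is not a secret (exactly the limitation Joe describes).
    static readonly byte[] AppEntropy = Encoding.UTF8.GetBytes("ExampleApp-v1-entropy");

    public static void Store(string secret)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(secret);
        byte[] blob = ProtectedData.Protect(plaintext, AppEntropy, DataProtectionScope.CurrentUser);
        Array.Clear(plaintext, 0, plaintext.Length); // do not leave the plaintext copy around
        using (RegistryKey key = Registry.CurrentUser.CreateSubKey(SubKey))
        {
            key.SetValue(ValueName, blob, RegistryValueKind.Binary);
        }
    }

    public static string Load()
    {
        byte[] blob;
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(SubKey))
        {
            blob = key?.GetValue(ValueName) as byte[];
        }
        if (blob == null) return null; // nothing stored yet

        try
        {
            byte[] plaintext = ProtectedData.Unprotect(blob, AppEntropy, DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(plaintext);
        }
        catch (CryptographicException)
        {
            // Blob was written by another user or machine, with different entropy,
            // or has been tampered with (DPAPI blobs carry an integrity check).
            return null;
        }
    }
}
```

A registry backup still contains the blob, but without the user's credentials (and, for a domain account, the domain backup key) it cannot be unwrapped, which addresses Frank's backup concern without a password prompt at startup.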