Hi,
In one of my current projects, I am willing to create a secure zone such as
Acronis does in its application to store some confidential information only
accessible to the current machine user.
I know that .Net doesn't provide such functionalities therefore I went on
MSDN Library and also on Google to look for any solution with no result...
I first guessed that using WMI it could be doable (System.Management
namespace) but it only provides a way to retrieve information...
I then looked at interop but I couldn't find any library that could do the
job for me...
Now, comes my question, what would be your guess to handle this
functionality in my program...? I don't care if it has to be written in
unmanaged code as my current client users are binded to Windows
environments...
Thanks
Amadrias 11 8265
"Amadrias" <Am******@discussions.microsoft.com> wrote: Hi,
In one of my current projects, I am willing to create a secure zone such as Acronis does in its application to store some confidential information only accessible to the current machine user.
I know that .Net doesn't provide such functionalities therefore I went on MSDN Library and also on Google to look for any solution with no result...
Did you check out isolated storage?
"Isolated Storage" http://msdn.microsoft.com/library/de...tedStorage.asp
"Manage User Settings in Your .NET App with a Custom
Preferences API" http://msdn.microsoft.com/msdnmag/is...ompreferences/
this may also be of interest:
How To Create a DPAPI Library http://msdn.microsoft.com/library/de...secnetht07.asp
I first guessed that using WMI it could be doable (System.Management namespace) but it only provides a way to retrieve information...
I then looked at interop but I couldn't find any library that could do the job for me...
Now, comes my question, what would be your guess to handle this functionality in my program...? I don't care if it has to be written in unmanaged code as my current client users are binded to Windows environments...
Thanks
Amadrias
'Any fool can write code that a computer can understand.
Good programmers write code that humans can understand.'
Martin Fowler,
'Refactoring: improving the design of existing code', p.15
First thanks for this quick answer...
Unfortunatelly, this doesn't match my client requirements:
On the storage location, I knew that IsolatedStorage could provide me a good
place to store preferences data. Now, this doesn't provide a real secured
zone as if you are an administrator, you still can have access to the
isolated storage locations and manipulate the files which is something my
client doesn't want them to be able to do.
The unique way I can answer my client requirements is to programmatically
create a new partition on a hard drive or even in a removable storage and
then, make this partition not available to windows...
And I need a hand on this part...
Thanks,
Amadrias
"UAError" wrote: "Amadrias" <Am******@discussions.microsoft.com> wrote:
Hi,
In one of my current projects, I am willing to create a secure zone such as Acronis does in its application to store some confidential information only accessible to the current machine user.
I know that .Net doesn't provide such functionalities therefore I went on MSDN Library and also on Google to look for any solution with no result...
Did you check out isolated storage?
"Isolated Storage" http://msdn.microsoft.com/library/de...tedStorage.asp
"Manage User Settings in Your .NET App with a Custom Preferences API" http://msdn.microsoft.com/msdnmag/is...ompreferences/
this may also be of interest:
How To Create a DPAPI Library http://msdn.microsoft.com/library/de...secnetht07.asp
I first guessed that using WMI it could be doable (System.Management namespace) but it only provides a way to retrieve information...
I then looked at interop but I couldn't find any library that could do the job for me...
Now, comes my question, what would be your guess to handle this functionality in my program...? I don't care if it has to be written in unmanaged code as my current client users are binded to Windows environments...
Thanks
Amadrias 'Any fool can write code that a computer can understand. Good programmers write code that humans can understand.' Martin Fowler, 'Refactoring: improving the design of existing code', p.15
Just to add some information...
I've found an open source project that provides the kind of features I am
looking for: http://truecrypt.sourceforge.net/
However, the overall is compiled in a single .exe file and not shared as a
..dll that I could therefore import within my project...
Amadrias
"Amadrias" wrote: First thanks for this quick answer...
Unfortunatelly, this doesn't match my client requirements:
On the storage location, I knew that IsolatedStorage could provide me a good place to store preferences data. Now, this doesn't provide a real secured zone as if you are an administrator, you still can have access to the isolated storage locations and manipulate the files which is something my client doesn't want them to be able to do.
The unique way I can answer my client requirements is to programmatically create a new partition on a hard drive or even in a removable storage and then, make this partition not available to windows...
And I need a hand on this part...
Thanks,
Amadrias
"UAError" wrote:
"Amadrias" <Am******@discussions.microsoft.com> wrote:
Hi,
In one of my current projects, I am willing to create a secure zone such as Acronis does in its application to store some confidential information only accessible to the current machine user.
I know that .Net doesn't provide such functionalities therefore I went on MSDN Library and also on Google to look for any solution with no result...
Did you check out isolated storage?
"Isolated Storage" http://msdn.microsoft.com/library/de...tedStorage.asp
"Manage User Settings in Your .NET App with a Custom Preferences API" http://msdn.microsoft.com/msdnmag/is...ompreferences/
this may also be of interest:
How To Create a DPAPI Library http://msdn.microsoft.com/library/de...secnetht07.asp
I first guessed that using WMI it could be doable (System.Management namespace) but it only provides a way to retrieve information...
I then looked at interop but I couldn't find any library that could do the job for me...
Now, comes my question, what would be your guess to handle this functionality in my program...? I don't care if it has to be written in unmanaged code as my current client users are binded to Windows environments...
Thanks
Amadrias 'Any fool can write code that a computer can understand. Good programmers write code that humans can understand.' Martin Fowler, 'Refactoring: improving the design of existing code', p.15
"Amadrias" <Am******@discussions.microsoft.com> wrote: First thanks for this quick answer...
Unfortunatelly, this doesn't match my client requirements:
On the storage location, I knew that IsolatedStorage could provide me a good place to store preferences data. Now, this doesn't provide a real secured zone as if you are an administrator, you still can have access to the isolated storage locations and manipulate the files which is something my client doesn't want them to be able to do.
The unique way I can answer my client requirements is to programmatically create a new partition on a hard drive or even in a removable storage and then, make this partition not available to windows...
And I need a hand on this part...
I've found an open source project that provides the kind of features I am looking for: http://truecrypt.sourceforge.net/
However, the overall is compiled in a single .exe file and not shared as a .dll that I could therefore import within my project...
Amadrias
Looks like you have an uneviable task ahead of you...
Because your client's real vulnerabilty is the lack of trust
in the administrator.
10 Immutable Laws of Security http://www.microsoft.com/technet/arc.../10imlaws.mspx
Law #6: A computer is only as secure as the administrator is
trustworthy
Lets face it, that data will have to be unencrypted at some
point of time to be useful and thats when somebody
sufficiently competent and motivated can get at it
especially with administrator privileges.
You could simply write a wrapper class for truecrypt and use
it through the Process class. http://msdn.microsoft.com/library/de...classtopic.asp
however that would still leave your unencrypted data
vulnerable in your process memory and possibly the paging
file.
Creating a partiton on the disk is a pretty low level
operation - you may simply want to defer that to an
"pre-installation requirement" that there has to an
existing, usable (formatted) partition. Most systems are
delivered fully partitoned and your don't want to have to
reinvent something like "Partition Magic" to shrink an
existing partition to make room for the hidden partition.
That still leaves the unhiding and hiding of the partition
before and after use and all the problems that might entail
through the file system...
A removable 1 GB USB jumpdrive is starting to look real
good...
Good Luck
'Any fool can write code that a computer can understand.
Good programmers write code that humans can understand.'
Martin Fowler,
'Refactoring: improving the design of existing code', p.15
You can always encrypt the contents of the folder and/or files you create
using the user key and DPAPI. An admin cannot read the contents of user
encrypted folders.
Shariq Khan sh****@shariqkhan.com
"Amadrias" <Am******@discussions.microsoft.com> wrote in message
news:17**********************************@microsof t.com... Hi,
In one of my current projects, I am willing to create a secure zone such as Acronis does in its application to store some confidential information only accessible to the current machine user.
I know that .Net doesn't provide such functionalities therefore I went on MSDN Library and also on Google to look for any solution with no result...
I first guessed that using WMI it could be doable (System.Management namespace) but it only provides a way to retrieve information...
I then looked at interop but I couldn't find any library that could do the job for me...
Now, comes my question, what would be your guess to handle this functionality in my program...? I don't care if it has to be written in unmanaged code as my current client users are binded to Windows environments...
Thanks
Amadrias
Amadrias <Am******@discussions.microsoft.com> wrote: Just to add some information...
I've found an open source project that provides the kind of features I am looking for: http://truecrypt.sourceforge.net/
However, the overall is compiled in a single .exe file and not shared as a .dll that I could therefore import within my project...
That's only if you use the compiled exe, however. The project is open
source, so presumably you could compile it to a DLL yourself.
--
Jon Skeet - <sk***@pobox.com> http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
UAError <nu**@null.null> wrote:
<snip> Law #6: A computer is only as secure as the administrator is trustworthy
Lets face it, that data will have to be unencrypted at some point of time to be useful and thats when somebody sufficiently competent and motivated can get at it especially with administrator privileges.
<snip>
While that's true of computer security *in general*, it's not
necessarily true of all data stored on a computer. If I encrypt a
message with a pass phrase (using a suitably secure algorithm, of
course), and that pass phrase itself is only stored in my head, you
could be the administrator of whatever computer you want - you still
won't be able to get the plaintext without knowing the pass phrase.
--
Jon Skeet - <sk***@pobox.com> http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
Jon Skeet [C# MVP] <sk***@pobox.com> wrote: UAError <nu**@null.null> wrote:
<snip>
Law #6: A computer is only as secure as the administrator is trustworthy
Lets face it, that data will have to be unencrypted at some point of time to be useful and thats when somebody sufficiently competent and motivated can get at it especially with administrator privileges.
<snip>
While that's true of computer security *in general*, it's not necessarily true of all data stored on a computer. If I encrypt a message with a pass phrase (using a suitably secure algorithm, of course), and that pass phrase itself is only stored in my head, you could be the administrator of whatever computer you want - you still won't be able to get the plaintext without knowing the pass phrase.
That wasn't my point. You are simply referring do the data
in its encrypted state - but somebody with administrative
privileges has the means to disclose your secrets when YOU
are working with them in their UNENCRYPTED state.
The key phrase here is "sufficiently competent and
motivated". An attacker with local administrator privileges
could install utilities to snap shot your process memory
and/or paging file to capture your unencrypted secrets. A
network administrator could do the same remotely. This puts
additional pressure on the developer to keep the unencrypted
secrets from being swapped to the paging file, erasing any
buffer memory used and to leave secrets unencrypted for the
shortest possible window inside the application. However the
secrets remain vulnerable while they are being displayed to
the user in the clear.
So you could say "it IS necessarily true for all data USED
on the computer".
UAError <nu**@null.null> wrote: While that's true of computer security *in general*, it's not necessarily true of all data stored on a computer. If I encrypt a message with a pass phrase (using a suitably secure algorithm, of course), and that pass phrase itself is only stored in my head, you could be the administrator of whatever computer you want - you still won't be able to get the plaintext without knowing the pass phrase.
That wasn't my point. You are simply referring do the data in its encrypted state - but somebody with administrative privileges has the means to disclose your secrets when YOU are working with them in their UNENCRYPTED state.
You're assuming that the unencrypted data is ever present on the
computer. I could email you an encrypted file, and whatever rights you
have on your computer, you wouldn't be able to decrypt it. There's
nothing to say that I would then need to decrypt it at any stage on
your computer. You could keep it for me and then pass it back to me for
decryption on my trusted computer at a later date.
--
Jon Skeet - <sk***@pobox.com> http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
Jon Skeet [C# MVP] <sk***@pobox.com> wrote: UAError <nu**@null.null> wrote: >While that's true of computer security *in general*, it's not >necessarily true of all data stored on a computer. If I encrypt a >message with a pass phrase (using a suitably secure algorithm, of >course), and that pass phrase itself is only stored in my head, you >could be the administrator of whatever computer you want - you still >won't be able to get the plaintext without knowing the pass phrase.
That wasn't my point. You are simply referring do the data in its encrypted state - but somebody with administrative privileges has the means to disclose your secrets when YOU are working with them in their UNENCRYPTED state.
You're assuming that the unencrypted data is ever present on the computer. I could email you an encrypted file, and whatever rights you have on your computer, you wouldn't be able to decrypt it. There's nothing to say that I would then need to decrypt it at any stage on your computer. You could keep it for me and then pass it back to me for decryption on my trusted computer at a later date.
Again you are entirely missing the point. Your scenario is
sound simply because the data is never decrypted. Here I'm
not concerned with the administrators of the machines where
the encrypted data resides - though they still have ample of
opportunity for brute force attacks.
I was concerned with the administrators of the machines
where the data is being encryted, decrypted and worked with.
So you still have to be able to TRUST the administrator of
your TRUSTED computer - otherwise your are vulnerable to
"eavesdropping"/"monitoring" while you work with your
(unencrypted) precious secrets. There is no point of having
encrypted data that will never be decrypted - you might as
well destroy it.
UAError <nu**@null.null> wrote: You're assuming that the unencrypted data is ever present on the computer. I could email you an encrypted file, and whatever rights you have on your computer, you wouldn't be able to decrypt it. There's nothing to say that I would then need to decrypt it at any stage on your computer. You could keep it for me and then pass it back to me for decryption on my trusted computer at a later date.
Again you are entirely missing the point. Your scenario is sound simply because the data is never decrypted. Here I'm not concerned with the administrators of the machines where the encrypted data resides - though they still have ample of opportunity for brute force attacks.
I was concerned with the administrators of the machines where the data is being encryted, decrypted and worked with.
So you still have to be able to TRUST the administrator of your TRUSTED computer - otherwise your are vulnerable to "eavesdropping"/"monitoring" while you work with your (unencrypted) precious secrets. There is no point of having encrypted data that will never be decrypted - you might as well destroy it.
Yes, you have to trust the administrator of the trusted computer. That
much I wouldn't deny. I was only disagreeing with your idea that if you
store data on any computer in any way, and that computer has an
untrustworthy administrator, your data is insecure. My scenario is a
counter-example to that.
--
Jon Skeet - <sk***@pobox.com> http://www.pobox.com/~skeet
If replying to the group, please do not mail me too This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Amadrias |
last post by:
Hi,
In one of my current projects, I am willing to create a secure zone such as
Acronis does in its application to store some confidential information only
accessible to the current machine...
|
by: Null Reference |
last post by:
Anybody here who can explain or point me to a link ?
I wish to create a blank MS Access DB file programmatically
using C# .
Thanks, nfs
|
by: John Salerno |
last post by:
Forgive my excitement, especially if you are already aware of this, but
this seems like the kind of feature that is easily overlooked (yet could
be very useful):
Both 8-bit and Unicode strings...
|
by: cpressley2 |
last post by:
Hi,
On a multi-partition instance, can you create a database on a single
parition? How???
The db architects want to use one instance for four databases where
only one is big enough for a...
|
by: Laurence |
last post by:
Hi folks,
As I konw: database partition (aka data partition?), the database can
span multiple machines; table partition, the data within a table can
seperate by certain condition.
How about...
|
by: m.smith_1999 |
last post by:
Hello,
I'm a student software developer.
As a part of an excerise I'm doing I'm trying to build a program to
create "mount files" and mount them.
Something like Sarah Dean's OTFE but really...
|
by: ALLYWEIR |
last post by:
Hi,
I am trying to create a partitoned table using the following:-
CREATE TABLE ORDERS(ID INT, SHIPDATE DATE)
PARTITION BY RANGE(SHIPDATE)
(
STARTING '1/1/2006' ENDING...
|
by: nbajrach |
last post by:
how to partition on a table if table already exits without any partition.
This is what i tried but gave me error
SQL> alter table sip add partition by range(si_id)
2 partition p1_si...
|
by: Geolas |
last post by:
Hi, new to this community.I am not really sure if this was the right place, because this community seem to be for developers really.
Well my question is, as the topic states, how to create a...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
| |