tags:

views:

175

answers:

2
Q: 

How to implement/use a secure 'read-once' local file access system?

Hi, does anybody know of a secure 'read-once' local file access system? Or how one might create one? I realise that if data is to be used on a system, then it must be capable of being read, but I think it may be possible to severely limit how data is made available and reduce the possibility of it being copied and used elsewhere.

These are my requirements:

I want to store a 'secure/encrypted' data-file on a USB stick (could be read-only CD/DVD, but better if read/write USB or even a floppy) and have this file capable of being read once (and mainly only once), on a decoded block-by-block basis, once a password has been entered. The file content is probably basic text/xml (or text-encoded data) and is to be read mainly as a sequential stream. The data (ideally) can be read by normal windows file-access methods, ie: a std file, FSO objects (stream and text file), all BASIC PC (VB6/VB.NET) file handling methods, even Excel text (import). yes, I know this probably defeats the object (as such a file can then be opened/saved), but I would still want this possibility. Finally, once the 'access' criteria had been met, the device would prevent further access.

Access to the data would be on a local PC system only. No LAN, no device sharing supported. Data on the device should not be copyable by normal means. Data would be written to the device using normal methods if possible or a special application if necessary.

To keep things simple, just one password, one file, one use, and one user would be great, but other possible enhancements include: (as icing on the cake)...

  • allowing 'n' opens
  • having multiple passwords 2 or more users, acting individually
  • silo-passwords, having 2 more users sign together to get access (or even having at least n from m more users sign together to get access)
  • Password prompt should be given on first block-access, independent of application calling the first block
  • Password could be embedded/automatic
  • tie the access to a nominated machine/mac/ip/disk serial number (or other machine-code)
  • tie the access to a nominated program /application
  • if possible, delete and securely overwrite the data file

My first guess at doing this suggests that it would need a 'psuedo-device' driver that would appear as an extention to (or replacement of) the std removable-device driver. The driver would handle each file block, sector by sector, and refuse to server further decoded blocks if not authorised. The device should not give normal directory listings, but some some form of content summary may be given to a user (optional).

Unlike a DRM system, I don't want any form of on-line acces/authentication (but would consider it), I would prefer a self-contained system.

I have looked long and hard for a such a device/system, and haven't found one yet. Most devices and system tools (eg: Iomega/ironkey) appear to unlock access to files, but without limit, ie: read-many, once unlocked.

Performance is not an issue. Slow floppy read-rate would be okay. Encyption method is agnostic, anything reasonably strong 40bit+ (128bit) would be fine. I can't tell you what the data is or whats its for, I just need a way to give data to somebody and limit its use as far as possible and what they can do with it. Its a real requirement to protect confidential data and not meant for DRM or MP3s/Videos or similar.

I am an 'office' developer and not really familiar with device-drivers or DRM - Now where would I start with such a project? Is there anything out-there available to joe-public already?

Thanks - Tim.

PS: Update

I should point out that I just wish to pass data between ourselves and a single specific nominated service-provider. I don't want them to copy the data we provide. It will be used once to support a 'singular' one-off process and then be done-with. As the data is 'streamed/read' it should be 'consumed'. if the process fails, we will re-issue the data to the service-provider. the data remains our property, it is not being sold/licensed.

I do realise that no solution will be foolproof, but the risk/reward ratio should dissuade casual attempts to break the system. The data has no explicit commercial value.

PPS: Its a real requirement... What would you do?

Judging by the upvotes on @eriksons thoughtful answer, you guys are saying 'not possible / don't bother' - but apart from personally supervising that the data is used according to our wishes, what would you do?

+4  A: 

Executive summary: this isn't a realistic solution. Re-think the process so that "read-once" isn't necessary.

A few companies (Disappearing Inc. comes to mind, and they had at least one competitor) tried to make "self-destructing" email on general-purpose hardware in the late 90s. They spent millions of dot.com dollars to develop systems that didn't really work.

The only potential solution I know of is the use of a Trusted Platform Module. These are fairly common, as they are required in all computers bought by the US government. However, their capabilities vary. You'd need one that supported something called remote attestation, which allows software to perform integrity checks on itself. With this capability, you could write software that would enforce your data destruction policy. However, I don't think this feature is widely used. My laptop has a TPM, but it doesn't support this.

You should also be aware that there is a lot of hostility against "trusted computing," because it can be used to limit the functionality of a machine. This violates the right to do as you please with your property. TPMs might make sense for corporate or government machines, but not for personal computers.

Other aspects of your problem, such as granting multiple users access to the data, requiring multiple users to gain access to the data are easier.

Encrypting data for multiple users is typically achieved by generating a key, encrypting the data with that "content encryption key", then encrypting the key (which is relatively small) with a "key encryption key" (which could be a password) belonging to each intended recipient.

Requiring some number of users to enter a password can be done securely with Shamir Secret Sharing, as I learned here on SO.

Based on the comments on the question, especially the "mailing label printing service" analogy, I'm afraid my initial answer isn't really relevant.

In a case like that, I can only see a legal solution. Disallow storage of your data in the contract. If it's worth suing them for violating the contract, do so.

Cryptographically speaking, the best thing I could think of would be to "watermark" such a "mailing list" with information that would help me prove that a copy of the list was disclosed by a particular vendor. Knowing that a watermark exists might deter any deliberate disclosures, and could help leverage a fast settlement in the case of accidental disclosure. This could use steganographic techniques within records as well as fake records in the collection.

Algorithms for doing this might already exist, but I'm not familiar with the field. Researching "digital watermarks" might be useful. Even if it only turns up algorithms for protected video and audio, perhaps these could be adapted to work with other media.

erickson  2009-09-14 17:18:37
+1: DRM is bad, m'kay? Don't do it, m'kay?
Trevor Harrison  2009-09-14 17:27:58
@erickson: I've added a little clarifcation to my requirements. rethinking the process is not an option. The alternative is to personally 'supervise' the data usage each time it is needed which is not entirely practical or welcome. Bear in mind we have contracts with the recipient, but we believe prevention is better than cure. To be fair, the 'silo password access' is probably a distraction. Self-destructing email is a different prospect entirely (even if it can be recalled [lotus-Notes]). The TPM solution is probably overkill, but I'll look into it). Thanks for your suggestions, appreciated!
andora  2009-09-14 17:42:04
@Trevor: DRM is not bad in principal, in practice it may be awkward and annoying, but I assure it is necessary. Without the form of DRM I require in a world of escalating id-theft, the problem will only get worse. The sooner a working 'read-n' system is in wide circulation, the better.
andora  2009-09-14 17:46:47
@andora: I disagree. DRM IS bad in principal. It assumes a computing model that would turn us all into helpless 'users'. In a world of general purpose computers, DRM has no place.Obviously it is currently a tool to attempt to take away 'commercial' freedoms. Luckily it fails because of its inherent (uncorrectable) flaws. A future where there is perfect DRM scares the crap out of me because of the other changes that would be necessary to make that happen.
Trevor Harrison  2009-09-14 18:15:48
@andora: [for some reason this has got me riled up. advance apologies for taking it out on your question] People that implement fatally flawed DRM type schemes, get burned, and then run to the gov't, crying, to make all those evil hackers stop abusing their system get little to no sympathy from me. The government's 'solution' is much worse than the damage caused by the eeeevil hackers.
Trevor Harrison  2009-09-14 18:24:42
@erickson: ok, but as I said, prevention is better than cure. Seeding the data assumes a) we find out after the break-out and b) the legal recourse is worthwhile, it isn't! Some form of 'read-once' mechansim would provide more peace of mind, and wouldn't exclude any additional measures.
andora  2009-09-14 19:05:36
@trevor: 1. I'm not going to discuss the rights/wrongs DRM with respect to copyright/big brother/commercial exploitation, etc, etc. All I will say is a) DRM=the law, without the law, we have disorder, even if it lmits your freedoms. What I seek to do is protect personal data, I am not aiming to limit freedom, but grant it by protecting it from abuse/misuse. The R=Rights: it is my right I seek to protect. I accept you don't agree with or like DRM, but I am not asking for your opinion on DRM. Thank you.
andora  2009-09-14 19:19:40
@andora: your right to swing your fist around in the air ends at my nose^Hcomputer :-) I agree this isn't the best place to discuss this, and I don't know why I felt strongly enough to vent yesterday.
Trevor Harrison  2009-09-16 15:44:33
+1  A: 

There are several problems with your approach.

  1. If you can read the data from any application, you can safe the data anywhere. I would think this would defeat the purpose of any 'only-one-access' policy.
  2. To get a device driver to handle your scenario, you would need deep knowledge of file-system-programming, which at least under windows is no easy undertaking. Even then, it would be hard to enforce the one time access prerequisite.
  3. Programs have different file-access strategies, which might break your assumptions. E.g. an application may open a file once to get its size, then close and reopen it, to load its data. How should this be enforced? Do you want to limit 'OpenFile' calls? do you want to limit 'read byte' calls? Do you want to limit ... jumping around in the file?
  4. When your medium gets copied, by whatever means, you have no way of knowing that. The games industry tries to bind the game to the original CD for years, but failed miserably for years.

I think, what would be feasible, would be a container format, with a encoder/decoder, or something like that. (See Bitlocker in Windows7) That would guarantee, that you can only decode the data once to a local disc and would then delete the container on your medium (beware, check first if the medium is writable, and bind the container to an serial-number or name of the medium so that the container cannot be copied).

Another possibility would be a separate USB device, which you can only use once to extract the data from it. Then you would only need to write a driver once in user mode with WinUSB. Encrypted USB-Sticks use this approach.

But I really think this is a bad idea, because you can very easily get around any counter measurement, when the receiving person can read all data from the medium and safe it anywhere else.

Christopher  2009-09-14 18:34:08
@Christopher I know its not ideal! 1.The legit process has to run once to get result. The legit process cannot copy/display the data only read it and process it. So, cannot be stored somewhere else as well if read-once. 2.Good point,not impossible!3.Good point.Okay to open file x tmes, but only deliver 1 sector once. After delvery, write sector null/blank/spaces. Can read x times, but 2nd time get nothing useful. 4. true. But I am customer for end-result, if works, then I get the valid result and service provider gets nothing. Container might work? If can tie to app can limit how file is read!
andora  2009-09-14 19:36:50
I think what Chris is emphasizing in point #1 is that if an application can read your file one time, you don't know what it's done with the data. As it reads---the one time it's permitted---information into memory to perform the requested service, what's to stop it from storing a copy of the data in an unprotected file?
erickson  2009-09-15 05:44:42
@all: thank you for your comments. Trying to patch-up security partway in a process seems like folly unless I can truly deal with the end-to-end process - which I can't! I had thought I wanted something like the Mission Impossible Tape which self-destructs, but even that could be recorded before the 5secs self-destruct! Time to think again! (But still open to suggestions!)...
andora  2009-09-15 09:03:06
The best way to proceed would be to think of a format for your client, which he can only use with your own software. This is the way all DRM schemes work. If you own the application to show the data, you can impose restrictions. Another possibility is 'to speak in the terms of your own example', maybe send the client image files so that he cannot 'easily' extract the address data, but can print them out.
Christopher  2009-09-15 09:57:21

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security