I'm writing an application with a dBASE database file in Borland Delphi 7.

Note: I think this question is file-security related and you can forget the dBASE thing (consider it as a TXT file) in this question.

The database must be accessed just by the application. Then it must be encrypted. Unfortunately dBASE doesn't support any password mechanism and I had to encrypt the file by myself (and I also HAVE to use dBASE).

What approach do you suggest to secure the database file?

The simple one is:

  1. Encrypting the database file and placing it beside the application EXE file.
  2. When the application runs, it should decrypt the file (with a hard-coded password) and copy the result to a temporary file that has DeleteOnClose and NoSharingPermission flags.
  3. When closing, the application should encrypt the temp dBASE file and replace the old encrypted file with the new one.

I think this is a fairly secure approach. But it has two big problems:

  1. With an undelete tool the user can restore and access the deleted temp file.
  2. Worse: When the application is running, if the system reboots suddenly, the DeleteOnClose flag fails, the temp file remains on the hard disk, and the user can access it.

Is there any solution for, at least, the second part?

Is there any other solution?

A: 

Encrypting the data in the database instead of the dBASE file is one option.

(Note: a dedicated snooper will still extract the password from the binary)

Nifle
Processing all records of the dBASE file takes a lot of time. So this is not practical.
Isaac
A: 

Expanding on Nifle's answer -- depending on what you're doing with the database, you may be able to get away with just decrypting the records you actually need. For example, you could build indexes based on hash codes (rather than real data); this would reduce seeks into the database to a smaller set of data. Each record in the subset would have to be decrypted, but this could be a lot better than decrypting the entire database.

Marc Bernier
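
A sketch of the hash-indexed lookup described in the answer above, as an added example that is not code from the answer's author or from the question. The class `BlindIndexTable`, the `demo` helper, the keys and the customer records are all constructed for illustration, and the choice of HMAC-SHA256 for the index and AES-256-GCM for the records is an assumption, since the page names no algorithms.

```ruby
require 'openssl'

# BlindIndexTable is a hypothetical stand-in for the dBASE table: each row
# stores only HMAC(index_key, lookup field) plus the AES-256-GCM ciphertext.
class BlindIndexTable
  attr_reader :rows, :decrypts

  def initialize(enc_key, index_key)
    @enc_key, @index_key = enc_key, index_key
    @rows = Hash.new { |h, k| h[k] = [] } # tag => [[iv, auth_tag, ciphertext]]
    @decrypts = 0 # number of rows opened so far
  end

  # Keyed hash: tags in the file cannot be matched by hashing guessed values.
  def tag(field)
    OpenSSL::HMAC.hexdigest('SHA256', @index_key, field)
  end

  def put(field, record)
    t = tag(field)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = @enc_key
    iv = c.random_iv
    c.auth_data = t # binds the row to its tag; a moved row fails to open
    ciphertext = c.update(record) + c.final
    @rows[t] << [iv, c.auth_tag, ciphertext]
  end

  # Decrypts only the rows filed under this field's tag, not the whole table.
  # Raises OpenSSL::Cipher::CipherError if a row was altered or relocated.
  def get(field)
    t = tag(field)
    @rows.fetch(t, []).map do |iv, auth_tag, ciphertext|
      d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
      d.key = @enc_key
      d.iv = iv
      d.auth_tag = auth_tag
      d.auth_data = t
      @decrypts += 1
      (d.update(ciphertext) + d.final).force_encoding('UTF-8')
    end
  end
end

# Constructed sample: random keys and 1000 made-up customer records.
def demo
  table = BlindIndexTable.new(OpenSSL::Random.random_bytes(32), OpenSSL::Random.random_bytes(32))
  1000.times { |i| table.put("cust-#{i}", "name=Customer #{i};balance=#{i * 10}") }
  [table.get('cust-42'), table.decrypts, table.rows.size]
end
p demo
```

Looking up one customer opens one row out of 1000. Where the two keys live is outside this sketch, and the earlier note about extracting a password from the binary applies to them as well.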
+1  A: 

You could also try to create a TrueCrypt file-based container, mount it, and then put the dBase file inside the mounted encrypted volume. TrueCrypt is free (in both senses) and it's accessible via command line parameters from your application (mount before start, unmount before quit).

dnet
I still have not tested it but it seems the right solution ;)
Isaac