I'm working with a listview control which saves the data using AES encryption to a file. I need to keep the data of every item in the listview in a std::list of std::string. Should I just keep the data encrypted in the std::list and decrypt to a local variable when it's needed? Or is it enough to keep it encrypted in the file only?

+6  A: 

To answer this question you need to consider who your attackers are (i.e. who are you trying to hide the data from?).

For this purpose, it helps if you work up a simple Threat Model (basically: Who you are worried about, what you want to protect, the types of attacks they may carry out, and the risks thereof).

Once this is done, you can determine if it is worth your effort to protect the data from being written to the disk (even when held decrypted only in memory).

I know this answer may not seem useful, but I hope it helps you to become aware that you need to specifically state (and hence know) who your attackers are, before you can correctly defend against them (i.e., you may end up implementing completely useless defenses, and so on).

Noon Silk
A: 

Will you be decrypting the same item more than once? If you aren't concerned about in-memory attacks then performance might be the other issue to consider.

If you have time it may be worth coding your solution to allow for both eventualities. Therefore if you choose to cache encrypted, then it's not too much work to change to a decrypted in-memory solution later on if performance becomes an issue.

Robin Welch
Yes, it would be decrypting the same item when needed. But right now I'm concerned about how I would sort the items if they're kept encrypted in the container?
Dave18
@Dave17: You can hold some metadata to allow easy sorting (i.e. a SortIndex doesn't really need to be encrypted). But it's worthwhile considering if this leaks any information (it may or may not) to an attacker. As always, the more you implement, the more risk there is, due to increased surface area for attack, and the more prone to errors you are.
Noon Silk
But why do you need to encrypt the data if you're already viewing it in the listview? Wouldn't it be better to just lock that memory area?
Dave18
A: 

It is unclear what attack you are attempting to defend against. If the attacker has local access to the system then they can attach a debugger like OllyDBG to the process to observe its memory. The attack would be to set a break point at the call to AES and then observe the data being passed in and returned, very simple.

Rook
A: 

I agree with the answer from silky that you have to start with a basic threat model. Just wanted to point out that when handling sensitive information in memory, you have every right to be concerned that the information may end up on disk even if you do not write it out.

For example, the data in memory could be written to swap space or could end up in a core file and from there on elsewhere (such as an email attachment or copied to other places). You can deal with these without encrypting data in memory since that may just shift the problem to dealing with the key to decrypt that data...

mar
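
The last answer says plaintext held in memory can reach disk through swap space or a core file, and that this can be handled without encrypting in memory. The sketch below is an added example, not code from any poster in this thread: on a POSIX system it turns off core files, keeps one decrypted item in pages locked out of swap, and wipes it on release. `SecretBuffer` and `disable_core_dumps` are hypothetical names, and the sample string is constructed.

```cpp
// Added example (POSIX); SecretBuffer and disable_core_dumps are hypothetical names.
#include <sys/mman.h>
#include <sys/resource.h>
#include <cstddef>
#include <cstring>
// Core-file limit 0: a crash cannot write decrypted items to disk.
bool disable_core_dumps() {
    struct rlimit rl = {0, 0};
    return setrlimit(RLIMIT_CORE, &rl) == 0;
}

class SecretBuffer {
public:
    explicit SecretBuffer(std::size_t size) : size_(size) {
        void* p = mmap(nullptr, size_, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (p == MAP_FAILED) return;
        data_ = static_cast<unsigned char*>(p);
        locked_ = (mlock(data_, size_) == 0);  // can fail: RLIMIT_MEMLOCK
    }
    ~SecretBuffer() {
        if (!data_) return;
        wipe();                  // clear before the pages are returned
        munmap(data_, size_);    // unmapping also releases the lock
    }
    SecretBuffer(const SecretBuffer&) = delete;
    SecretBuffer& operator=(const SecretBuffer&) = delete;
    // Copy n plaintext bytes in; refuses input that does not fit.
    bool store(const void* src, std::size_t n) {
        if (!data_ || n > size_) return false;
        std::memcpy(data_, src, n);
        return true;
    }
    // Volatile writes keep the compiler from dropping the clear as a dead store.
    void wipe() {
        volatile unsigned char* p = data_;
        for (std::size_t i = 0; p && i < size_; ++i) p[i] = 0;
    }
    const unsigned char* data() const { return data_; }
    bool locked() const { return locked_; }
private:
    unsigned char* data_ = nullptr;
    std::size_t size_;
    bool locked_ = false;
};

int main() {  // constructed sample input
    SecretBuffer item(4096);
    return disable_core_dumps() && item.store("constructed sample", 18) ? 0 : 1;
}
```

Only the bytes inside the buffer are covered: any `std::string` copy of the plaintext made elsewhere lives on the ordinary heap, so decrypted output should go straight into the buffer. If `locked()` returns false the pages can still be swapped, and the caller has to decide whether to proceed.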