tags:

views:

81

answers:

2

Suppose you are writing a survey application and would like to somehow guarantee results to be secure from the user's standpoint. Put simply, I know what IP you came from, but I want to make sure you sleep well at night knowing I know nothing of your responses. I can't store the IP in raw form.

I do need to guarantee one thing though: that you answer the questions once. So once your PC comes in with some data, I need to recognize that your PC has already responded to the survey.

Any suggestions on how to best handle it?

Thanks -mac

+5  A: 

Create a one-way hash of the IP address (and any other unique identifying attributes), and store the hash with the response. That way no one can look up the IP address for a response, but you can compare the hash to previously submitted responses to ensure people only submit the form once.

There's not much you can do to convince someone you're respecting their privacy. Just don't abuse the trust, and people will work it out.

(For an idea on how to create a hash in java see http://stackoverflow.com/questions/415953/generate-md5-hash-in-java)

jimmycavnz
Cool! This is similar to how Gmail does not actually store our passwords, but hashes instead. This solves half of the problem, so that already proves me wrong.
Hamish Grubijan
You'd have to **heavily** iterate the hash (tiny keyspace...). But even then, if you want to be able to verify the hash in a feasible amount of time, the adversary would be able to pick an IP address and check if it matches the hash or not. He can narrow it down to a smaller range than 2^32.
Longpoke
This idea has two problems: 1. Multiple employees sharing the same computer. It will block the second employee from completing the survey. 2. One employee using multiple computers to bypass the one employee, one survey guarantee. But I agree heavily with "There's not much you can do to convince someone you're respecting their privacy. Just don't abuse the trust, and people will work it out."
emory
@Longpoke and @emory: which is why you would add extra identifying attributes. More attributes (such as a browser session ID or even their surname) would make it harder for attackers, and will also make the identifier *more* unique.
jimmycavnz
@jimmycavnz: I'm not sure I understand what you're getting at. By "session ID" do you mean a randomly generated token? Then the user can just clear his cookie and get a new one and thus vote again? Same for surname.
Longpoke
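As an added example (not code from any of the posters above), here is the hashed-IP deduplication in Python together with the keyspace caveat raised in the comments: an unkeyed hash of an IPv4 address can be checked offline by anyone holding the stored table, because there are only 2^32 candidates, whereas an HMAC under a key kept on the survey server keeps the "same IP, same value" property needed for duplicate detection without permitting that offline check. The names `ResponseLog` and `find_ip_for_hash` and the 203.0.113.0/24 sample addresses are my own choices.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional


def plain_ip_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the address text (the scheme the answer describes)."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def find_ip_for_hash(target: str, network: str) -> Optional[str]:
    """Illustrates the weakness Longpoke points out: IPv4 has only 2^32
    values, so anyone holding a stored unkeyed hash can test candidates
    against it. The search is limited to one /24 (256 addresses) here
    purely to demonstrate the risk on a small range."""
    for addr in ipaddress.ip_network(network):
        if plain_ip_hash(str(addr)) == target:
            return str(addr)
    return None


def keyed_ip_hash(ip: str, server_key: bytes) -> str:
    """HMAC-SHA256 under a secret held only by the survey server. Without
    the key, checking candidate addresses offline is no longer possible;
    the same address still maps to the same tag, so duplicates are still
    detectable."""
    return hmac.new(server_key, ip.encode("ascii"), hashlib.sha256).hexdigest()


class ResponseLog:
    """Remembers keyed tags only, never raw addresses. The key belongs in
    configuration or a secrets store, separate from the response database,
    so that a dump of the responses alone says nothing about who answered."""

    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._seen: set = set()

    def record(self, ip: str) -> bool:
        """Return True for the first response from `ip`, False if a response
        with the same tag was already recorded."""
        tag = keyed_ip_hash(ip, self._key)
        if tag in self._seen:
            return False
        self._seen.add(tag)
        return True


if __name__ == "__main__":
    # Constructed sample addresses from the 203.0.113.0/24 documentation range.
    respondent = "203.0.113.7"
    print("unkeyed hash recovered:",
          find_ip_for_hash(plain_ip_hash(respondent), "203.0.113.0/24"))
    key = secrets.token_bytes(32)  # generate once; keep it out of the response DB
    print("keyed tag recovered:",
          find_ip_for_hash(keyed_ip_hash(respondent, key), "203.0.113.0/24"))
    log = ResponseLog(key)
    print("first submission accepted:", log.record(respondent))
    print("second submission accepted:", log.record(respondent))
```

Keying the hash addresses only the privacy side of the thread. emory's objection stands unchanged: several people behind one address still collide on one tag, and one person with several addresses still gets several tags.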
+2  A: 

You can't guarantee either of these. All you can do is raise the bar so it's harder to get around it. If someone really wants to get around your tracking they can if they know enough about your system. Good thing is most people either don't want to bother or don't know how.

You can generate a cryptographic hash and store that in a cookie on the person's browser if you want to prevent the proxy problem. Lots of websites do this for session creation to track authentication. This is something like using an HMAC to generate something that identifies the browser with a unique key that can't be faked. If they clear their browser, though, you won't be able to track them.

A one-way hash of the IP address is a way to keep your IP from being tracked, but the same IP always hashes to the same value, so you can tell if someone is doing that. However, if they go to an internet cafe, voilà, they can resubmit. You'd use SHA1, MD5, etc. for that.

You can do the same thing with email address and hash it. To get people to want to participate send the results to their email address instead of displaying in the browser. People just have to trust you won't do nasty things with their email.

Other ideas might be if you know who you want to send the survey to. Generate a random number that identifies the individual response. Then email those links to people. They will then submit under that number, and if you don't track email -> random number, then you can't correlate the answers with the email address. Once a random number is used once, you don't let them submit it again. Track responses once. Display results many times.

You can combine some of these together to try and work around the deficiencies of the others.

chubbard
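As an added example, not code from chubbard or from the original question, the per-respondent random token idea from the last answer worked through in Python: each token comes from `secrets`, the address-to-token pairing exists only for the moment the invitation is sent and is never stored, and the server keeps only a hash of each token (safe here because the token is 256 bits of randomness, unlike an IP address), so a copy of the table cannot be used to submit. `SurveyTokens`, `invite` and the `survey.example` link are assumed names.

```python
import hashlib
import secrets
from typing import Callable, Dict, List


class SurveyTokens:
    """One-time survey tokens. Only sha256(token) is stored, and responses are
    kept with no respondent identity attached."""

    def __init__(self) -> None:
        self._used: Dict[str, bool] = {}    # sha256(token) -> already used?
        self._responses: List[dict] = []    # answers only, no identity

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Unkeyed hashing is acceptable here: the token itself is unguessable,
        # so there is no small keyspace to enumerate.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self) -> str:
        """Create a fresh token; the caller is responsible for delivering it."""
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._used[self._fingerprint(token)] = False
        return token

    def submit(self, token: str, answers: dict) -> str:
        """Accept a response once per token; reject unknown or reused tokens."""
        fp = self._fingerprint(token)
        if fp not in self._used:
            return "rejected: unknown token"
        if self._used[fp]:
            return "rejected: token already used"
        self._used[fp] = True
        self._responses.append(dict(answers))
        return "accepted"

    def results(self) -> List[dict]:
        """Results can be read any number of times; only submission is limited."""
        return list(self._responses)


def invite(survey: SurveyTokens, emails: List[str],
           send: Callable[[str, str], None]) -> int:
    """Issue one token per address and hand (email, link) to `send`. The
    pairing is discarded as soon as the message is out; nothing here writes
    it anywhere. Returns the number of invitations sent."""
    for email in emails:
        token = survey.issue()
        # Placeholder link; a real deployment substitutes its own survey URL.
        send(email, f"https://survey.example/respond?token={token}")
    return len(emails)


if __name__ == "__main__":
    survey = SurveyTokens()
    outbox: List[str] = []   # constructed stand-in for a mail sender
    invite(survey, ["alice@example.org", "bob@example.org"],
           lambda addr, link: outbox.append(link))
    token = outbox[0].split("token=")[1]
    print(survey.submit(token, {"q1": "yes"}))          # accepted
    print(survey.submit(token, {"q1": "no"}))           # rejected: token already used
    print(survey.submit("made-up-token", {"q1": "?"}))  # rejected: unknown token
    print(survey.results())
```

The store holds two things that cannot be joined: a set of token fingerprints and a list of answers. Without the email-to-token mapping, which this code never persists, a reader of the database cannot say which person produced which answers.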