
How secure is an AES-128 encrypted archive from illegal copying and distributing?


If I have a database that is stored in an AES-128 encrypted archive, is this the most secure way of protection against illegal distribution (as torrents etc.)? Will it work as well for PDFs also?

Somehow, this encrypted archive has to be tied to one single computer only (only possible to open on that particular computer). Is that possible today to guarantee success doing so, without any backdoors to tie it up and copy the PDF to other computers?

Will it have high copy protection on any operating system, so that it's not easier on Linux, for example, to modify the file and remove the copy protection?

 
Asked by: hermesalpha
Dave Baldwin (Fixer of Problems) Commented:
If it is a file, it can be copied and distributed.  If it is a file that uses AES-128 encryption, then a key is needed to decrypt it and use it.  And that is the weak point.  It is usually much easier to get the key than it is to break the encryption.  Currently it takes time on a supercomputer to even come close to breaking it.  So unless you are encrypting an important national secret, it is unlikely to be cracked.
 
Dave Howe (Software and Hardware Engineer) Commented:
If the end user can unlock content using a key, a hacker can unlock the content permanently, by embedding the actual session key into the code and repackaging (or depending on content, just repackaging the content in unencrypted form).

Only in cases where the encrypted data is difficult to decrypt in full in a single pass (for example, if it is unlocked by access to a website which allows only a fraction of the content to be decrypted on any given day, for each key) or where the content is watermarked so that it can be identified back to the original authorized user, is there any real chance of preventing redistribution, and in many cases that is merely a speed bump (the attacker will get the full set of content using multiple keys and/or multiple requests over the space of days, and will use stolen identity information to ensure the purchase can't be linked back).

All you can really do is make it more difficult for the attacker, and if your data is sufficiently valuable, they *will* take the time and trouble to bypass the protection.
 
jrzagar Commented:
In short, that encrypted archive is only as secure as the key you used to encrypt it.  If you store that key on the same server with the file, then both the key and the file can be stolen if the server is compromised.

If that archive is an active file (i.e. not at rest), then a copy of your data is somewhere on the system either as a temporary file or somewhere in RAM.  Again, your data can be stolen if the server is compromised.

The only way to make sure your data can't be used on another system is if the encryption is tied to a hardware function, like the TPM chip in many laptops, or a self-encrypting drive.  If you do pursue a hardware solution like that, you better make damned sure you have good backups because your data will be useless when that hardware fails.

Please note that I said "WHEN your hardware fails", not "IF".
 
hermesalpha (Author) Commented:
jrzagar,

I haven't encountered but one instance where the software vendor has done exactly this: tied the encryption to a hardware function. What's the reason? I mean, it seems to work very well, it was a bit inconvenient for me as a customer when I bought the software (Chinese character bible), but it seems to work (although I didn't try to break the encryption or anything). It's this software I'm talking about: http://www.globechinese.com/

The procedure was that I purchased the Chinese character bible, then launched it to generate a request for a licence file. I sent this request to the software vendor (which was a registration code). I then received a registration file which I had to save in a particular folder on my laptop.

I wonder if this procedure would be completely watertight?

I'm going to cooperate with a software vendor who will incorporate my add-on in his software. So I want to make certain my add-on will be as much protected as is possible today from illegal copying.
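
Added example, not part of the original thread and not the vendor's actual scheme: the request-code and registration-file procedure described in this post, written so that the registration file carries the archive key wrapped for one machine rather than a bare yes/no flag. The function names, `APP_KEY` and the machine identifiers are assumptions, and an HMAC-derived pad stands in for a real AES key wrap.

```python
import hashlib
import hmac
import os

# Hypothetical secret compiled into the application; the vendor holds it too.
APP_KEY = b"constructed-app-embedded-key"

def request_code(machine_id: str) -> str:
    """Client: turn a hardware identifier into the code sent to the vendor."""
    return hashlib.sha256(b"req:" + machine_id.encode()).hexdigest()

def _wrap_key(req_code: str) -> bytes:
    # Vendor derives this from the request code it received; the client
    # derives it from the request code it recomputes on every start.
    return hmac.new(APP_KEY, req_code.encode(), hashlib.sha256).digest()

def _pad(wrap_key: bytes, nonce: bytes) -> bytes:
    return hmac.new(wrap_key, b"pad:" + nonce, hashlib.sha256).digest()

def issue_registration(req_code: str, content_key: bytes) -> bytes:
    """Vendor: wrap the 16-byte archive key for one machine."""
    if len(content_key) != 16:
        raise ValueError("expected a 128-bit key")
    wk = _wrap_key(req_code)
    nonce = os.urandom(16)
    wrapped = bytes(a ^ b for a, b in zip(content_key, _pad(wk, nonce)))
    tag = hmac.new(wk, b"tag:" + nonce + wrapped, hashlib.sha256).digest()
    return nonce + wrapped + tag  # 16 + 16 + 32 bytes

def open_registration(reg: bytes, machine_id: str):
    """Client: return the archive key, or None on another machine or tampering."""
    if len(reg) != 64:
        return None
    nonce, wrapped, tag = reg[:16], reg[16:32], reg[32:]
    wk = _wrap_key(request_code(machine_id))
    expected = hmac.new(wk, b"tag:" + nonce + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    # From here on the key is an ordinary value in process memory.
    return bytes(a ^ b for a, b in zip(wrapped, _pad(wk, nonce)))

def demo():
    key = bytes(range(16))  # constructed AES-128 key
    reg = issue_registration(request_code("LAPTOP-A-serial-0001"), key)
    return (open_registration(reg, "LAPTOP-A-serial-0001"),
            open_registration(reg, "LAPTOP-B-serial-0002"))
```

The registration file is useless on a machine with a different identifier, but everything needed to unwrap it still lives in software on the licensed machine, which is the limit the other posters describe.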

 
jrzagar Commented:
If what you're looking to do is protect your software from illegal use, I'd strongly recommend you look at FlexLM / FlexNet from Flexera.

This software has a very long history (+15y) of preventing software piracy and is used on software packages costing hundreds to tens of thousands of dollars.
 
Dave Howe (Software and Hardware Engineer) Commented:
hahahahaha.

FlexLM and FlexNet are routinely bypassed by pirates. It inconveniences legitimate users, and gives little or no protection.

Only hardware dongles give any real protection, and even then, only if some of the functionality is actually embedded in the dongle (otherwise, the parts of the code that test for the dongle will simply be commented out; just look at the past history of games looking for "genuine" media in the drive for examples here).
 
hermesalpha (Author) Commented:
But I think there are a few software vendors that have been successful in preventing their software from being circulated as pirated, like SDL Trados. And Chinese character bible. SDL Trados used a dongle some years ago, but has changed that. But I think they have been successful in preventing pirating of their CAT tools.

If I tie my PDF to a hardware component (like a chip) in a specific computer, plus tie the PDF to the software it will become an add-on to, plus store it in an AES-128 encrypted archive, would these three measures be the best copy protection I could get? Or would I need to add a fourth component, like the one Chinese character bible uses, or like SDL Trados used earlier (with a physical hardware dongle)?
 
Dave Howe (Software and Hardware Engineer) Commented:
No, there aren't. The only vendors that have not had software pirated are those whose software is sufficiently obscure that pirates can't get hold of a legit installer to pirate from, are tied to hardware (which is common in automation systems, for example) or have a hardware component.

I have also seen good results from watermarking, provided your user base is small enough you can manually verify each one (otherwise, the watermark will turn out to be for either stolen details or simply made up), and of course anything with a software-as-a-service component tends to be pretty secure (depends on how dynamic that is though; if it needs to have a downloadable but local DB, then that will be downloaded and bundled with the pirate copy. At that point, you may find people *prefer* the pirated copy :)

Usually it's worth making at least SOME effort in the right direction, but not pulling out all the stops. Accept that there will be some pirate activity (and pursue that through the courts as appropriate) and put a halfway decent licence-key solution in place so that nobody can claim they didn't know they were using pirated software, but otherwise the effort involved (and lost sales due to the inconvenience of accessing licence servers and verification services, unless your product will usually be used online) isn't justified by the benefit.
Question has a verified solution.
