Temporary / Expiring Encryption Passwords

Posted on 2012-09-02
Last Modified: 2012-10-20
I had a good look at TrueCrypt's documentation and I can't see any way to create a temporary password for a container/volume (i.e. one that will expire after a set period unless renewed by a master password). Have I missed something?
Can it be done in TrueCrypt, or any other similar product?
Question by:Eirman
11 Comments
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 38359271
For that you need a digital rights management product.  Truecrypt is an encryption product not a drm product.
0
 
LVL 57

Expert Comment

by:McKnife
ID: 38360196
Hi.

What's your goal? Would you like to force users to change their encryption passwords from time to time?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 38360226
That is not possible, as you can't rely on the system clock to be honest.

The only approach you can make really is to have a challenge-response server that fails to supply the key after a certain date, and even then, a wily (and admittedly, very skilled) attacker could hack the code so as to expose and accept the master keys (which won't change, even if you change the password on the container)
0
LVL 24

Author Comment

by:Eirman
ID: 38360506
> What's your goal? Would you like to force users to change their encryption passwords from time to time?

That's not what I have in mind. I just want to give someone a password to sensitive data that will automatically disappear after say ... one month (or say ... three usages).

Regarding the system clock ... There are various utilities out there, such as Run As Date or Date Cracker 2000, that reset the clock when you launch a shareware program. However they don't work if the program is designed properly.

Somewhat off topic ....  on my home intruder alarm system, I can set a temporary code that can only be used a specified number of times ..... handy for tradesmen!
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 38360535
An application is one thing; a data file is something else. Even if you wrapped the data inside an .exe, at some point the user will have the decrypted information and can use many techniques to save a copy that is not encrypted.

If I can see it, I can copy it. Maybe Adobe Acrobat/Word won't let me copy, but I can do a screen capture and then OCR that.

All you can do is make it more difficult. For instance, if it is that sensitive then NEVER give the user a copy of it. They must log on to a secure server and then, only then, do they have access to it. Preferably via an application that does the logon, and the data is enciphered between the originating site (yours) and their screen.
0
 
LVL 24

Author Comment

by:Eirman
ID: 38360573
Thanks for the input, ve3ofa.

I don't care if they can access / copy the data now. In fact full access NOW is an essential requirement.

I just don't want them to be able to do so in say .... three months from now, unless I, in the meantime, add more time to the temporary password's expiration date.

I know I can delete temporary passwords as required ... I just want to automate this process, and have them disappear if I forget to delete them.

I don't want temporary passwords to last forever.
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 999 total points
ID: 38360685
I think the issue here is that you are confusing encryption with access.

It is trivial to have a solution that expires access - most common directory services have an account expiry date (eDirectory or Active Directory, for example), and that can be hooked to a file access protocol (any of the encrypted FTP variants, CIFS, web, etc.).

It is harder to "gate" multiuser access to cryptography, as invariably, the data is encrypted with a key that is then PKI-encrypted to each recipient; you can of course then just stop encrypting data to a recipient at a given date, but that's not the same as also locking them out of any files they may have had access to but not already seen.

So, don't get yourself too focussed on the encryption, that's largely a non-issue when discussing access.
0
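
Added example, not part of the thread and not any product's code: the challenge-response key server mentioned earlier in the thread, combined with the access-expiry idea from the accepted solution, written in Python. The names `KeyReleaseServer` and `respond` and all parameters are hypothetical; expiry and the use limit are judged by the server's clock only, and a master secret is assumed for renewals.

```python
import hashlib
import hmac
import secrets
import time

class KeyReleaseServer:
    """Releases the container key only for unexpired, unexhausted grants."""
    def __init__(self, container_key, master_secret, clock=time.time):
        self._key, self._master = container_key, master_secret
        self._clock = clock      # the server's clock; the client's is never consulted
        self._grants = {}        # grant_id -> {"secret", "expires", "uses_left"}
        self._nonces = {}        # outstanding challenge -> grant_id (single use)

    def issue(self, ttl_seconds, max_uses):
        """Create a temporary credential and return (grant_id, secret)."""
        grant_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._grants[grant_id] = {"secret": secret, "uses_left": max_uses,
                                  "expires": self._clock() + ttl_seconds}
        return grant_id, secret

    def renew(self, master_secret, grant_id, extra_seconds):
        """Extend a grant; only the holder of the master secret may do so."""
        if not hmac.compare_digest(master_secret, self._master):
            return False
        grant = self._grants[grant_id]
        grant["expires"] = max(grant["expires"], self._clock()) + extra_seconds
        return True

    def challenge(self, grant_id):
        """Hand out a fresh random nonce for the client to answer."""
        nonce = secrets.token_bytes(16)
        self._nonces[nonce] = grant_id
        return nonce

    def release(self, nonce, response):
        """Return the container key, or None if the grant is no longer valid."""
        grant = self._grants.get(self._nonces.pop(nonce, None))
        if grant is None:
            return None
        good = hmac.compare_digest(respond(grant["secret"], nonce), response)
        live = self._clock() < grant["expires"] and grant["uses_left"] > 0
        if not (good and live):
            return None
        grant["uses_left"] -= 1
        return self._key

def respond(secret, nonce):
    """Client side: prove knowledge of the secret without sending it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()
```

Once `release` has returned the key, the client holds it, so this expires access to the server rather than the encryption itself, which is the limitation the thread describes.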
 
LVL 24

Author Comment

by:Eirman
ID: 38406677
I have never deleted a question like this, where so many contributions have been made by well qualified experts. Normally a B grade would be warranted by that amount of input, even if no complete solution was alluded to.

I don't like deleting questions as it can irk experts whose expertise I will most likely need in the future. However in this case I can't award points just to keep things uncomplicated. In this case no one seemed to get my simple question.

Having researched a bit more I have concluded that no encryption programs that I can find have passwords that expire after a certain time period (or number of uses).

The simple answer for full points was .... There is no such encryption program

I'm going to request a formal deletion in a few days unless I get an informal objection from one of the original contributors.

Many thanks to everyone.
0
 
LVL 57

Assisted Solution

by:McKnife
McKnife earned 501 total points
ID: 38406719
Feel free to close it, but have a look at http://www.experts-exchange.com/Software/Office_Productivity/Q_27785969.html, which was asked by me some time ago, and DRM was the solution. DRM is of course some form of encryption, although it is not a standalone encryptor.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 999 total points
ID: 38408579
@Eirman:
  You could probably write such a thing, but it would take custom code. About all I can think of "out of the box" is that you could use EFS to protect individual files or folders, hold the keys in Active Directory, and delete the keys for any users whose access you wish to revoke (hoping of course that they don't have their own backups). The overheads would be considerable though, and no better than simply having a file share exposed to the users and revoking their access via Active Directory.
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 38410193
I did give you 2 options: one is digital rights management, the other is to store the information elsewhere, and there you control access to the file. The only one in which it will be on their computer is using DRM. Encryption never expires.
0
