Menu
I want to be able to create a file, distribute it to an end-user, but prevent them from making modifications to the file.
Now, obviously, I can't actually stop anybody from modifying the file - so my approach is to detect and reject the file if it's modified.
My intention is to generate a salted hash of the file contents and append it to the file. On reading, the hash is verified before reading the rest of the file. The downside of this is that I have to distribute the fixed "salt" in the executable which reads the file. Obviously I can obfuscate it to some extent, but that still feels like a weak link.
Are there any better approaches to solving this kind of problem?
902
You want append a digital signature to your document. This is an area which has been extensively studied. In short, you can with a fair amount of certainty make sure that the file has not been tampered with, but you can't prevent the user from tampering with it.
(The comparison with the music industry is not fully relevant, as they want to prevent people from copying the file as well, which is a much harder problem.)
139
If your application runs on the user's machines, they could always patch the binary so doesn't even do the verification, rendering all your hard work useless :-)
Even a server side solution can be bypassed by sniffing the traffic. So then you need to one up them and use SSL. And then they just patched the binary as above, and there goes that. So then you employ various measures to obfuscate your binary, and your users whip out a disassembler like IDA PRO.
The question I would be asking myself, were I in your position, would be "If I get into an arms race with my users, would I win?". If the answer is no, then I won't waste my time.
26
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
