What technique can protect a secret from a fully trusted user?

Tags:

c#

security

I am programming a system using C#. My program generates a small message (a hash digest for a file) that I want to store on the hard disk - but I don't want the user to be able to read it. I was going to encrypt this message, but someone has suggested this is A BAD IDEA.

So I'm looking for alternatives - how do you protect a piece of secret information from a fully trusted user?

asked Jan 27 '10 22:01 by Craig Schwarze



1 Answer

Take a step back; you've got a solution that fundamentally doesn't work for the problem you've got. Instead of trying to hammer on it until it works, stop, step back, and solve the real problem.

Security problems that involve real money are some of the hardest problems to solve; bad people have a real financial motive to attack your system. A multi-pronged approach is usually best for these sorts of things.

First, write a threat model:

  • identify every resource that needs protecting (your resources AND your benign customer's resources, like their private financial data)
  • estimate its value to you
  • estimate its value to an attacker
  • think of what vulnerabilities expose the resource to attack
  • characterize the threat -- who is the attacker and what is their motivation?

Once you know the resources, threats and vulnerabilities, only then start thinking of mitigations to those threats. Assign a cost and an effectiveness to each of the mitigations.

For example:

  • resource: my TV set
  • value to me: $400
  • value to attacker: $40
  • vulnerability: unlocked bathroom window
  • threat: thieves or vandals use the window to get access to the TV

OK, now that I know what the attacks are, I can start thinking about mitigations:

  • lock the window
  • get an alarm system
  • dogs
  • guards

Those are in increasing order of expense. Eventually the cost of the mitigation is larger than the loss of the resource, and it makes no sense to spend the money.

There are also ways to externalize the costs of mitigation:

  • threaten the attacker with prosecution -- taxpayers pay for this
  • insure the television against theft, reducing the cost of a successful attack against me.
  • and so on.

Encrypting a file that contains user data on a user machine is not a mitigation of any attack. Figure out what the attacks are and what actually mitigates them, including options like siccing the feds on attackers, and then implement a system that actually mitigates your vulnerabilities and eliminates the threats.

Your proposed mitigation is: give the key to the thief and require the thief to lock the window before he attempts to steal the television. This is not a mitigation of the vulnerability. No proposal which involves handing the key to the thief is a mitigation of the unlocked window vulnerability, so stop trying to find one.

For more "software" focused examples of threat modeling, see:

http://download.microsoft.com/download/3/a/7/3a7fa450-1f33-41f7-9e6d-3aa95b5a6aea/MSDNMagazineNovember2006en-us.chm

http://www.owasp.org/index.php/Threat_Risk_Modeling

http://msdn.microsoft.com/en-us/library/aa302419.aspx

And so on; you can find lots of stuff on the web about how we do threat modeling here at Microsoft.

Finally:

Get a security professional involved.

Seriously, you are biting off one of the hardest jobs there is in software implementation, where the consequences of small mistakes have major financial implications. Spend your implementation budget on a top-notch expert consultant who has expertise in this area and can help you find the off-the-shelf and custom-built parts you need to make a secure solution. Rolling your own security system might sound fun and cheap; it is neither. Leave this sort of thing to people who have spent their careers studying this space.

answered Nov 02 '22 08:11 by Eric Lippert
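The cost check the answer walks through (list the resource, list candidate mitigations, spend only while a mitigation costs less than the loss it avoids, and treat "externalized" options like insurance as reducing my loss rather than stopping attacks), written out as runnable code. This is an added example, not code from the original question or answer. The TV figures come from the answer; the attack rate, the yearly cost of each mitigation, and each effectiveness percentage are assumptions chosen for illustration, and the "encrypt with a key the thief already has" row is included only to show that a measure with zero effect never passes the check, which is the answer's point about the original proposal.

```python
"""Threat model as data, plus the cost-versus-avoided-loss check from the answer.

Added example: the resource figures ($400 / $40) are the answer's; every
rate, cost and effectiveness below is an assumed number for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Resource:
    """One row of the threat model, in the answer's own terms."""
    name: str
    value_to_me: float        # what I lose when the attack succeeds
    value_to_attacker: float  # what the attacker gains (their motive)
    vulnerability: str
    threat: str
    attack_rate: float        # ASSUMED: successful attacks per year, unmitigated


@dataclass(frozen=True)
class Mitigation:
    """A candidate countermeasure with an annual cost and an estimated effect."""
    name: str
    annual_cost: float
    stops_attacks: float = 0.0  # fraction of attacks it prevents (0..1)
    covers_loss: float = 0.0    # fraction of my loss someone else absorbs, e.g. an insurer


def expected_loss(res: Resource, mit: Optional[Mitigation] = None) -> float:
    """Expected annual loss to me, optionally with one mitigation applied."""
    rate = res.attack_rate
    loss = res.value_to_me
    if mit is not None:
        rate *= 1.0 - mit.stops_attacks   # fewer successful attacks
        loss *= 1.0 - mit.covers_loss     # externalized: someone else pays part of each loss
    return rate * loss


def loss_avoided(res: Resource, mit: Mitigation) -> float:
    """How much expected loss the mitigation removes, per year."""
    return expected_loss(res) - expected_loss(res, mit)


def worthwhile(res: Resource, mit: Mitigation) -> bool:
    """The answer's stopping rule: once the mitigation costs more than the loss
    it avoids, it makes no sense to spend the money."""
    return loss_avoided(res, mit) >= mit.annual_cost


def rank(res: Resource, mits: List[Mitigation]) -> List[Tuple[str, float, float, bool]]:
    """Table of (name, cost, loss avoided, worthwhile?) in increasing order of cost."""
    rows = [(m.name, m.annual_cost, round(loss_avoided(res, m), 2), worthwhile(res, m))
            for m in mits]
    return sorted(rows, key=lambda r: r[1])


# Constructed threat model: the answer's TV example with an assumed attack rate.
TV = Resource(
    name="my TV set",
    value_to_me=400.0,
    value_to_attacker=40.0,
    vulnerability="unlocked bathroom window",
    threat="thieves or vandals use the window to get access to the TV",
    attack_rate=0.10,  # assumed: one successful break-in per ten years if nothing is done
)

# Constructed candidates; all costs and percentages are assumptions.
CANDIDATES = [
    Mitigation("lock the window", annual_cost=5.0, stops_attacks=0.60),
    Mitigation("alarm system", annual_cost=200.0, stops_attacks=0.90),
    Mitigation("dogs", annual_cost=800.0, stops_attacks=0.95),
    Mitigation("guards", annual_cost=30000.0, stops_attacks=0.99),
    Mitigation("insure the TV against theft", annual_cost=20.0, covers_loss=1.0),
    # The original proposal: the key lives on the same machine as the attacker,
    # so it stops nothing, whatever it costs.
    Mitigation("encrypt with a key stored on the thief's machine", annual_cost=50.0),
]


if __name__ == "__main__":
    print(f"unmitigated expected loss: ${expected_loss(TV):.2f}/year")
    for name, cost, avoided, ok in rank(TV, CANDIDATES):
        verdict = "worth it" if ok else "not worth it"
        print(f"{name:55s} cost ${cost:>9.2f}  avoids ${avoided:>6.2f}  -> {verdict}")
```

With the assumed numbers the baseline expected loss is $40 a year, so locking the window ($5 to avoid $24) and insurance ($20 to avoid $40) pass, the alarm, dogs and guards fail because they cost more than the $40 they could ever avoid, and the client-side encryption row avoids $0 at any price. The point is the structure, not the figures: change the estimates and the same check still tells you where to stop spending.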