Andreas Beck <becka@bedatec.de> writes: > 2) If 1) cannot be done for some reason, use _strong_ encryption to > _encrypt_ the data. XORing them with "wrdlbrmft" will just make an > attacker laugh, assuming he is just a bit smarter than a piece of wood. > Never just obfuscate the passwords by using a generic key. Even if > the app picks one individual key at installation time, it has to be > stored somewhere and when you can retrieve the file, chances are, that > you can as well retrieve the stored key. A more important argument against the application picking a random key at installation time is that if it gets lost (e.g. due to disk or registry corruption), the user's data is gone (which could have serious results in cases such as tax programs). Any secret required to decrypt the data should be supplied by the user so that they can take whatever steps are appropriate to make sure it doesn't get lost. > IMHIO obfuscating data serves only one purpose: Not giving away Information > to someone _briefly_ _viewing_ over the file. That's o.k. to keep the > sysadmin from the temptation to hit a user that picks a weak or offensive > password with a wet haddock. It's as well o.k. to guard a password against > a coworker that happened to look over your shoulder when you opened the > wrong file. But it is NOT o.k., if an attacker can retrieve the file and > play around with it all day. Obfuscation should never be encouraged over encryption, but obfuscation is certainly better than nothing (cleartext). Your comparison ignores the fact that the vast majority of people stumbling across someone's tax return on a file sharing network would have neither the inclination nor the ability to write or find software capable of de-obfuscation. Naturally true encryption is greatly desired just in case a true attacker _is_ out there, but obfuscation will certainly protect against that 99.x% of the population that _could_ download your tax return if they wanted to, but won't (or won't figure out how to get the obfuscated info out of it if they do). -- Dan Harkless bugtraq@harkless.org http://harkless.org/dan/
