
I have written an R package that connects to some services requiring username and password.

I want to avoid typing my username and password every time, so I have my package read them from a file encrypted using AES (I use the digest package in a way similar to the answer to this question: How do I read an encrypted file from disk with R).

The AES key is generated when a user installs the package and it is used to encrypt and decrypt the user's credentials.

This way the users only need to insert their credentials once at the moment of installation and then do not need to write them in any place in the code.

However, if somebody gets access to their laptop, it is very easy for him to decrypt the credentials using the key generated by my package.

Is there any way I can protect the key (possibly in a cross-platform manner, since the package has to be used in Windows, Linux and Mac)?

lucacerone
  • IMO you cannot solve physical-access security problems with software. – daroczig Apr 12 '15 at 19:28
  • @daroczig thanks! The fact is that if you have your code in an environment with multiple users, then whoever (sudoers at least) can go and read your credentials. However, if the key were encrypted by using the OS keyring, one should be able to avoid this issue. – lucacerone Apr 12 '15 at 21:11
  • Oh, I see, thanks for the additional details @lucacerone. I don't think there is an OS-independent way of using the keyring (which can even be different on the same Linux distribution based on what DE is the default). A package that interacts with these keyrings is theoretically possible to implement, but I have not seen any even in other programming languages. Will keep an eye on this topic, would be great to find a solution. – daroczig Apr 12 '15 at 21:37
  • I would even accept a platform dependent solution. – lucacerone Apr 13 '15 at 21:00
  • Then why not use something like this: https://launchpad.net/gkeyring You can write the wrappers in R around that very easily. – daroczig Apr 13 '15 at 21:07
  • That fixes it for Linux (if they have GNOME), what about Mac and Windows? – lucacerone Apr 13 '15 at 21:12
  • Not sure, you wrote 42 mins ago that "would even accept a platform dependent solution" :) – daroczig Apr 13 '15 at 21:44
  • Yes :) but I still need a solution for each platform :) – lucacerone Apr 13 '15 at 21:48

1 Answer


The best way to protect encryption keys is Hardware Security Modules like Thales PayShield / nCipher or SafeNet PSO / PSW / Luna, etc. The Key Encryption Keys (KEK) are stored on separate devices, and in the OS you just keep cryptograms: keys encrypted under a secret key to which you cannot get any access (such devices are strongly secured from "intrusion"). The code to use such devices you can write in Java or Python, for example; it will make your software OS independent. But it costs some money :)

Juris Lacis
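
The OS-keyring approach raised in the comments, as an added example that is not part of the original question or answer: the AES key lives in the operating system's credential store instead of in a file beside the ciphertext. It assumes the CRAN packages `keyring` and `openssl` (neither is mentioned on this page) alongside `digest`; the service label and all function names are hypothetical.

```r
library(keyring)  # OS credential store: Keychain, Credential Store, Secret Service
library(digest)   # AES(), the package used in the question
library(openssl)  # rand_bytes() for key and IV material

SERVICE <- "mypkg-aes-key"        # hypothetical label for the keyring entry
USER    <- Sys.info()[["user"]]

# Decode a hex string back into a raw vector.
hex_to_raw <- function(h) {
  i <- seq(1, nchar(h), by = 2)
  as.raw(strtoi(substring(h, i, i + 1), 16L))
}

# Fetch the 32-byte key from the OS keyring; create and store it on first use.
get_or_create_key <- function() {
  if (!(USER %in% key_list(service = SERVICE)$username)) {
    key <- rand_bytes(32)
    # keyring stores strings, so the key is hex-encoded
    key_set_with_value(SERVICE, USER, paste(as.character(key), collapse = ""))
  }
  hex_to_raw(key_get(SERVICE, USER))
}

# PKCS#7 padding: the raw input to AES must be whole 16-byte blocks.
pad   <- function(x) { n <- 16 - length(x) %% 16; c(x, as.raw(rep(n, n))) }
unpad <- function(x) x[seq_len(length(x) - as.integer(x[length(x)]))]

encrypt_credentials <- function(user, password, file) {
  iv  <- rand_bytes(16)           # fresh IV per encryption
  aes <- AES(get_or_create_key(), mode = "CBC", IV = iv)
  ct  <- aes$encrypt(pad(charToRaw(paste(user, password, sep = "\n"))))
  writeBin(c(iv, ct), file)       # the IV is not secret; keep it with the ciphertext
}

decrypt_credentials <- function(file) {
  blob <- readBin(file, "raw", n = file.info(file)$size)
  # CBC objects are stateful, so a new AES object is built for decryption
  aes  <- AES(get_or_create_key(), mode = "CBC", IV = blob[1:16])
  pt   <- unpad(aes$decrypt(blob[-(1:16)], raw = TRUE))
  strsplit(rawToChar(pt), "\n", fixed = TRUE)[[1]]  # c(user, password)
}
```

A credentials file copied off the machine no longer carries its key with it; access to the key is governed by whatever unlocks the user's keyring on that platform.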