In Windows, would it be possible to protect data within a single program? I have been looking into CryptProtectData, but this is on a per-user basis; I would like something similar but on a per-program basis. My program will have multiple users that require access to the same data, but the data is sensitive and I don't want any user to read it.
-
You may need to be more specific in what you're trying to accomplish. – sarnold Mar 08 '11 at 11:53
-
"users that require access to the same data, but the data is sensitive and I don't want any user to read it." ???? what.. that doesn't make sense ???? P.S. make a server - client. separate them on different machines.. – Sigtran Mar 08 '11 at 11:54
-
Client -> server is not an alternative. I'm wondering if it's possible to restrict file access to a single program instead of a single user.. – thenail Mar 08 '11 at 12:04
-
1. You want users to have access to data. 2. You don't want users to be able to read the data. These two statements are incompatible. – Luke Mar 08 '11 at 12:43
3 Answers
If your users do not have administrator privileges then what I would do is have your program create an account for its own purposes. When your program creates its data files, it would set the ACLs on those files so that the account it created is the only one with any access to those files. Whenever your program needed to read/write those files, it would need to temporarily log in using its special account. The problem is then to keep the login credentials for that account secret. That's another problem entirely.

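The ACL step described in the answer above, as an added example that is not part of the original answer: it gives a file a protected DACL whose only entry is a dedicated account, then reads the DACL back to confirm nothing else is listed. The account name and file path are placeholders, and the account is assumed to exist already.

```powershell
# Added example, not code from the answer. Run elevated.
# Placeholders (assumptions): the dedicated account already exists, and the path is illustrative.
$Account  = "$env:COMPUTERNAME\svc-exampleapp"      # hypothetical dedicated local account
$DataFile = 'C:\ProgramData\ExampleApp\store.dat'   # hypothetical data file
$ErrorActionPreference = 'Stop'

# Resolve the account to a SID up front; Translate() throws if the account is missing,
# so a typo cannot silently produce a file with an unusable ACL.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier])

if (-not (Test-Path -LiteralPath $DataFile)) {
    New-Item -ItemType File -Path $DataFile -Force | Out-Null
}

# Build a fresh DACL instead of editing the existing one, so no old entries survive.
$acl = New-Object System.Security.AccessControl.FileSecurity
# $true  = protect the DACL from inheritance
# $false = do not copy the currently inherited entries into it
$acl.SetAccessRuleProtection($true, $false)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $DataFile -AclObject $acl

# Read the DACL back (explicit and inherited entries, identities as SIDs) and fail
# if anything other than the single explicit entry for the dedicated account remains.
$rules = @((Get-Acl -LiteralPath $DataFile).GetAccessRules(
               $true, $true, [System.Security.Principal.SecurityIdentifier]))
$unexpected = @($rules | Where-Object { $_.IdentityReference.Value -ne $sid.Value -or $_.IsInherited })
if ($rules.Count -ne 1 -or $unexpected.Count -ne 0) {
    throw "Unexpected entries in the DACL of ${DataFile}: $($rules | Out-String)"
}
"DACL on $DataFile now lists only $Account ($($sid.Value))"

# Limits: the file's owner can always rewrite the DACL, and an administrator can take
# ownership, so this only holds against users without administrator rights.
```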
CryptProtectData (indirectly) uses the user's credentials to encrypt the data.
On Windows (as well as on most other general-purpose computer platforms) it is not possible to encrypt the data on a per-application basis because the computer belongs to users and the user is the master, not the application.
If you don't want the data to be accessible to the user (and other applications running under the user's account), you need to move this data out of the computer, store it on the remote system and control the user's access to this data.

First of all, if your user has administrator privileges, there is no definite way to keep them out.
Second, even if they didn't, you'd have to implement part of your software at ring 0, so it would have a higher privilege than the user, which would make it harder for them to get access to the process' memory or executables. You could then encrypt your data and decrypt it when you serve it to the user.
If all of the above is not possible, you can employ the same obfuscation techniques that software developers use against cracking.
That usually comes down to preventing debugging or preventing patching. Some advice here: http://www.woodmann.com/crackz/Tutorials/Protect.htm