How to password protect files on distribution CD

[rainny]

Hi

We have developed some software and we want to ship them on CD in encrypted form to our customers. Then we want to give them some keys to decrypt the software. We should be able to generate the passwords for our customers. We might want to put further restrictions on encryption and authorization in the future but not now.

What software do I need to use for this? If this is irrelevant to this
group, please point me to the correct one.

Thank you
Rainny

 

[Guest_imported]

Chiph - You bring an interesting point. There are many key loggers out there, and programs that can basically spy on your system. Most of you have heard of ad-aware,

http://www.lavasoftusa.com,

this program will eliminate ad spyware, which will eliminate the spyware which sends information about your computer out.
The problem is, ad spyware is nothing like keyloggers, screen shot takers, message loggers, etc. which is software spyware. This spyware can catch anything, see anything, and transmit it to anyone. Hackers can put this on your software, and in no time figure out who all your buddies in your instant message list are, see your address book, find out all your passwords, and much more. This is what you (Chiph) are refering to in the step one portion of your PGP crack methods.
The problem is, no one knows if this software is on their machine, so companies are starting to create full blown anti-spyware applications which detect this type of spyware. SpyCop is a program which will eliminate over 206 forms of spyware, and the list grows very often. So most of those keyloggers that you refer to, can be detected by this program. Here is the link if you are interested,

http://spycop.sidetracknet.com.

I would check out the spyware safety.
Your second method, no software can stop that, only parinoid people who will start looking out their window for suspicious vehicles every 10 minutes will find people using that method. I don't know a link to a site so you can hire someone to do that, sorry.
Method 3, very effective, has been done, has gotten people arrested. One kid at a university wrote a screen saver which actually was supposed to analyze data, but it was really sending out every file on your computer to them. It did it in small packets at a time so your Internet connection wouldn't slow down too much. This kid received thousands of files, but was eventually caught. Just watch out for screen savers, people do write them to do this.
Method 4, if you set your password to include numbers and letters, getting lucky would really be luck. If you know a list of passwords or find a list of passwords the user uses, well, then you are pretty darn lucky.
Method 5, I hope no one is that desperate to crack a code, lets just leave it at that.


Alt255, you bring an interesting point. Not a single person has a government rated super computer on their desk. Super computers these days can reach terahertz, and are extremely fast. They work through algorthims, and actually try and use brute force on passwords. Brute force with a modern desktop computer, if the password has no numbers, can take 1 minute to an hour. Brute force on a super computer with a password with no numbers will take less than a second.

Now, what happens when there are numbers, that is when you NEED a super computer. What the super computers do is just run non-stop algorithms which start with A, goes to Z, then does 1-9, then does, AA, AB, AC, AD, etc. This will take a super computer no time if the password is 7 digits. If you have something incredibly secret, I would use a password which is over 12 letters and numbers.

The point is, super computers really can crack just about anything that has a password unlock method. But lets take Chiphs key, if you have that, and you do not have anyway to enter a password to decrypt it or anything, I don't care how fast a computer is, it will take forever to decrypt it, and may be impossible, depending on the algorithm.

 

[chiph]

Good post, PenguinShill.

Your point about the screensavers and spyware is a valid one. Heard about another piece of spyware on Slashdot the other day that no one seems to know where it came from -- a sub-sub-sub-contractor apparently wrote it. Look on your system for vx2.dll.

But what I meant about screensavers was more in line of the distributed computing efforts like SETI, where you write a really cool screensaver, hand it out freely, tell people they're helping find a cure for cancer or something, when in fact it's trying to find a passphrase.

My challenge to hnd was a bit of a red-herring, I'm afraid. The public/private keys have nothing to do with the passphrase. The passphrase is the key to a symmetric cypher using to secure your private keyring. So, there's no way, given a public key, to extract a passphrase, since the two aren't related.

Have a great weekend.
Chip H.