How to protect my file from sending to skype or upload to cPanel

Question

I'm programming an application in my company, and there is a file watcher:

fsw.NotifyFilter = (NotifyFilters.Security Or NotifyFilters.LastAccess Or NotifyFilters.LastWrite)

AddHandler fsw.Changed, New FileSystemEventHandler(AddressOf OnChanged) 

AddHandler fsw.Created, AddressOf OnChanged

AddHandler fsw.Renamed, AddressOf OnRenamed

AddHandler fsw.Deleted, AddressOf OnChanged

But I want to protect some files from users by send it in skype, messanger oruploading it to any cloud.

Ex. I have an dgg file it open with dogland.exe, I want to make this .dgg extension to just with this app and encrypt and protect it from other programs to read this file.

What is the best way to protect this file? I'm using vb.net, 4.6.1

Answer 1

You're not going to be able to stop a user with admin rights on their machine from sending a file if they want to, so you're right that the answer is to make it useless elsewhere.

Before answering your question, I want to address two key points:

1. Security comes in different levels. When it comes to information security, the level of protection you achieve corresponds with how much work you put into it;
2. You cannot not stop a skilled, determined attacker, because there is always a weakness somewhere. All you can do is making their job harder. You must decide what risk profile you're willing to assume and the level of effort that is warranted.

That said, the absolute simplest method is symmetric encryption, where your program uses the same key to both encrypt and decrypt. This is vulnerable to someone examining your code and retrieving the key, but it will stop most casual attempts.

To try it, put this in the main form:

    Private Function Encrypt3DES(plainText As String, pw As String) As String
        Dim wrapper As New Simple3Des(pw)
        Dim cipherText As String = wrapper.EncryptData(plainText)
        Return cipherText
    End Function

    Private Function Decrypt3DES(cipherText As String, pw As String, ByRef plainText As String) As Boolean
        Dim wrapper As New Simple3Des(pw)
        ' DecryptData throws if the wrong password is used.
        Try
            plainText = wrapper.DecryptData(cipherText)
            Return True
        Catch ex As System.Security.Cryptography.CryptographicException
            Return False
        End Try
    End Function

And this goes in a helper module:

Imports System.Security.Cryptography
Public NotInheritable Class Simple3Des
    Private TripleDes As New TripleDESCryptoServiceProvider
    Sub New(ByVal key As String)
        ' Initialize the crypto provider.
        TripleDes.Key = TruncateHash(key, TripleDes.KeySize \ 8)
        TripleDes.IV = TruncateHash("", TripleDes.BlockSize \ 8)
    End Sub
    Private Function TruncateHash(
    ByVal key As String,
    ByVal length As Integer) As Byte()

        Dim sha1 As New SHA1CryptoServiceProvider

        ' Hash the key.
        Dim keyBytes() As Byte =
            System.Text.Encoding.Unicode.GetBytes(key)
        Dim hash() As Byte = sha1.ComputeHash(keyBytes)

        ' Truncate or pad the hash.
        ReDim Preserve hash(length - 1)
        Return hash
    End Function
    Public Function EncryptData(
    ByVal plaintext As String) As String

        ' Convert the plaintext string to a byte array.
        Dim plaintextBytes() As Byte =
            System.Text.Encoding.Unicode.GetBytes(plaintext)

        ' Create the stream.
        Dim ms As New System.IO.MemoryStream
        ' Create the encoder to write to the stream.
        Dim encStream As New CryptoStream(ms,
            TripleDes.CreateEncryptor(),
            System.Security.Cryptography.CryptoStreamMode.Write)

        ' Use the crypto stream to write the byte array to the stream.
        encStream.Write(plaintextBytes, 0, plaintextBytes.Length)
        encStream.FlushFinalBlock()

        ' Convert the encrypted stream to a printable string.
        Return Convert.ToBase64String(ms.ToArray)
    End Function
    Public Function DecryptData(
    ByVal encryptedtext As String) As String
        Try
            ' Convert the encrypted text string to a byte array.
            Dim encryptedBytes() As Byte = Convert.FromBase64String(encryptedtext)

        ' Create the stream.
        Dim ms As New System.IO.MemoryStream
        ' Create the decoder to write to the stream.
        Dim decStream As New CryptoStream(ms,
            TripleDes.CreateDecryptor(),
            System.Security.Cryptography.CryptoStreamMode.Write)

        ' Use the crypto stream to write the byte array to the stream.
        decStream.Write(encryptedBytes, 0, encryptedBytes.Length)
        decStream.FlushFinalBlock()

            ' Convert the plaintext stream to a string.
            Return System.Text.Encoding.Unicode.GetString(ms.ToArray)

        Catch ex As Exception
            Return ""
        End Try
    End Function
End Class

To implement the above code, just call the encrypt method on your data before writing it to your file:

Dim encdata = Encrypt3DES(PlainTextStringToEncrypt, password)
' Write encdata to file...

And you invoke Decrypt3DES to decrypt the data after you load it from your file:

Dim DecodedData as string = ""
If Decrypt3DES(EncryptedData, Password, DecodedData) = True Then
    'Do something with DecodedData
End If

This is probably the simplest solution, but the word 'best' is relative in information security. You need to tailor your level of effort to the value of the information that you are trying to protect and the risk profile of having it exposed. You can do either too much or too little.

You could make this method stronger by not storing the encryption key locally but retrieving it at runtime from a server and clearing it from memory immediately after use. Or, you can encrypt the encryption password, so the actual password itself isn't visible in a disassembler and extra work is needed to get it. There are a thousand things you could do - hopefully this give you a starting point.

If you wanted to get more advanced, you could look into certificate-based signing and/or server-based controls that the user has no access to manipulate. It's all a question of how much the information is worth protecting.

DISCLAIMER: I don't warrant this to be fit for any particular purpose. This may or may not be suitable for your needs. Do your own research and ensure that any security mechanisms are fit for your purpose.