1

I have a small amount of structured data and I need to accomplish three tasks:

  1. Save/retrieve data to/from hard disk or USB pen
  2. Have a "portable" app (nothing to install on pc other than framework)
  3. Secure data

Which is the best way to reach my goal? I think that, beeing structured data, I could/should use a database... but which one?
MySql is free and really fast but needs to be installed... discarded.
MsSql/Oracle have the same problem, so they can't be used.
Maybe SQLite? Well, this could be a good option: nothing to install, a single file that can be encrypted too using a byte array or a string as password.
And what about XML? It's easy to use, just a single file that could be encrypted too... but the question is how? Using AES? 3DES? Or simply storing XML stream in a ZIP/7Z file protected with a long password?
I know nothing can be completely sure (today we have GPUs and cloud computing to break protections and passwords), but how can I create a really secure archive easy to use and portable?
Which is the most secure way? Why?
Thanks

Marco
  • 56,740
  • 14
  • 129
  • 152

4 Answers4

1

XML is a cross-platform, non-proprietary way of storing information. Data stored in XML format can be read by almost any modern operating system, and requires very little software to be stored on the USB drive, and should never require the installation of any 3rd party software. AES is usually secure enough, as long as it's salted.

bbosak
  • 5,353
  • 7
  • 42
  • 60
  • Thanks @IDWMaster. So in your opinion XML/AES could be the better way? Do you think is more secure than SQLite protected by password? – Marco Apr 14 '11 at 21:47
  • Neither is necessarily more secure (as both are serialized into an array of bytes, then the array of bytes is encrypted in both methods), but in my experience, raw XML usually parses faster than an SQL database, in the case of small amounts of structured data. – bbosak Apr 14 '11 at 22:50
  • In addition, XML is also a standard format, and is guaranteed to work on almost any operating system. – bbosak Apr 14 '11 at 22:52
  • I've just red this [article](http://dotnetslackers.com/articles/xml/XMLEncryption.aspx) and this seems to be a nice way to go: encrypt the whole xml doc with a symmetric session key and encrypt this with the public part of an asymmetric key. Sounds good and it's all done with framework 2.0 (so, probalby portable in Mono too) – Marco Apr 14 '11 at 23:17
1

Whatever data is easy for you to parse. XML and SQLite are both good choices. Use whichever one better suits your purpose and make sure you encrypt it well. SQLite is good if your data fits a relational model well -- tables, columns, rows -- and XML is a good choice if you want to store hierarchical data. Which encryption algorithm you choose again depends on the application -- how much security you need as well as what has better library support for your language of choice. Either XML or SQLite will only be as secure as the encryption you use.

There are some off-the-shelf SQLite encryption products, but none of them are free AFAICT. Probably the best solution is SQLite Encryption Extension, which is written by the author of SQLite himself, but it costs ($2000). You can probably roll your own, but it won't be as clean. I also believe that if you're using .NET then I believe you can get some free password protection from the .NET libraries (see Password Protect a SQLite DB. Is it possible?).

Edit: after a bit more research, I've turned a good list of SQLite wrappers that says which ones support encryption. Choose based on language and personal preference.

Community
  • 1
  • 1
Rafe Kettler
  • 75,757
  • 21
  • 156
  • 151
0

http://www.safehousesoftware.com/SafeHouseExplorerU3.aspx

There is software which allows you to encrypt part of you usb key.

Marcin
  • 1,429
  • 8
  • 16
  • But I need to store my archive into hdd too... Anyway thanks for your suggestion – Marco Apr 14 '11 at 21:24
  • Yes, but in my app I should "open" truecrypt archive? How can I do that? – Marco Apr 14 '11 at 21:30
  • As far as I know truecrypt gives you ability to create virtual folder in seamless way. When you access it for a first time, password prompt will appear. – Marcin Apr 14 '11 at 21:37
  • Thanks @Marcin, but I need something "builtin": I don't want to install TrueCrypt on every dest pc and I don't want to have windows out of my app (e.g. password prompt) – Marco Apr 14 '11 at 21:44
0

I think the easiest way is to use the System.Data.Sqlite wrapper around the Sqlite database. Encrypting the database is very easy: all you do is set the password property to your key string. They discuss how they use the Microsoft Crypto API and RC4 algorithm in their forum.

You get the advantage of a SQL database, an ADO.Net interface, single-file database, and a single DLL in your project. It couldn't be easier, even if all you're doing is storing XML strings in your database.

Ed Power
  • 8,310
  • 3
  • 36
  • 42