Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 12 years ago.
Improve this question
Can the contents of the clipboard be encrypted?
For example, say that to circumvent keyloggers, users copy and paste passwords from an encrypted file, but now the password lives unencrypted in the clipboard. Is there a way to prevent this behavior without breaking copy/paste, or running some script function that scrambles the clipboard information.
If you need to supply the unencrypted password to a textfield in order to sign in, then nothing you do before that step can stop malicious users from reading the contents of that textbox. Since there needs to be a point in time where that plaintext string is sent to the textbox.
I think if you have a keylogger you have more important problems than encrypting passwords
To answer your question: It should be possible, but you'd need to dig quite deep into the Windows API for that.
To catch COPY events and encrypt the contents, you could use SetClipboardViewer to get notified of changed to the clipboard. Here is an example on how to do this with C#.
To catch PASTE events and decrypt the contents, you might need to globally hook to WM_PASTE messages.
As a side note: Once a keylogger/trojan/etc. managed to run on your system, it is no longer your system. Encrypting the clipboard or similar techniques don't protect your system, they might just raise the bar for the malware developer to get the information he wants (see Jean-Bernard's answer). Preventing evil code from running on your system in the first place is a much better approach.
If the clipboard information is persisted to the drive then whole disk encryption would do the trick (it sounds like that's the kind of stuff you want to do already anyway based on the question).
But encrypting what's in RAM isn't really an option. At some point the OS and applications read that memory and need to know what to do with it. It has to be unencrypted somewhere in the active hardware of the machine in order to be used.
You could certainly encrypt the data, copy it to the clipboard, and then in another instance of your app, paste it, decrypt it. But this is only useful if the source/destination agree on the encryption. i.e. written by the same guy. In that case, you'd be better off NOT using the clipboard, and setting up some sort of private data channel instead.
So while you can do it, it's not practical.
You could do that by encrypting your data for your application before the copy, but it really depends on the language you would use.
And decrypt on the paste, but again on your application. You can't do that for all your system; it would mean modifications on your OS...
I'm writing an application which implements copy-and-paste: therefore I use a system API to read data from the clipboard.
If I can't read unencrypted data then copy-and-paste is broken, but if I can then so could any other installed program (including a keylogger).
If someone has privileges to install a keylogger that has clipboard access, he most likely has privileges to get the decryption key of the clipboard as well. Cryptography is not a substitute for access control.
Related
I have been designing a system with some super careful cryptographic needs and decided that having the console app administrator type in a sensitive cryptographic password when the app calls for it might be the way to go in my use case.
I was reading that we do not want to store this password (cryptographic key) as a string because it remains immutable in memory and could be found by an attacker via a memory dump. I read that such keys should be a Buffer instead and should immediately be cleared after they are used by invoking bufferVal.fill(0).
However, I have not come across in my study any example of keyboard text going straight into a Buffer. The best I can tell, everything I have found is intermediate strings, which I am trying to avoid.
If someone could help me find a mechanism for a NodeJS console keyboard input going straight to a Buffer instead of a string, that would be great!
See point number 5 in this answer if you are interested in what brought my concern.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 1 year ago.
Improve this question
I am making an application using Node.js and Express. I am able to save files to the server using multer, however while sending responses I have two options,
Send the URI of the image in JSON, and let the front-end call this to display the image.
Send the image data using some form of encoding like Base64 as part of JSON.
Since I am new to web development, I am confused as to which option to use. Some people have said that the first option requires two API calls, so can be slow. While I have also heard that the second option will take up more memory resources.
What other things should I consider while choosing, and is there any other way of sending images to the client side?
Option 1
Is less complex since no conversion is needed. These 2 API calls won't slow you down. The image size is way more important!!.. The file can be stored/accessed directly on filesystem and served from there. Also a filedownload is implemented in a short period of time. Also the base64 encoding makes the file roughly ~33% (!!) bigger what has a huge impact on large files regarding performance.
Option 2
Base 64 is more secure as nobody can link to your website as described here .
You only need to use base64 for security reasons OR if you have to transfer the image data as string if you cannot transfer it as binary.
Use Case
If this is your private non-productive project just try out both and use the one you like. In the end you are learning something.. It's only important to stay consistent !
If one option fits better to you, just implement it the way you like. You can always refactor a given part of the application later when you may have more experience or when the core parts of your application are finished. Sometimes, after working a while with one of the techniques it gets more clear which approach to use.
For learning it's sometimes better to go ahead, and implement something what works
and start to refactor as problems occur. Rather than overengineering small
My embedded linux gets its data files from an external source (sd card). As this media is easily detachable I'd like to protect it in a certain way.
First idea that comes in mind is to do encryption. I'm afraid though this would take too much processing power. My files are not deeply sensitive, but I don't want that people can put the card into their desktop and see/copy my files. I assume these people know how to mount a standard ext4 drive.
Content is initially loaded on to the disk via a desktop linux box, so the process should be
I wouldn't care too much if the solution is not hack-proof. Basically I want to avoid to have my content copied by the general copycat.
I'm not looking for a turn-key solution, but like to get some pointers into the right direction.
A simple XOR Cipher requires very little processing. The security is limited in the sense that if someone has a both the encrypted and plain-text data, by XOR'ing the two the encryption key is revealed. However so long as you can avoid someone being knowingly in possession of both, and the key itself remains confidential, it may meet your requirements of simplicity and security.
Obviously you need a longer key that the simple 8 bit one in the example in the link. The key itself can be arbitrarily long with no impact on performance.
Does windows clipboard store copied Strings locally, or, as with files, does it only deal with pointers?
If it does, is it possible to modify the clipboard to make a logfile of all Strings that are routed through it?
I would imagine this could be a dangerous tool against people who hide high entropy passwords somewhere deep in their system (maybe encrypted) and then just copy paste them where needed.
It's certainly possible -- there are plenty of commercial keyloggers (this one, for example) that can log text copied to the clipboard.
You're absolutely right that this is a security risk.
Yes, it looks like you can actually log everything that goes through the clipboard with the AddClipboardFormatListener API call: relevant SO question here. Simply pass the handle of your window in as the only parameter. The SetClipboardViewer function will also work for older versions of Windows.
This is certainly a security risk.
This Microsoft forum suggests that the clipboard is stored entirely in memory, and this part of MSDN talks about receiving a global memory handle on the clipboard.
I saw allot of companies offering exe wrappers , but is there any in pdf side security programmatically ?
Well, you can encrypt the PDF. You can also use custom encryption handler and thus make your file unreadable with stock Acrobat or Reader (one will need to install your decryption plugin to Acrobat or Reader to make them understand your encryption). The problem is acrobat's DRM SDK (the one that allow you create encryption plugins) once had enormous cost (smth. like $25K to start). I don't know if this is still the case, though.
Another not-so-bad option is render everything to graphics - this makes text copying harder (though one can print everything and OCR it back).
The short answer is no. When you give someone the ciphertext, key, and cipher they will always be able to reproduce the plaintext. DRM fails universally for just this reason.
The long answer is that you can sometimes try little gimmicky tricks to prevent copying in some circumstances which may "work" if your audience doesn't try breaking it, but not in the general case. You can't really call something secure which is "safe as long as nobody tries to break it".
The PDF format itself has an "owner password" which allows the author to disallow readers from printing the document, modifying it, etc... Of course there's not actually any mechanism for preventing anyone from doing so. If you are trying to prevent the guys in the marketing department from printing it off or something, then maybe. But if you're releasing it out into the Internet, just assume that it can and will be copied however users see fit.