File validity and authenticity
Community Forums/General Help/File validity and authenticity
| ||
| Hiya all. My project writes files to a DVD disc, and the files need authentication. I'm using sha256 to hash the file itself and I write that file to disc too. My question for help what's the best way to make sure that the file and hash are genuine. After all someone could modify the file, generate a new sha256 and burn them to the disc. I suppose I use the hash to encrypt another value but I'm fumbling about a bit. I'm a genuine newbie when it comes to this kind of thing and I'm more than willing to put the hours in studying it, I just need a good direction to start toward. Cheers all. |
| ||
| There's nothing to stop you from adding a bit of post-processing to it - even something as simple as swapping bytes around in a specific order so you've got something a little more bespoke, instead of a straight SHA256 hash. You could even process the returned value (or part of it) repeatedly with SHA256, MD5, SHA1 etc. Unless somebody knows how you did it, it'd be extremely difficult if not impossible to duplicate. |
| ||
| Of course! Why didn't I think of that. So simple. I guess I was thinking of some highly cryptic algorithm that should be used and I forgot about the golden rule - KISS. Thanks! |
| ||
| There's more... ( which I didn't make clear earlier ) The pc that generates the files will be with the customer - ie we sell the machines and software to third party customers so they are 'out in the wild'. Technically speaking it would be easy to disassemble and see what's going on. I don't mind this and understand its as good as impossible to stop it, but this is where the authentication would come in. The scenario is... The machine and software write files to a dvd ( audio and video recorder ). I hash the file(s) using sha256 and save that hash on the dvd too. But, anyone else can do the same, ie write their own files and create hashes of those files, burn them to a disc and call them the genuine article. So I need some way so that if someone asks us to verify the contents of the disc then we and only we can verify it. I've seen something similar using a PGP signature, but I don't understand how it worked. Remember these machines are with the customer and out of our site. I think I've repeated myself a little there trying to get my problem across. |
| ||
| we sell the machines and software to third party customers so they are 'out in the wild' So the machine and the software is bound together somehow. Couldn't you do what a lot of other vendors do and use the unique MAC address of the pc's network card as key for the algo. Read the MAC and do some magic and check with the key you provide if it fits... That way you protect the software and that it does run only on that machine and cannot be used on several other machine (if that is important). |
| ||
| I already do several of these to 'lock' the software to the hardware. one of them is I wrote the burn-to-disc code as a separate process that's encrypted and decrypted using a unique hardware key. The exe is 'hard-encrypted' by me on site. The 'de-crypted' and run as the application is running. Again this 'could' be compromised as the dvd is burning ( by memory process scanning ), but I've made it as much as a pain in the back side to do as possible. The problem now is generating some way to authenticate a video thats been burned to a dvd as proof that the video hasn't been altered and re-authored. Anything I do in the software can easily be reverse-engineered. All that I need to do is handle the situation when the customer comes to us with a disc and asks us to verfify that the audio/video on the disc is in fact genuine. I also put a watermark in the video file - which again under analysis could be duplicated. Do you think something like what I'm trying to do even possible? |
| ||
| Depending on the video format, you may hide an unrecognizable, encrypted watermark eg. in the least significant bits of rgb, that would then result in slight noise and could be verfied only with a long key that exists only at your company. But that would require lossless video. Maybe in the audio, as pcm. Edit - of course, this could also be reverse engineered, as long as the code is running on the same machine. |
| ||
| I'm not sure if this may help fire up some ideas or not... I've just looked more closely at an audio only cd disc produced by a completely machine made by a different department. There is an/the audio file(s) and a sha1 hash for each audio file. Also there is a plain text file with some information about the date, time audio length and also the filename names and hash values for each file saved as a .manifest ( nothing to do windows manifest files, its just a filename extension ). This information file has another file with same name but a different extension ( .sig ) that's a plain text file that contains just a pgp key. I assume somehow the key can be used to verify at a later time if the datas are genuine? But I don't understand how this could so? Any ideas? Thanks |
   |