Installing Secure Data (Encryption)



murraymc
01-21-2005, 06:54 AM
I write software & installers for a company whose product includes data sold in discrete packages. The installer contains all the data and, based on a licence key, a subset of the data can be installed onto the client system.

We still use InstallScript installers, as the data in the installer is encrypted and cannot be (easily) accessed by clients. As I understand it, with Windows Installer installs it is possible to open the installer and access the content.

Is this correct, or is there some way to ensure the data is encrypted in the installer? I can write my own encryption engine to decrypt the data on install, but this can run to a couple of gigabytes of everything from Access databases and text files to GIS mapping data and Folio electronic books, so the decrypt process on the client would not be trivial.

Any help/advice would be greatly appreciated as we are soon going to release a number of new products and upgrade the installers on all the old (ISPro 5.5/6.3) products and I would like to move them all to MSI 3 under IS 10.5.

Murray

LewisQ
01-21-2005, 10:45 AM
Not sure I understood the question completely...

Anyway, here are some points for you:

- MSI files can be opened very easily by tools such as IS, ORCA or even by creating a .NET app that accesses the MSI.Dll via COM Interop.

- Once the MSI database is open, you can browse through all tables.

- Binary data such as files can be streamed out of the MSI.

- Files in CAB files can be easily taken out of the cab.

For my clients that require encryption, I wrote an encryption/decryption engine using very strong encryption, so even if someone extracts the files, they end up with nothing useful to them.

In my experience with several clients, many were surprised how easy it is to "mess" with MSIs...
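
To check what the points above mean for a particular package before it ships, here is an added example (not code from anyone in the thread) that uses the Windows Installer automation interface from PowerShell to report what is readable in an .msi without any key. `$MsiPath`, `Invoke-Com` and `Get-MsiRows` are names assumed for this example.

```powershell
# Added example, not from the thread: read-only audit of your own package.
param([Parameter(Mandatory)][string]$MsiPath)   # assumed parameter name

function Invoke-Com($obj, [string]$name, [System.Reflection.BindingFlags]$kind, $argList) {
    # Late-bound COM call via reflection.
    $obj.GetType().InvokeMember($name, $kind, $null, $obj, $argList)
}

function Get-MsiRows($db, [string]$sql, [int]$columns) {
    # Runs a Windows Installer SQL query and emits each row as a string array.
    $view = Invoke-Com $db 'OpenView' 'InvokeMethod' @($sql)
    Invoke-Com $view 'Execute' 'InvokeMethod' $null | Out-Null
    while ($rec = Invoke-Com $view 'Fetch' 'InvokeMethod' $null) {
        ,@(1..$columns | ForEach-Object { Invoke-Com $rec 'StringData' 'GetProperty' @($_) })
    }
    Invoke-Com $view 'Close' 'InvokeMethod' $null | Out-Null
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$fullPath  = (Resolve-Path $MsiPath).Path
$db = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($fullPath, 0)   # 0 = read-only

# Every table name is visible to anyone who holds the file.
$tables = @(Get-MsiRows $db 'SELECT `Name` FROM `_Tables`' 1 | ForEach-Object { $_[0] })
"Tables readable without any key: $($tables.Count)"

if ($tables -contains 'Media') {
    foreach ($row in (Get-MsiRows $db 'SELECT `DiskId`,`Cabinet` FROM `Media`' 2)) {
        # A leading '#' means the cabinet is stored as a stream inside the .msi itself.
        $where = if ($row[1] -like '#*') { 'cabinet embedded in the .msi' }
                 elseif ($row[1])        { 'external .cab shipped beside the .msi' }
                 else                    { 'uncompressed files on the media' }
        "Media $($row[0]): '$($row[1])' -> $where"
    }
}

if ($tables -contains 'File') {
    $files = @(Get-MsiRows $db 'SELECT `FileName`,`FileSize` FROM `File`' 2)
    $bytes = ($files | ForEach-Object { [long]$_[1] } | Measure-Object -Sum).Sum
    "File table: $($files.Count) payload files, $bytes bytes; names stored in clear text, e.g.:"
    # FileName is 'short|long'; show the long name of the first few entries.
    $files | Select-Object -First 10 | ForEach-Object { "  $(($_[0] -split '\|')[-1])" }
}
```

Anything this report lists is visible to a customer with the installer, so data that must stay licensed needs to be encrypted before it is added to the package.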

Christopher Painter
01-22-2005, 09:49 AM
MSI was designed that way on purpose to support the requirements of SysAdmins and make the lower TCO argument for Windows 2000 migrations. It seems MS was touting all the benefits to MIS departments while practically (for me at least) shoving MSI down the throats of setup developers who were perfectly happy using existing installation technologies.

From the installs that I've picked apart, I've seen that usually when a vendor wants something to be secret, they move business rules and even enabling resource data into DLL custom actions, similar to how LewisQ described.

murraymc
01-24-2005, 05:27 AM
I suspected as much. I guess I will have to finish the Compression DLL I started last year to use as Encryption. :rolleyes:

M

Christopher Painter
01-24-2005, 08:30 AM
InstallShield was purchased by Macrovision, a company (in)famous for their anti-piracy technologies. You might want to check with them on a system like SafeDisc or something and see what it would cost vs your development time to do it yourself.