On 20 Feb 2011, at 11:28am, Roger Binns wrote:

> And if your customers care then they will already have existing solutions
> for encryption and protection which includes dealing with incapacitation of
> users, system administration, backups etc. It is not a good idea to defeat
> those.

And given the actual situation that Robert is writing for, there's a very high chance that someone somewhere will write their password down. Any time someone starts talking about the strength of AES-256 outside a need-entry-only environment I suspect that time's being wasted. Yes absolutely: security experts have to understand encryption strength and common faults in the use of encryption. But whoever cracks this system isn't going to do it by running a brute-force combinatoric attack.

You could write the data to a pen drive rather than the hard disk, and let the teacher carry it in a pocket or purse. That would be more secure than leaving the data file on a desktop computer in a school.

If there's any chance the teacher will type their password in while students are in the room, you've pretty-much blown your security: all it takes is a mobile phone with video recording pointing at the teacher and someone can watch shoulder and arm movements. Or even just dust the keyboard soon after a login and find out which keys are most greasy. Or dust the keyboard before a login and find which keys don't have dust on any more. If the teacher has their back to a window, have someone shoulder-surf them from outside the window. Or look at the reflection in the window.

It all depends on how much advantage there is to cracking that data. If the students can change their marks, that would be worth cracking. If the system is just used to arrange who gets which lunch-shift, there's less chance anyone will bother.

Simon.