Data & Encryption Protection

Popular saying: What matters is the user’s data. As a goal this makes a lot of sense; as a means it doesn’t work. Tamper-proofing your CODE is exactly the missing piece that makes it work. This is why:

You DO need encryption. You can use hardware support for encryption. But to make encryption useful, you should tamper-proof your encryption code. Imagine a hacker attacking your server and setting breakpoints in the secure encryption procedure. The hacker won’t be able to break the encryption, but he will simply read the passwords out of the computer’s memory.

Almost certainly, customers also need password management. In fact, password management is much more complex than the choice of an encryption algorithm. Unless a customer uses relatively simple password management, this is not too likely to be programmed in-house. Whether simple or complex password management is needed depends more on the application than on the security requirements.

Now it is becoming obvious: use tamper-proofing to protect the password management as well.