This is a classic FAQ (it is in the very old crypto FAQ), but I will give a more detailed explanation of the standard answer.
This is impossible!

Once you give any user a password to the file, then he can secretly share it with other people with the same CD (because nothing on the CD can be different). Adding "online checks" and other such things will not help, because at some point the decryption program run by the legitimate user must end up with the actual decryption key for the document and that can then be shared. Or they can simply share the decrypted document itself and be done with it.

This is what some people call DRM, and it never does anything good for anyone except the companies that sell it to document owners.

However, if you trust the people you give the decryption key to and accept the risk that there is no technical way to prevent them from sharing the document without permission (you could still have a contract that will make it very unpleasant if you catch them), then any regular file encryption will do.

Good candidates:

- PGP/GPG in file encryption mode (not the normal public/private key modes)
- openssl enc command line tool with a long random password made using openssl rand.

No point in doing "double AES" or similar stuff, when stealing the key or the decrypted document is so much easier than breaking the encryption.

On 11/2/2011 1:27 PM, Joe Flowers wrote:
Hello Everyone,

I would like recommendations and suggestions for encrypting a document on a distributed CD. I would like someone to be able to open and read the document only if they have a "password" or secret string or other(?).

I understand there is a limit to how secure this really is, but I would like it to be reasonably secure for what it is, and that's why I'm asking the question here.

Down the same lines, I'm wondering if something like AES-256 should be used with several "rounds" (encrypting the encrypted data N times) to help prevent (slow down) an exhaustive attack?

How is something like this usually done? Any suggestions/recommendations inside or outside the box?

It would also be nice if a common, widely available unencrypting tool could be easily used to unencrypt the document if the secret string is known.

Thanks!

joe.flow...@nofreewill.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
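
The `openssl enc` plus `openssl rand` option suggested in the reply above, shown as a round trip. This is an added example, not part of the original thread; it assumes OpenSSL 1.1.1 or newer for `-pbkdf2` and `-iter`, and the function names, file names and iteration count are illustrative choices.

```shell
#!/bin/sh
# Added example: symmetric file encryption with `openssl enc`, keyed by a
# long random password from `openssl rand`. Assumes OpenSSL 1.1.1 or newer
# for -pbkdf2/-iter. Function and file names are hypothetical.

# Write a 256-bit random password (base64) to a file only the owner can read.
make_password() {   # $1 = password file
    ( umask 077 && openssl rand -base64 32 > "$1" )
}

# Encrypt $1 to $2 using the password stored in file $3.
# -pass file: keeps the password out of the process argument list.
encrypt_doc() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# Decrypt $1 to $2 using the password stored in file $3.
decrypt_doc() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
        -in "$1" -out "$2" -pass "file:$3" 2>/dev/null
}

# Round trip on a constructed sample document; succeeds only if the right
# password restores the document and a different password does not.
roundtrip_demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed sample document\n' > "$dir/doc.txt"
    make_password "$dir/pw" && make_password "$dir/other_pw" || return 1
    encrypt_doc "$dir/doc.txt" "$dir/doc.enc" "$dir/pw" || return 1
    decrypt_doc "$dir/doc.enc" "$dir/good.out" "$dir/pw" || return 1
    cmp -s "$dir/doc.txt" "$dir/good.out" || return 1
    # `enc` has no integrity check: a wrong password normally fails with
    # "bad decrypt", but compare the output rather than trusting the exit code.
    decrypt_doc "$dir/doc.enc" "$dir/bad.out" "$dir/other_pw"
    if cmp -s "$dir/doc.txt" "$dir/bad.out"; then rm -rf "$dir"; return 1; fi
    rm -rf "$dir"
}

roundtrip_demo && echo "round trip ok"
```

The password file is the secret to hand to readers out of band; anyone who holds it can decrypt the file or pass it on, as the reply explains.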