So my problem, in its general form, is encrypting test questions such that a cli

Question

So my problem, in its general form, is encrypting test questions such that a client-side testing application can access the questions while students cannot. The naive approach, in my opinion, is to use a symmetric key algorithm, with the key hard-coded within the application, to encrypt and decrypt the questions. The problem of course being that any student with some security savvy could recover the key.

Assuming that a server-based approach is not viable (no internet connectivity), is there a way to secure questions in this scenario such that the application can decrypt them, students cannot, and the key is not stored within the application? I suspect I know the answer, but I would like to hear from those more knowledgeable than myself.

Explanation / Answer

No, you cannot secure data completely if the user has total control of the system and its hardware (and possibly a lot of money; attacking hardware can get quite expensive).

If this is just to prevent cheating, hardcoding the encryption key in an obfuscated manner (so that strings doesn't find it) should be enough though (any student breaking that probably deserves a good grade anyways).

If you are handing out the hardware along with the software (how else would you pass it to the students without internet?) you could go with the approach suggested by raz: encrypt the data with a key based on the computers hardware (eg by adding a PUF to the hardware; but again, access to the hardware means that this can be broken).

You could also look into trusted computing, which tries to achieve what you want (but still, complete access to the hardware means that it can be bypassed with enough money and time).

Related Questions

Navigate

• Browse (All)
• Browse S
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.