Re: How do I store secrets?

Y.A.Geek
Date: 07/06/04


Date: Tue, 6 Jul 2004 02:58:50 -0700

How true :-|

"Michael Giagnocavo [MVP]" <mggUNSPAM@atrevido.net> wrote in message
news:OEZ0yQxYEHA.3844@TK2MSFTNGP10.phx.gbl...
> This still only increases the effort required, and the design is still
> fundamentally insecure. I've yet to see *any* licensing system work against
> a moderately interested cracker. This goes for even the really expensive
> systems (FlexLM for instance) that were used on high-end software like Maya
> (back when it cost $50K a license). Some of those weren't even just cracked,
> they were robustly broken (in fact, I seem to remember about 6 years ago,
> seeing a general-purpose tool that could generate licenses on the fly for
> any FlexLM app, not just a specific cracked version).
>
> -mike
> MVP
>
> "Jonathan Pierce" <jpierce@nyc.rr.com> wrote in message
> news:3d0f5457.0407050955.54c074e2@posting.google.com...
> > "Danny van Kasteel" <DannyvanKasteel@discussions.microsoft.com> wrote in
> > message news:<B382D868-2469-4831-92A5-31BAA6A37AB6@microsoft.com>...
> >> Hi,
> >>
> >> I have encountered a scenario where a segment of VB.Net client CODE needs
> >> to digitally sign evidence of a performed action for sending to a server,
> >> which then verifies the signature and performs an action on behalf of the
> >> client.
> >>
> >> To illustrate the problem:
> >> I need code to authenticate a user by means of, for example, biometrics.
> >> The result of this authentication needs to be placed in an "evidence bag"
> >> so to speak, which is then signed, sealed and delivered to a server. The
> >> server absolutely MUST be able to rely on the fact that the "evidence
> >> bag" was signed by MY software.
> >>
> >>
> > Hi Danny,
> >
> > Perhaps you could change your example slightly so that your client
> > software verifies its own identity before sending the request. You
> > could then generate the keypair on the server and distribute the
> > public key only as an embedded resource in your client software, that
> > your client software uses to verify the identity of any signed
> > payloads that you have precreated and preauthorized using their
> > embedded signature presigned by your server. You could use XML digital
> > signatures to accomplish this. We use this technique for our license
> > enforcement where we sign license requests containing hardware
> > specific, product specific, and date specific xml signed license info.
> >
> > You probably also want to make sure that your client code is either
> > native or obfuscated and possibly also encrypted. We sell two products
> > to address these needs, Decompiler.NET and Deploy.NET that you can try
> > by downloading free versions of them from our web site at
> > http://www.junglecreatures.com/
> >
> > If this sounds appropriate to meet your needs, you can see an example
> > in the following article:
> >
> > http://www.codeproject.com/dotnet/xmldsiglic.asp
> >
> > Jonathan Pierce
> > Jungle Creatures, Inc.
> > http://www.junglecreatures.com/
>
>

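The design Jonathan suggests above (keypair generated on the server, only the public key embedded in the client, and the client verifying a server-signed license that carries product-, hardware- and date-specific fields), as an added example that is not from this thread and not Jungle Creatures' code. It assumes Go's standard Ed25519 over a JSON payload in place of the XML digital signatures the post mentions; the product name, hardware id and expiry are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is the server-issued payload; field values used below are constructed examples.
type License struct {
	Product    string    `json:"product"`
	HardwareID string    `json:"hardware_id"`
	Expires    time.Time `json:"expires"`
}

// Issue runs on the server: serialise and sign with the private key, which never ships to clients.
func Issue(priv ed25519.PrivateKey, lic License) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(lic); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// Verify runs on the client with only the embedded public key: signature first, then the fields it covers.
func Verify(pub ed25519.PublicKey, payload, sig []byte, product, hwid string, now time.Time) (License, error) {
	var lic License
	if !ed25519.Verify(pub, payload, sig) {
		return lic, errors.New("signature invalid: payload was not issued by our server")
	}
	if err := json.Unmarshal(payload, &lic); err != nil {
		return lic, err
	}
	if lic.Product != product || lic.HardwareID != hwid {
		return lic, errors.New("license is for another product or machine")
	}
	if now.After(lic.Expires) {
		return lic, errors.New("license expired")
	}
	return lic, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // generated once, on the server
	payload, sig, _ := Issue(priv, License{Product: "ExampleApp", HardwareID: "HW-1234", Expires: time.Now().Add(24 * time.Hour)})
	_, err := Verify(pub, payload, sig, "ExampleApp", "HW-1234", time.Now())
	fmt.Println("license accepted:", err == nil) // true
}
```

This stops forged or edited license files, because only the server's private key can produce a valid signature; as Mike notes above, it does not stop someone patching the client's own Verify call out, which is the limit of any check that runs on the client.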