Re: PKI confusion...



Remember that signing is similar to encrypting the hash with the private key
so that it can be decrypted with the public key, so if you just need to
encrypt the hash, then perhaps signing gets you close. There may also be a
way you can trick it into signing a hash that is actually a symmetric key in
order to do some sort of bulk encryption.

You really don't want to be thinking in terms of encrypting with the private
key though. It is bad usage and gets you into trouble. This is one of the
reasons MS goes out of their way to prevent you from doing this (there are
also historical legal reasons having to do with export laws). Other crypto
libraries will let you run off and do this, but MS tries to not let you hang
yourself (this time anyway).

It might be beneficial to engage Valery Pryamikov in this discussion as
well, as he knows all the theory and is an expert on licensing and
protecting code assets as well.

http://www.harper.no/valery/

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Ray Cassick (Home)" <rcassickNOSPAM@xxxxxxxxxxxxxxxx> wrote in message
news:uOyKKLFzGHA.2640@xxxxxxxxxxxxxxxxxxxxxxx

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uFocnaAzGHA.772@xxxxxxxxxxxxxxxxxxxxxxx
From a cryptography standpoint, you want to always use the private key
for either decrypting data encrypted with the public key or signing data.
In your case, you should be thinking in terms of signing.


We are also looking into signing as well. Thanks.

From a licensing standpoint, I think a lot of the readers of this group
would suggest that rolling your own licensing system is hard to do and
easy to get wrong, and that you'll be better off using a commercial
licensing program. Also know that most licensing systems are easily
cracked by someone who knows what they are doing, so make sure you set
your expectations appropriately about how much protection this will
really give you. If you are thinking in terms of keeping the honest guys
honest, you'll probably be ok.


Thanks for the comments here, and if I was just setting out to build and
use a licensing package I would most likely go that route (buy vs. build)
but I am also looking to market this package as a separate SDK to other
developers. Without giving away any details here I think we have some
interesting ideas that can add some significant value to the licensing
market. This is the only reason we are working this project from the
ground up.

We have a prototype build but it uses symmetric encryption right now and
testing has shown that with the way .NET is, even with obfuscated code,
this opens us up more than we want. We thought that using an asymmetric
scheme we would be able to release a key that would allow decryption only
while keeping the encryption key safe. Seems not to be the case I guess.
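
The sign-then-verify split Joe describes above, as an added example that is not part of the original thread: the vendor signs a license string with the private key, and the shipped product carries only the public half (exported with `ExportParameters(false)`), which lets it check the signature but not mint a new one. The class and method names (`LicenseSigner`, `Issue`, `Validate`) and the license payload are made up for this illustration; the crypto calls are the standard `System.Security.Cryptography.RSA` API.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original thread). LicenseSigner, Issue and
// Validate are hypothetical names; the license payload is constructed data.
public static class LicenseSigner
{
    // Vendor side: runs at the vendor and never ships. Returns "payload|base64sig".
    public static string Issue(RSA vendorPrivateKey, string licensePayload)
    {
        byte[] payload = Encoding.UTF8.GetBytes(licensePayload);
        byte[] sig = vendorPrivateKey.SignData(payload, HashAlgorithmName.SHA256,
                                               RSASignaturePadding.Pkcs1);
        return licensePayload + "|" + Convert.ToBase64String(sig);
    }

    // Customer side: compiled into the product together with the public key only.
    public static bool Validate(RSAParameters vendorPublicKey, string token)
    {
        int sep = token.LastIndexOf('|');   // base64 never contains '|'
        if (sep < 0) return false;
        byte[] payload = Encoding.UTF8.GetBytes(token.Substring(0, sep));
        byte[] sig;
        try { sig = Convert.FromBase64String(token.Substring(sep + 1)); }
        catch (FormatException) { return false; }

        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(vendorPublicKey);   // modulus and public exponent only
            return rsa.VerifyData(payload, sig, HashAlgorithmName.SHA256,
                                  RSASignaturePadding.Pkcs1);
        }
    }

    public static void Main()
    {
        using (RSA vendor = RSA.Create())
        {
            vendor.KeySize = 2048;
            // false = export only the public parameters; this is what ships.
            RSAParameters pub = vendor.ExportParameters(false);

            string token = Issue(vendor, "product=WidgetSDK;expires=2026-12-31;seats=5");
            Console.WriteLine("valid token verifies:    " + Validate(pub, token));

            // Any change to the payload invalidates the signature.
            string forged = token.Replace("seats=5", "seats=500");
            Console.WriteLine("tampered token verifies: " + Validate(pub, forged));

            // The public half cannot produce a signature, which is why it is safe
            // to ship it inside the product.
            using (RSA publicOnly = RSA.Create())
            {
                publicOnly.ImportParameters(pub);
                try
                {
                    publicOnly.SignData(new byte[] { 1 }, HashAlgorithmName.SHA256,
                                        RSASignaturePadding.Pkcs1);
                    Console.WriteLine("unexpected: signed with public key");
                }
                catch (CryptographicException)
                {
                    Console.WriteLine("public key alone cannot sign (expected)");
                }
            }
        }
    }
}
```

Note what this does and does not buy you, in line with the caveat earlier in the thread: the signature stops anyone from producing a license the product will accept, but it does nothing to stop someone with a disassembler from patching `Validate` to return true, and the symmetric-key "release a decrypt-only key" idea fails because a symmetric key that can decrypt can also encrypt. Signing is the primitive that actually has the asymmetry the original post was looking for.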






