Re: Public-key CD-KEY protocol (comments welcomed)
From: Mark Borgerding (mark_at_borgerding.net)
Date: 02/01/04
Date: Sun, 01 Feb 2004 16:01:43 GMT
I think there's a better way of handling your CD-key problem.
Simple. No ciphers needed. No multiple stages.

1. Generate completely random CD keys on a trusted off-line system.
2. Create a database of the hashes of each CD key. MD5 or SHA1 should do
nicely.
3. Copy the database to your on-line verification server. A sorted file
would work well too if you don't want to add a db.
4. To verify a CDkey, the ver. server just checks to see if the hash is
in its database. If the hash is present, then the key is good.

To add more CD-keys, simply repeat steps 1 & 2, then merge the database.

If the verification server is compromised, so what -- rebuild it? The
database is next to useless to an attacker.

The only thing he can do with the db is a dictionary attack. Since the
CDkey will have ~125 bits of entropy (base32, 25 chars), this will
probably be a less economical way of getting CDkeys rather than just
buying them from you :) You could use salt to make an attacker's life
even more difficult. But any multiplication of the attacker's work would
also multiply your work, since you'd have to try all possible salts.

If you are really paranoid, you might even be able to fit the
verification server onto a bootable CD.

It is quite possible I've missed something, since I spent only as much
time thinking about it as it took to make breakfast. Let me know if
this works for you.

- Mark Borgerding
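
The four steps in the message above, sketched as an added example that is not part of the original post. It assumes SHA-256 in place of the MD5 or SHA1 the message names and an in-memory sorted list standing in for the sorted file; all function names are hypothetical.

```python
import bisect
import hashlib
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # base32: 5 bits per character
KEY_LEN = 25                                    # 25 chars * 5 bits = 125 bits


def generate_key():
    """Step 1 (trusted off-line system): one uniformly random CD key."""
    return "".join(secrets.choice(ALPHABET) for _ in range(KEY_LEN))


def normalize(key):
    """Upper-case and drop dashes/spaces so user formatting is ignored."""
    return "".join(c for c in key.upper() if c not in "- ")


def key_hash(key):
    # Assumption: SHA-256 substituted for the MD5/SHA1 named in the message.
    return hashlib.sha256(normalize(key).encode("ascii")).digest()


def build_database(keys):
    """Step 2 (off-line): sorted hashes only; plaintext keys never leave."""
    return sorted({key_hash(k) for k in keys})


def merge_databases(old, new):
    """Adding keys later: repeat steps 1 and 2, then merge the hash lists."""
    return sorted(set(old) | set(new))


def verify(db, candidate):
    """Step 4 (on-line server): binary search for the candidate's hash."""
    k = normalize(candidate)
    # Reject malformed input before hashing (wrong length or alphabet).
    if len(k) != KEY_LEN or any(c not in ALPHABET for c in k):
        return False
    h = key_hash(k)
    i = bisect.bisect_left(db, h)
    return i < len(db) and db[i] == h


if __name__ == "__main__":
    issued = [generate_key() for _ in range(1000)]  # constructed sample keys
    db = build_database(issued)                      # step 3: copy db to server
    print(verify(db, issued[0]), verify(db, generate_key()))
```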