Re: RSA question
- From: gordonb.u9hvj@xxxxxxxxxxx (Gordon Burditt)
- Date: Sat, 21 Feb 2009 15:56:14 -0600
I'm no expert, but the obvious security issue I see is that if you
encrypt something which can be decrypted using a public key, then
*anyone* with access to that public key can decrypt it.
That's the whole point: only the holder of the private key can
create such a signed message, but anyone can verify it. The message
is something like "you're an authorized copy" vs. "you're a 30-day
demo copy" vs. "only parts A, B, Q, and Z are paid for".
One of the points here is that you don't want to embed a private key
in the software, as that will permit someone who finds it to write
their own license key generator. That's a lot more devastating than
a little key-sharing.
You originally said you wanted to send "software licences". I assume by
this you mean code numbers that unlock software you're selling and allow
it to be installed. I assume you want to encrypt these licence codes so
that people who have not paid for the software cannot install it. Right?
A license code scheme generally wants the author to *SIGN* license
keys, so the software (which has the public key embedded into it)
can verify that it's an authentic license key. Sometimes,
customer-dependent data (name (displayed on startup), computer
serial number, checksum of BIOS, credit card number, etc.) is placed
in the message so it annoys an honest customer if he upgrades or
repairs his system, and it won't work on just any computer it's put
on.
I hope so, otherwise the rest of this message is irrelevant.
Well, first you ought to be aware that all software copy protection
schemes are hackable so, whatever you do, a hacked (permanently
unlocked, and untraceable) version of your software may find its way
onto peer-to-peer file sharing networks. There's nothing you can do
about this so we'll put that aside for the sake of discussion.
This is true, unless you move enough of the application into a
client-server setup with the server being operated by the software vendor.
Secondly, whatever mechanism you put into place within your software for
decrypting the license will necessarily work in any copy of the
software, so you gain nothing by using encryption. If you think that the
encryption will stop eavesdroppers seeing the license code as it goes
over email, bear in mind that whatever gets sent can be applied equally
by anyone on any copy of the software whether encrypted or not.
Some setups embed characteristics of the computer into the key, so it
will *not* work on any computer with a copy of the software. Serial
numbers. Processor type. Hard disk model. This is designed to annoy
the customer when his hardware needs replacing.
Some software which operates over the network is able to detect
shared license codes by broadcasting its own license code and noticing
if anything else is broadcasting the same code. Thus, sharing one
copy within your company doesn't work.
One way to issue software licences, used by the likes of Microsoft for
instance, is to put the licence code on the physical product so that it
doesn't need to be sent over the wire in the first place. For software
sold online, the licence code can contain the purchaser's name in some
encoded form which the software will display once unlocked. This at
least acts as a minor deterrent to people sharing their own copy of the
unlocked software, but it doesn't prevent an eavesdropper from stealing
the licence code themselves and just ignoring the incorrect licensee
name.
Depending on the nature of the software you may be able to assume there
is an Internet connection, in which case you could arrange for the
software to contact your server, tell it the licence number, and ask if
it is a valid licence before running. You can then correlate this
information to spot when a single copy of the software is being widely
distributed, and revoke the licence, thus either disabling the
illegitimate copies or popping up a message requesting payment. However,
such a mechanism is more likely to annoy your customers than it is to
get you sales you wouldn't otherwise get.
Microsoft's record on this point is particularly horrible.
If eavesdropping of the licence codes in transit is your main concern,
That shouldn't be the main concern. Usually, the main concern is
*the customer himself* (or his employees) sharing it. Customer
buys one license, uses it 100 times. Or employee makes a copy and
uses it at home.
rather than people sharing the already unlocked software, then you would
be better to use something like an SSL protected website to display the
licence code to the user who has just purchased it, rather than sending
it via email.
It's not email snoopers that's the threat. It's the CUSTOMER that's
the threat.
.
- Follow-Ups:
- Re: RSA question
- From: James Taylor
- Re: RSA question
- References:
- RSA question
- From: sluijten
- Re: RSA question
- From: Bryan Olson
- Re: RSA question
- From: sluijten
- Re: RSA question
- From: James Taylor
- RSA question
- Prev by Date: Re: ASCII Requires a Temporary Substitution During Encryption.
- Next by Date: Draft paper submission deadline extended: ISP-09
- Previous by thread: Re: RSA question
- Next by thread: Re: RSA question
- Index(es):
Relevant Pages
|
