Rethinking RSA encryption of license keys

Dr. Hawkins dochawk at gmail.com
Tue May 14 16:35:33 EDT 2013


In earlier discussions, I had pretty much settled on using an RSA key pair
for my licensing (particularly, for per use licensing), giving the public
key to the user and retaining the private key.

It just occurred to me, though:  given that this lets them decrypt the
entire license payload, which is full of cleartext, couldn't just plain
anybody make their own key pair, encrypt, and feed my program the custom
key?  (kind of like mounting the screws on the lock on the outside of the
house?[1])

If I'm correct, is the solution to have a somewhat longer public/private
pair, and using that private key to encrypt the user's public key, and keep
it buried in my code, so that the user never has the real key?  And if it
somehow escaped, I could update it in major releases?

[1] We didn't notice at first, but our sliding back door was mounted inside
out, allowing it to simply be lifted off from outside . . .  we then found
that the entire subdivision had been misinstalled like this decades ago.
-- 
Dr. Richard E. Hawkins, Esq.
(702) 508-8462



More information about the Use-livecode mailing list