Rethinking RSA encryption of license keys

kee nethery kee at kagi.com
Tue May 14 17:08:39 EDT 2013


You embed your public RSA key into your app.
You pick a random symmetrical key and encrypt your payload using that key.
You encrypt the random symmetrical key with your private RSA key.
You append the encrypted random key to your encrypted payload and send that to the customer.
You extract the encrypted random symmetrical key from the payload and decrypt it with your embedded public key.
You take the decrypted random symmetrical key and use that to decrypt the payload.

This prevents someone from creating an unlock file that your app can decrypt and use. It does not prevent them from passing the file on to another user. To attempt to prevent them from passing an unlock payload to another user, you'll need to get something from the user and validate that against what is in the payload.

Kee

On May 14, 2013, at 1:35 PM, Dr. Hawkins <dochawk at gmail.com> wrote:

> In earlier discussions, I had pretty much settled on using an RSA key pair
> for my licensing (particularly, for per use licensing), giving the public
> key to the user and retaining the private key.
> 
> It just occurred to me, though:  given that this lets them decrypt the
> entire license payload, which is full of cleartext, couldn't just plain
> anybody make their own key pair, encrypt, and feed my program the custom
> key?  (kind of like mounting the screws on the lock on the outside of the
> house?[1])
> 
> If I'm correct, is the solution to have a somewhat longer public/private
> pair, and using that private key to encrypt the user's public key, and keep
> it buried in my code, so that the user never has the real key?  And if it
> somehow escaped, I could update it in major releases?
> 
> [1] We didn't notice at first, but our sliding back door was mounted inside
> out, allowing it to simply be lifted off from outside . . .  we then found
> that the entire subdivision had been misinstalled like this decades ago.
> -- 
> Dr. Richard E. Hawkins, Esq.
> (702) 508-8462
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
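The six steps in Kee's message, as an added worked example (mine, not code from the original post or from LiveCode). It uses only the Python standard library, so three things are stand-ins I chose rather than anything the message specifies: a small Miller-Rabin routine generates demo-sized RSA keys (use 2048 bits or more in a product); HMAC-SHA256 in counter mode with an HMAC tag stands in for AES-GCM as the "symmetrical" cipher; and the value that gets "encrypted with the private key" is not the bare random key but a structured block, a hypothetical MAGIC marker plus the key plus a SHA-256 digest of both. That last choice is the check a practitioner wants: with raw RSA and no structure, anyone holding the embedded public key can pick an arbitrary "encrypted key" c, compute c^e mod n, and use whatever comes out as a perfectly valid symmetric key for their own payload. The digest and marker mean a value that was not produced with the private exponent is rejected, which is what makes the forgery-resistance claim in the message hold. All function and constant names are my own.

```python
# Added example, not code from the original post. RSA keygen, the structured
# key block and the HMAC-based symmetric cipher are stand-ins chosen here.
import hashlib
import hmac
import secrets

MAGIC = b"LICKEY1"  # hypothetical marker bytes for the wrapped-key block
SYM_KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32
SMALL_PRIMES = [p for p in range(2, 2000)
                if all(p % q for q in range(2, int(p ** 0.5) + 1))]

def is_probable_prime(n, rounds=32):
    # trial division against small primes, then Miller-Rabin
    if n < 2 or any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits=1024):
    # returns ((n, e), (n, d)); 1024 bits keeps the pure-Python demo fast
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def modulus_len(n):
    return (n.bit_length() + 7) // 8

def keystream(key, nonce, length):
    out = b""
    for ctr in range(-(-length // 32)):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def subkeys(key):
    # separate encryption and MAC keys derived from the one random key
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())

def sym_encrypt(key, plaintext):
    enc_key, mac_key = subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def sym_decrypt(key, blob):
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None  # payload tampered with: fail closed
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

def encode_key_block(key, n):
    body = MAGIC + key + hashlib.sha256(MAGIC + key).digest()
    return body.rjust(modulus_len(n), b"\x00")  # zero-padded so the integer is < n

def decode_key_block(block):
    # returns the key only if padding, MAGIC and digest all check out
    body_len = len(MAGIC) + SYM_KEY_LEN + 32
    if len(block) < body_len:
        return None
    pad, body = block[:-body_len], block[-body_len:]
    key, digest = body[len(MAGIC):len(MAGIC) + SYM_KEY_LEN], body[-32:]
    ok = (pad == bytes(len(pad)) and body.startswith(MAGIC)
          and hmac.compare_digest(digest, hashlib.sha256(MAGIC + key).digest()))
    return key if ok else None

def vendor_make_unlock_file(priv, payload):
    # vendor side: random key, encrypt payload, wrap key with private exponent, append
    n, d = priv
    key = secrets.token_bytes(SYM_KEY_LEN)
    m = int.from_bytes(encode_key_block(key, n), "big")
    return sym_encrypt(key, payload) + pow(m, d, n).to_bytes(modulus_len(n), "big")

def app_open_unlock_file(pub, unlock_file):
    # app side: unwrap with the embedded public key, check structure, decrypt payload
    n, e = pub
    k = modulus_len(n)
    if len(unlock_file) < k:
        return None
    m = pow(int.from_bytes(unlock_file[-k:], "big"), e, n)
    key = decode_key_block(m.to_bytes(k, "big"))
    return None if key is None else sym_decrypt(key, unlock_file[:-k])
```

Usage: `pub, priv = rsa_keygen()` on the vendor machine, embed `pub` in the app, ship `vendor_make_unlock_file(priv, payload)` to the customer, and have the app call `app_open_unlock_file(pub, data)`. A file produced with somebody else's key pair, a file whose payload bytes were altered, or a file whose trailing block was simply made up all come back as None rather than as a key the app would go on to trust. Binding the payload to a per-customer value, as the message suggests for stopping pass-along, is a separate check done on the decrypted payload and is not shown here.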