Rethinking rsa encryption of license keys

Dr. Hawkins dochawk at gmail.com
Tue May 14 17:09:14 CDT 2013


On Tue, May 14, 2013 at 2:08 PM, kee nethery <kee at kagi.com> wrote:

> You embed your public RSA key into your app.
> You pick a random symmetrical key and encrypt your payload using that key.
> You encrypt the random symmetrical key with your private RSA key.
> You append the encrypted random key to your encrypted payload and send
> that to the customer.
> You extract the encrypted random symmetrical key from the payload and
> decrypt it with your embedded public key.
> You take the decrypted random symmetrical key and use that to decrypt the
> payload.
>

Cryptography was never one of my areas of math--but doesn't this reduce the
total security to the security of the symmetrical key used?  I thought that
the total encryption level was effectively limited to the weakest element
in the chain . . .


> This prevents someone from creating an unlock file that your app can
> decrypt and use. It does not prevent them from passing the file on to
> another user. To attempt to prevent them from passing an unlock payload to
> another user, you'll need to get something from the user and validate that
> against what is in the payload.
>

*That* is not a problem in my case :)

The main payload is the name, address, and bar number (law license), as
well as jurisdiction, of the licensed attorney.

You can't file much under another attorney's name.  (But I red a discipline
case some time ago where an attorney got a sample document from another,
and had so little idea what he was doing that he started filing with the
other attorney's name still listed . . .)



-- 
Dr. Richard E. Hawkins, Esq.
(702) 508-8462


More information about the use-livecode mailing list