Rethinking rsa encryption of license keys

kee nethery kee at kagi.com
Tue May 14 18:22:31 EDT 2013


On May 14, 2013, at 3:09 PM, Dr. Hawkins <dochawk at gmail.com> wrote:

> On Tue, May 14, 2013 at 2:08 PM, kee nethery <kee at kagi.com> wrote:
> 
>> You embed your public RSA key into your app.
>> You pick a random symmetrical key and encrypt your payload using that key.
>> You encrypt the random symmetrical key with your private RSA key.
>> You append the encrypted random key to your encrypted payload and send
>> that to the customer.
>> You extract the encrypted random symmetrical key from the payload and
>> decrypt it with your embedded public key.
>> You take the decrypted random symmetrical key and use that to decrypt the
>> payload.
>> 
> 
> Cryptography was never one of my areas of math--but doesn't this reduce the
> total security to the security of the symmetrical key used?  I thought that
> the total encryption level was effectively limited to the weakest element
> in the chain . . .

There is nothing insecure about a symmetrical key. The insecurity with a symmetrical key is that both people have to know it and getting it from person A to person B safe and secure is difficult. The public private key pair handles the transport of the symmetrical key. 

If you use a heck-a-long key for the symmetrical stuff, it will be secure (assuming the symmetrical algorithm is secure). 

The only thing that is insecure in the system is your public key embedded in your app. Since your app does all the decryption and payload verification, the bad guys having access to that public key is not a security risk. They cannot create a payload file with the public key.

Kee



More information about the Use-livecode mailing list