0

I'm looking for a secured way to implement a license file for my application, with flags and features. I read about Asymmetric key mechanism in C#, but the RSA purpose is little opposite from what I need.

I want to generate a license file: encrypted cipher. The application would have the key to decrypt the file - but wont have the ability to re-encrypt it. Everywhere I checked, the example shows how party A generates public and private keys and passes the public key to party B so it can use it for encryption. It's probably there between the lines, but I can't see it.

I checked this one: Encrypting and Decrypting

I can find a way to use the code I see to implement it, but I'm not sure it's really secured.

user3079459
  • 23
  • 4
RoeeK
  • 1,112
  • 12
  • 23
  • I think you actually want a signature, not encryption/decryption. – CodesInChaos Dec 08 '13 at 18:12
  • @CodesInChaos: could you explain? i'm not familiar with the 'signature' flow. – RoeeK Dec 08 '13 at 18:59
  • so i looked at: http://msdn.microsoft.com/en-us/library/9tsc5d0z(v=vs.110).aspx 1. what should i sign (probably not plain text). i need to sign something like: "num=10;enable_feature=1" 2. how should i protect the keys in the client side? – RoeeK Dec 08 '13 at 20:50

2 Answers2

1

You can still use asymmetric encryption: generate a public-private key pair, encrypt with the private key, and the client (the "application" as you mentioned) can decrypt it with the public key.

Of course, a public key (and the private key too) can be used for both encrypting and decrypting.

But re-encrypting plain text with a public key would generate a completely different cypher than a cypher encrypted using a private key. Decrypting and re-encrypting with the same key would produce a different result, and so it's useless.

dcastro
  • 66,540
  • 21
  • 145
  • 155
0

What dcastro said above is absolutely correct, and you should give him credit. I just want to add to it, but can't yet comment. If you encrypt the license information with our private key, and distrute your public key with the application, you would be able to decrypt the license information. Without the private key, it wouldn't be possible to re-encrypt a different version of the license that could be decrypted with the public key without using the private key.

Asymetric encryption works like this.

Information encrypted with public key can only be decrypted using the private key. Information encrypted with the private key can only be decrypted using the public key.

Now for the kicker.. You're probably going to want to encrypt your license with a symmetric algorithm, and encrypt the key needed to decrypt it with the asymmetric algorithm. This way the length of your license data isn't limited by the asymmetric and the symmetric key can be customer specific.

Like I said, give the credit to dcastro.

Andyalmq
  • 89
  • 2
  • good point. i did thought about it this way using AES. good thing to write it down here :) – RoeeK Dec 08 '13 at 10:16
  • And thank you. You pushed me to where I need to be to comment. – Andyalmq Dec 08 '13 at 10:18
  • If you only used RSA encryption instead of a signature that'd be bad style, but might have been secure. Hybrid encryption on the other hand is clearly not a secure signature scheme. Simply extract the symmetric key, and use it to encrypt a new message which will be accepted by the application. – CodesInChaos Dec 08 '13 at 18:15