We're using XML Digital Signatures for signing and verifying our license keys. The signing works fine and has been running smoothly. The XML license file contains a few (plaintext) details about the license, along with a binary signature.

We'd like to encode (I don't say encrypt) those plaintext details (license duration, user name, etc.) so they're not immediately visible to prying eyes. Is there a standard (e.g., Base64 or something else) that people use in this situation? It doesn't need to be secure or particularly clever, just enough to conceal the information in Notepad.

EDIT: We're using .NET/C#.

Thanks : )

Swingline Rage
  • What's wrong with Base64? Easy to encode/decode, built-in support in many languages/libraries. Looks obfuscated enough to the naked eye. – Traveling Tech Guy May 27 '10 at 20:05
  • We're a little gun shy. From what I understand somebody did an encoding which ended up producing illegal chars in the XML, and all hell proceeded to break loose. So base 64 would be my choice but as I'm a complete newbie to the area of licensing, I'm doing due diligence to make sure I'm not insane. :) – Swingline Rage May 27 '10 at 20:35

4 Answers

Just use XOR. XOR is a good thing (when used right), used even in cryptographic algorithms such as RC4. By using XOR I mean taking some text string that will remain constant in your application, then XOR the 1st byte of your file with the 1st byte of that string, then XOR the 2nd byte of your file with the 2nd byte of that string, and so on. Then start from the beginning of the string. This is the way stream ciphers work. The string found in your code (as opposed to just some constant number) will make a hacker's work a tiny bit more complicated.

Eugene Mayevski 'Callback

A simple hex encoding would accomplish that. It is also easy to decode. If you mention which language or platform you are writing the code in, someone could make a more specific recommendation.

Amardeep AC9MF

If you're simply looking to obfuscate the details, then I would think a Base64 or equivalent encoding mechanism would be fine.

I'm not familiar with any sort of standard around exactly what you're trying to do, since most people would argue that what you're trying to do doesn't really achieve anything (since it falls within the realm of "security through obscurity").

Rob Hruska
  • Thanks, and good point. Our licensing scheme is pretty minimalistic - just enough to keep the honest users honest. And you're right, there are exactly zero standards in this area. I'm a little surprised .NET doesn't ship with better out-of-the-box support for licensing. There are the licensing classes and the (ridiculously expensive) MS Licensing Services but... no easy-to-use blackbox component that provides basic public key/private key licensing in a few common configurations. – Swingline Rage May 27 '10 at 20:38
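
Added example, not code from any of the posters: it Base64-encodes license fields so the stored text stays within XML's legal character set, and checks whether raw repeating-key XOR output (the scheme from the XOR answer) would be legal in XML 1.0 without a further Base64 or hex step. The element names, field values and key string are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Xml;
using System.Xml.Linq;

static class LicenseFieldEncoding
{
    // Constructed sample key; stands in for "some constant string in your application".
    const string XorKey = "constructed-sample-key";

    // Repeating-key XOR as described in the XOR answer. The result is arbitrary bytes.
    static byte[] Xor(byte[] data)
    {
        byte[] key = Encoding.UTF8.GetBytes(XorKey);
        return data.Select((b, i) => (byte)(b ^ key[i % key.Length])).ToArray();
    }

    // True only if every byte, read as a character, is allowed in an XML 1.0 document.
    static bool IsXmlSafe(byte[] bytes) => bytes.All(b => XmlConvert.IsXmlChar((char)b));

    // Base64 output uses only A-Z, a-z, 0-9, '+', '/' and '=', all legal XML text.
    static string Encode(string plain) => Convert.ToBase64String(Encoding.UTF8.GetBytes(plain));
    static string Decode(string b64) => Encoding.UTF8.GetString(Convert.FromBase64String(b64));

    static void Main()
    {
        // Constructed license fields (names are assumptions, not the poster's schema).
        var fields = new[] { (Name: "UserName", Value: "example.com"),
                             (Name: "Expires",  Value: "2010-06-01") };

        // XOR of printable text with a printable key can land on control characters.
        byte[] xored = Xor(Encoding.UTF8.GetBytes(fields[0].Value));
        Console.WriteLine($"Raw XOR output legal in XML: {IsXmlSafe(xored)}");
        Console.WriteLine($"XOR output wrapped in Base64: {Convert.ToBase64String(xored)}");

        // Store each field as Base64 text inside its element.
        var license = new XElement("License",
            fields.Select(f => new XElement(f.Name, Encode(f.Value))));
        Console.WriteLine(license);

        // Reading the file back: decode each element's text.
        foreach (XElement e in license.Elements())
            Console.WriteLine($"{e.Name} = {Decode(e.Value)}");
    }
}
```

Encode the fields before the document is signed, so the signature is computed over the Base64 text that ships in the file.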

As a user of license keys, I would recommend against this obfuscation. It is often very useful when auditing the license to determine the details you are referring to. If I can get them from the XML description, it can save a substantial amount of time. It also helps discover incorrectly deployed licenses. If I find a key issued to example.com instead of the organization I work for, I know we need to address the issue. If it is issued to ZXhhbXBsZS5jb20K (example.com in base64), I will not think twice about it. I also have to deal with ensuring licences are renewed on time. When do I renew a license with an expiry of MjAxMC0wNi0wMQo=?

BillThor
  • This interests me. You're saying that, as a *user*, you find yourself examining .lic key contents? But what if we're using (for example) your unique machine ID or some hash thereof as part of the license? Would it bother you to open a LIC file and see that information sitting there in plain text? – Swingline Rage May 27 '10 at 20:41
  • It would bother me more if I as a user found that you kept some sensitive information of mine in the .lic file and attempted to hide this fact from me. – Eugene Mayevski 'Callback May 27 '10 at 20:56
  • Not in the least. This is information which I would use in an audit of the licence usage. If I find a key for IP 192.0.2.15 being used on a key server with IP 192.0.2.41, I would want to rectify the situation. Likewise for any other information identifying the server. Not having the information in the license can make it difficult to deploy licenses properly, as I can't readily identify which server the license should be on. – BillThor May 28 '10 at 21:36