
I want to send a client an encrypted file that contains the license data for my application. As I will use asymmetric encryption, I will encrypt the file using a private key and send it to the client. The application on the client's PC will decrypt the sent file using a public key located in the application code.

The threat model I expect here is that the public key could be extracted from the application .dll files (using .NET Reflector, for example) and used to regenerate the license.

So is there a way to protect my application?

Update:

I went through the code example in the following link for encrypting the XML file.

The problem I am facing now is that, according to the code sample, both keys will be generated on the client PC, same as mine. So is this right, or is there a misunderstanding on my part?

Also, as Alexe Barlescu suggested using the ProtectedData class to protect the private key, how can I achieve that?

Doicare
  • You can't regenerate a license with just the public key. Consider the profit vs the cost of your application being hacked for both you (developer) and the hacker. If you stand to lose too much just use one of the existing libraries, otherwise your scheme sounds fine. Btw, what you described is a digital signature, not encryption – Sten Petrov Jan 23 '16 at 18:51
  • Thanks for your answer, but could you kindly explain more what you mean by what I described is a digital signature? – Doicare Jan 23 '16 at 18:55
  • Asymmetric encryption is when the public key is used and only the private key can read the data. Digital signature is when the private key is used to encrypt something (usually just a hash) and the public key lets everyone check the origin of the message - there's nothing hidden in this case because the public key lets everyone see the real data – Sten Petrov Jan 23 '16 at 21:04
  • Thanks again, that explains why I can't find a good example for my case on the web. I was first using symmetric encryption, then I found out that the key can be extracted easily from the dll file using .NET Reflector. – Doicare Jan 24 '16 at 01:05

1 Answer


Asymmetric Encryption uses two keys:

  • a public key for encrypting the data
  • a private key for the decryption of the data

Encrypt the file containing the license with the client's public key, so only he can decrypt it, with his private key. To make your client's private key safe, encrypt it with the Protect method of the ProtectedData class in the System.Security.Cryptography namespace. The private key will be stored on his computer encrypted; he can decrypt the key only when he needs to decrypt a message sent from you.

Alexe Barlescu
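
The sign-and-verify scheme described in the comments under the question, as an added example that is not part of the original posts: the vendor signs the license with the private key, and the application checks it with the embedded public key. The license text and the names `Sign` and `Verify` are constructed for illustration, and `RSA.Create(2048)` assumes .NET Core 2.0+ or .NET Framework 4.7.2+.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LicenseSignatureDemo
{
    // Vendor side: the private key stays with the vendor and is never shipped.
    static byte[] Sign(RSA vendorKey, byte[] license)
    {
        return vendorKey.SignData(license, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Client side: only the public half is embedded in the application.
    static bool Verify(RSAParameters publicKey, byte[] license, byte[] signature)
    {
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            return rsa.VerifyData(license, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static void Main()
    {
        // Constructed sample license documents (hypothetical fields).
        byte[] license = Encoding.UTF8.GetBytes("<license><user>Example Client</user><expires>2030-01-01</expires></license>");
        byte[] edited = Encoding.UTF8.GetBytes("<license><user>Example Client</user><expires>2099-01-01</expires></license>");

        using (RSA vendorKey = RSA.Create(2048))
        {
            RSAParameters publicOnly = vendorKey.ExportParameters(false); // what the app embeds
            byte[] signature = Sign(vendorKey, license);

            Console.WriteLine("genuine license verifies: " + Verify(publicOnly, license, signature));
            Console.WriteLine("edited license verifies:  " + Verify(publicOnly, edited, signature));

            // Someone who extracts the public key from the assembly holds only this half.
            using (RSA extracted = RSA.Create())
            {
                extracted.ImportParameters(publicOnly);
                try
                {
                    extracted.SignData(edited, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                    Console.WriteLine("unexpected: signing succeeded");
                }
                catch (CryptographicException)
                {
                    Console.WriteLine("public key alone cannot produce a signature");
                }
            }
        }
    }
}
```

The license contents stay readable to the client in this scheme; the signature only proves that the vendor issued them and that they were not changed afterwards.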