Let's assume I have two applications: service_1 and service_2.

service_1 is a basic application; every user with a valid license can use this application according to its license.

service_2 is a premium application, meaning a user with a special license can get it with this flow: service_2_login => service_1_login (service2 asks service1 for login; if all is right, then the user can access service2).

The challenge here: when a user is logged in to service2 and wants to use service2.getService(), we need to check their licensing permissions for this operation. Since the license_service is located on the service1 server with the web method is_licensed(User user, Operation operation), we have to operate this communication in a well-secured manner, meaning avoiding man-in-the-middle attacks etc.

The question: how to design this mechanism? My thinking is to use a challenge-response mechanism. First: is that the right way? If yes, it seems like a large development effort. So is there a C# implementation of this mechanism?

Thanks!

Roni
  • How much is access to your service worth? What attacks do you need to defend against? – nvoigt Apr 13 '16 at 11:49
  • The attacks will be worth license abuse (for example: changing the expiration date). The attacker can use a replay attack to reach a free license. – Roni Apr 13 '16 at 11:56
  • What I meant is: what is getting one of your licenses for free worth? If you sell licenses for 50$, you only need to defend against attacks available for 50$. Because if someone is spending more on the attack than your license is worth, you won't stop him or her anyway. For example, yes, you can MITM https, but that's more hassle than a 50$ license is worth. – nvoigt Apr 13 '16 at 12:08
  • @nvoigt The license is worth much more than 50$. Unfortunately it's not my application, and I'm just working on this area. – Roni Apr 13 '16 at 12:22

0 Answers
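The challenge-response idea raised in the question, as an added example that is not part of the original post or of either service's code: service_2 issues a fresh nonce per is_licensed call, and service_1 returns an HMAC over that nonce plus the user, operation and answer, so an old or altered response does not verify. The class names, the pre-shared key and the sample license rule are assumptions, and the code targets .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical sketch: LicenseProtocol, SharedKey and the sample rule are assumed names/data.
static class LicenseProtocol
{
    // Assumption: a 32-byte secret provisioned out of band to both services.
    public static readonly byte[] SharedKey = RandomNumberGenerator.GetBytes(32);

    // The MAC covers the nonce and every field of the answer, so no field can be altered.
    public static byte[] Tag(byte[] nonce, string user, string operation, bool licensed)
    {
        // Length-prefix the strings so ("ab","c") and ("a","bc") produce different input.
        string body = $"{user.Length}:{user}|{operation.Length}:{operation}|{licensed}";
        byte[] bodyBytes = Encoding.UTF8.GetBytes(body);
        byte[] msg = new byte[nonce.Length + bodyBytes.Length];
        Buffer.BlockCopy(nonce, 0, msg, 0, nonce.Length);
        Buffer.BlockCopy(bodyBytes, 0, msg, nonce.Length, bodyBytes.Length);
        using var hmac = new HMACSHA256(SharedKey);
        return hmac.ComputeHash(msg);
    }

    // service_1 side: answer the challenge (license lookup replaced by a constructed rule).
    public static (bool licensed, byte[] tag) Respond(byte[] nonce, string user, string operation)
    {
        bool licensed = user == "alice" && operation == "getService"; // constructed sample data
        return (licensed, Tag(nonce, user, operation, licensed));
    }

    // service_2 side: accept only a positive answer bound to the nonce issued for this request.
    public static bool Verify(byte[] issuedNonce, string user, string operation, bool licensed, byte[] tag)
        => licensed && CryptographicOperations.FixedTimeEquals(tag, Tag(issuedNonce, user, operation, licensed));
}

static class Demo
{
    static void Main()
    {
        byte[] nonce1 = RandomNumberGenerator.GetBytes(16); // fresh 16-byte challenge per request
        var r1 = LicenseProtocol.Respond(nonce1, "alice", "getService");
        Console.WriteLine("fresh response accepted:    " + LicenseProtocol.Verify(nonce1, "alice", "getService", r1.licensed, r1.tag));

        byte[] nonce2 = RandomNumberGenerator.GetBytes(16); // next request gets a new challenge
        Console.WriteLine("replayed response accepted: " + LicenseProtocol.Verify(nonce2, "alice", "getService", r1.licensed, r1.tag));

        var r3 = LicenseProtocol.Respond(nonce2, "bob", "getService"); // bob is not licensed
        Console.WriteLine("flipped answer accepted:    " + LicenseProtocol.Verify(nonce2, "bob", "getService", true, r3.tag));
    }
}
```

Each nonce must be accepted once only and discarded after a short timeout on the service_2 side. The exchange authenticates the license answer but does not hide it, so it sits on top of a TLS connection between the two services rather than replacing one.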