-1

I'm looking for advice regarding cryptography.

I'm working on a .NET application for which I need to create a license, so I plan to create an encrypted license file which my application will use to know if it is licensed or not.

License handling is as follows:

  • License Generation:

    1. Generate unique symmetric key.
    2. Use symmetric key to encrypt license information.
    3. Use asymmetric public key to encrypt symmetric key.
    4. Write encrypted symmetric key and encrypted license information to file.
  • License Decryption:

    1. My application will read license file.
    2. Decrypt symmetric key using asymmetric private key, which is an embedded XML file inside the DLL.
    3. Use decrypted symmetric key to decrypt license information.

My questions are:

  • If the DLL which is responsible for decrypting the license has the asymmetric private key as an embedded XML resource, is it possible to spy on the DLL to get the key and generate a new license?
  • Is there another technique I can use which is more secure?
Ebraheem

1 Answer

2

As a very general overview, the simplest way is to sign (there's no real need to encrypt anything really) the information with a private key, and verify the signature with the corresponding public key. That's it. The private key is kept safe and no valid new signatures can be generated without it, so if someone changes the signed information the signature becomes invalid. There's no need for extra symmetric encryption on top of it - it's pointless work as far as I'm concerned.

There are plenty of libraries that already do this easily enough, but it's also not that hard to do it manually. https://github.com/dnauck/Portable.Licensing is one I used before.

Edit: also, yes, in general it's very easy to decompile .NET assemblies, including extracting resources from them.

Alex Paven
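The sign-and-verify approach described in the answer above, as an added example that is not code from either poster or from Portable.Licensing. It assumes .NET Core 3.0 or later; the class name, the `payload.signature` file layout and the sample license text are hypothetical choices made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class LicenseDemo
{
    // Vendor side only: the private key never ships with the application.
    public static string Issue(RSA privateKey, string licenseText)
    {
        byte[] payload = Encoding.UTF8.GetBytes(licenseText);
        byte[] sig = privateKey.SignData(payload, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        // Hypothetical layout: base64(payload) "." base64(signature). Nothing is encrypted.
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(sig);
    }

    // Application side: only the public key is embedded, so extracting it from the
    // assembly does not let anyone produce a new valid signature.
    public static bool TryVerify(byte[] publicKeySpki, string licenseFile, out string licenseText)
    {
        licenseText = string.Empty;
        string[] parts = licenseFile.Split('.');
        if (parts.Length != 2) return false;
        byte[] payload, sig;
        try
        {
            payload = Convert.FromBase64String(parts[0]);
            sig = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { return false; }   // malformed file: treat as unlicensed

        using (RSA rsa = RSA.Create())
        {
            rsa.ImportSubjectPublicKeyInfo(publicKeySpki, out _);
            if (!rsa.VerifyData(payload, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pss))
                return false;                       // payload or signature was altered
        }
        licenseText = Encoding.UTF8.GetString(payload); // trust the fields only after verification
        return true;
    }

    public static void Main()
    {
        using RSA vendorKey = RSA.Create(3072);     // generated here only for the demo
        byte[] pub = vendorKey.ExportSubjectPublicKeyInfo();
        string file = Issue(vendorKey, "customer=Example Ltd;edition=Pro;expires=2030-01-01"); // constructed sample
        Console.WriteLine(TryVerify(pub, file, out string text) + " " + text);
        // Edited payload reusing the original signature: verification must fail.
        string edited = Convert.ToBase64String(Encoding.UTF8.GetBytes("customer=Example Ltd;edition=Pro;expires=2099-01-01"));
        Console.WriteLine(TryVerify(pub, edited + "." + file.Split('.')[1], out _));
    }
}
```

The signature check only detects a modified license file; as the answer's edit notes, the assembly itself can still be decompiled, so the check is only as strong as the code that calls it.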