Re: Reverse usage of public/private RSA encryption keys for licensing?
From: William Stacey [MVP] (staceywREMOVE_at_mvps.org)
Date: 11/23/04
- In reply to: charismatic_evangelist_at_yahoo.com: "Reverse usage of public/private RSA encryption keys for licensing?"
- Next in thread: Valery Pryamikov: "Re: Reverse usage of public/private RSA encryption keys for licensing?"
Date: Tue, 23 Nov 2004 02:45:41 -0500
It works both ways; otherwise you would not be able to decrypt the signature
to get the clear hash to validate the new calculated hash against. Other
implementations allow this directly. .Net allows encrypting the hash only
with the private key. And only allows you to verify the signature
(encrypted hash) using the public key. That is probably a very good thing
as it would probably confuse the heck out of people if it allowed otherwise.
Keeping your private key private is the major idea. Hash your license using
SHA1 or something and encrypt the hash using private key.
RSACryptoServiceProvider.SignData and .VerifyData are easy methods to do
all this for you. The rest of your license could be clear text (i.e. xml)
with the signature in base64. The client gets the signature bytes and runs
VerifyData passing in the clear text, hash algo, and encrypted signature
bytes. The method computes the hash, compares it to the decrypted hash, and
returns true if equal; otherwise false. Naturally, you don't include the
signature when calculating your client hash as that was not included in the
server side hash. That way you validate that only the owner of the private
key could have signed the license. However, the client's public key still
needs to be secured as well as possible in your code or elsewhere. Otherwise a
creative user could change the public key and sign the license with their
own key pair. Obfuscating code using encryption can help in this regard.
Some obfuscators can prevent (at least for now) using ildasm/ilasm
round-tripping. Naturally if you can use ildasm on your assembly, then you
could change the public key or just remove your license "if" test(s),
thereby thwarting your public key security altogether (e.g. walking around
your 1000ft high wall). You can't really get 100% protection, but you can
make it much harder for most.
--
William Stacey, MVP
http://mvp.support.microsoft.com

<charismatic_evangelist@yahoo.com> wrote in message
news:dd8e1652.0411222115.706e19db@posting.google.com...
> The way that RSACryptoServiceProvider works is that we encrypt with a
> public key and decrypt with a private key. This architecture works
> great for people sending messages to me. However, I now have the
> opposite application:
>
> I want to put a license file on a destination computer and be sure
> that it remains unaltered. It would be great if I could encrypt it
> with a private key at our office and transmit the public key and the
> encrypted file to the destination computer, where anybody can decrypt
> it and read it, but not change it because we have the private key at
> our office.
>
> I've read posts to "simply reverse the public and private RSA keys"
> but tried several variations of switching RsaParameters.D, DP, P, DQ,
> Modulus and others, to no avail.
>
> I'm sure that a solution exists, just that I do not know it.
>
> How do I, in C# .NET, send a license file to a destination computer,
> with a public key, anybody can read it, but only we can change it?
>
> Thanks.
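
Added example, not part of the original post: a C# sketch of the sign-at-the-office, verify-on-the-client flow described in the reply, including the case where the verifier's public key has been swapped. The names `LicenseDemo`, `Sign` and `Verify` and the sample license text are constructed for illustration, and SHA-256 with the `HashAlgorithmName` overloads of `SignData`/`VerifyData` is used here in place of the SHA1 mentioned in the post.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LicenseDemo
{
    // Vendor side: hash the clear-text license and sign it with the private key.
    static string Sign(RSA privateKey, string licenseXml)
    {
        byte[] sig = privateKey.SignData(Encoding.UTF8.GetBytes(licenseXml),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return Convert.ToBase64String(sig);   // shipped next to the clear text
    }

    // Client side: needs only the public half of the key pair.
    static bool Verify(RSAParameters publicKey, string licenseXml, string sigBase64)
    {
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            return rsa.VerifyData(Encoding.UTF8.GetBytes(licenseXml),
                Convert.FromBase64String(sigBase64),
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static void Main()
    {
        using (RSA vendor = new RSACryptoServiceProvider(2048))
        using (RSA other = new RSACryptoServiceProvider(2048))
        {
            RSAParameters vendorPublic = vendor.ExportParameters(false);
            string license = "<license><user>alice</user><seats>5</seats></license>"; // constructed
            string sig = Sign(vendor, license);

            // Case 1: untouched license checked against the vendor's public key.
            Console.WriteLine("original:      " + Verify(vendorPublic, license, sig));

            // Case 2: license text edited after signing, signature left as issued.
            string edited = license.Replace("<seats>5<", "<seats>500<");
            Console.WriteLine("edited text:   " + Verify(vendorPublic, edited, sig));

            // Case 3: edited license re-signed with a different key pair,
            // still checked against the vendor's public key.
            string otherSig = Sign(other, edited);
            Console.WriteLine("foreign key:   " + Verify(vendorPublic, edited, otherSig));

            // Case 4: same as case 3, but the verifier's embedded public key was replaced.
            Console.WriteLine("key replaced:  " + Verify(other.ExportParameters(false), edited, otherSig));
        }
    }
}
```

Case 4 is the reason the reply says the public key held by the client has to be protected: the signature check is only as trustworthy as the key it is checked against.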