Would you be OK with this way of verifying a license? [closed]

I have an XML file describing the name of the company the product is licensed for, the version and some extra information.

Looking something like this:

<Licence>
  <Name>sdfsdf</Name>
  <Version>1.2.1.1</Version>
  <NumberOfServer>4</NumberOfServer>
</Licence>

I then sign this file using a private key and get:

<Licence>
  <Name>sdfsdf</Name>
  <Version>1.2.1.1</Version>
  <NumberOfServer>4</NumberOfServer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>M368eFB9ydifttSxX26sB6XiPV4=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>TTYP6d+zESn6/2PtL5ikN+7E9u8Njm32vYVyVANC5U0EGLBwS//3yPjUoBx3glJXHClzPQBQEUi0LJNauTFvo1IBYwLjAuaYGtleti4IXpjrQCVaIudETSv5Z7oB8+C/+nsqsC26fXf9vWxvaKXJJzcep88r0wIfVe31HSd18FU=</SignatureValue>
  </Signature>
</Licence>

I then ship the public key in the application and read the file to make sure they have the right version and "NumberOfServer" that the license key is for.

What are the downsides of this approach?

Thanks

Riri asked Dec 17 '22 08:12

1 Answer

One problem: an attacker can generate a key pair, a license, sign the license with that private key, then replace the public key in the application with their own. It might sound far-fetched, but it is the kind of thing thieves do.

If you are trying to protect something marketed to a dishonest demographic (for example, kids who haven't yet learned the value of integrity), dongles are more robust.

If you are selling to people or businesses that care about their reputation, this is sufficient to help them stay honest and keep track of their licenses.

erickson answered Jan 29 '23 19:01
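A worked version of the scheme from the question, together with the check the answer is weighing, written here as an added example in Go; it is not code from the question or the answer. It uses a simplified signature format rather than real XML-DSig (the Signature element just carries a base64 RSA signature over the licence serialised without that element, which stands in for the enveloped-signature transform and canonicalisation), and SHA-256 instead of the rsa-sha1 shown in the post. The function names SignLicense, VerifyLicense and Entitled, and the sample licence values, are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// License mirrors the fields of the licence file in the question. Signature is a
// simplified stand-in for the XML-DSig element: a base64 RSA signature over the
// other fields, left out of the bytes that get signed.
type License struct {
	XMLName        xml.Name `xml:"Licence"`
	Name           string   `xml:"Name"`
	Version        string   `xml:"Version"`
	NumberOfServer int      `xml:"NumberOfServer"`
	Signature      string   `xml:"Signature,omitempty"`
}

// signedBytes is the deterministic serialisation that is signed and verified:
// the licence with the Signature element removed (the role the enveloped-signature
// transform and canonicalisation play in a real XML-DSig file).
func signedBytes(lic License) ([]byte, error) {
	lic.XMLName = xml.Name{} // struct tag fixes the root name; drop any parsed value
	lic.Signature = ""
	return xml.Marshal(lic)
}

// SignLicense fills in lic.Signature with an RSA PKCS#1 v1.5 / SHA-256 signature
// made with the vendor's private key, which never ships with the product.
func SignLicense(priv *rsa.PrivateKey, lic License) (License, error) {
	data, err := signedBytes(lic)
	if err != nil {
		return lic, err
	}
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return lic, err
	}
	lic.Signature = base64.StdEncoding.EncodeToString(sig)
	return lic, nil
}

// VerifyLicense parses a licence file and checks its signature with the public
// key embedded in the application. It returns the parsed licence only when
// Name, Version and NumberOfServer are exactly what the vendor signed.
func VerifyLicense(pub *rsa.PublicKey, fileXML []byte) (License, error) {
	var lic License
	if err := xml.Unmarshal(fileXML, &lic); err != nil {
		return License{}, err
	}
	if lic.Signature == "" {
		return License{}, errors.New("licence carries no signature")
	}
	sig, err := base64.StdEncoding.DecodeString(lic.Signature)
	if err != nil {
		return License{}, err
	}
	data, err := signedBytes(lic)
	if err != nil {
		return License{}, err
	}
	digest := sha256.Sum256(data)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return License{}, errors.New("licence signature invalid: " + err.Error())
	}
	return lic, nil
}

// Entitled is the check the question describes: does a verified licence cover
// the running product version and the number of servers actually in use?
func Entitled(lic License, version string, serversInUse int) bool {
	return lic.Version == version && serversInUse <= lic.NumberOfServer
}

func main() {
	// Constructed sample: the vendor's key pair and the licence from the question.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	signed, err := SignLicense(priv, License{Name: "sdfsdf", Version: "1.2.1.1", NumberOfServer: 4})
	if err != nil {
		panic(err)
	}
	file, _ := xml.MarshalIndent(signed, "", "  ")
	fmt.Println(string(file))

	// What the shipped application does with its embedded public key.
	lic, err := VerifyLicense(&priv.PublicKey, file)
	if err != nil {
		panic(err)
	}
	fmt.Println("verified; entitled for 4 servers:", Entitled(lic, "1.2.1.1", 4))
}
```

VerifyLicense rejects an edited NumberOfServer, a missing signature, and a licence signed with a different key, because the digest no longer matches. What it cannot notice is that the public key compiled into the application has itself been replaced, which is the answer's point: the check is only as strong as the integrity of the shipped key, so it keeps honest customers honest rather than stopping someone prepared to modify the application.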