Product Keys Based on Elliptic Curve Cryptography

• Download Certicom's SEC 1 Whitepaper - 310.7 Kb
• Download Certicom's SEC 2 Whitepaper - 124.8 Kb
• Download NIST Recommended Curves Whitepaper - 277.4 Kb
• Download BaseExp Source Code - 3.1 Kb
• Download DPVal Source Code- 5.5 Kb
• Download KeyGen Source Code - 4.9 Kb
• Download KeyVal Source Code - 5.1 Kb
• Download ecc160test Source Code - 3.7 Kb
• Download ecctest1 Source Code - 4.0 Kb
• Download ecctest2 Source Code - 4.5 Kb
• Download ecctest3 Source Code - 4.5 Kb
• Download ecctest4 Source Code - 4.8 Kb
• Download ecctest5 Source Code - 5.0 Kb
• Download ecctest6 Source Code - 5.4 Kb
• Download ecctest7 Source Code - 5.6 Kb
• Download ecctest1 - ecctest7 Source Code - 34 Kb

Introduction

A popular method of product validation is using keys similar to VJJJBX-H2BBCC-68CF7F-2BXD4R-3XP7FB-JDVQBC. These compact keys can be derived using Public Key Cryptosystems such as Elliptic Curve Cryptography. Other Public Key Cryptosystems are available such as RSA. However, these systems generally produce larger keys, which the user will eventually have to enter into the program to unlock functionality. Smaller producing Cryptosystems exist, but it is the author's opinion that they are highly encumbered with patents. Quartz is one such example. It is a Public Key Encryption System that produces a smaller cipher text based on Hidden Field Equations (HFEs). The Quartz website is littered with phrases such as "must license" and "pay royalties".

The reader is also encouraged to investigate Signature Schemes with Recovery as an alternative method to producing Product Keys. An example is PSS-R, a Message Recovery Signature Scheme based on RSA. PSS-R is not suitable for product keys due to the size of the resulting key. However, cryptosystems such as a Weil Pairing system should be of interest. Once Weil Pairing is finalized in committee, it will be added to the Crypto++ library.

Finally, the reader should also visit Product Keys Based on the Advanced Encryption Standard to familiarize themselves with basic concepts of Product Keys in the domain of Public Key Cryptography; and Product Activation Based on RSA Signatures. This article will discuss in detail the following topics:

• Elliptic Curve Cryptography Implementation in Crypto++
• Using Elliptic Curves with User Defined Domain Parameters In Crypto++
• Base Encoding a cipher text String in Crypto++
• Working Demo which Exercises Product Keys based on ECC
• Bulk Product Key Generation
• Product Key Validation
• Product Activation
• Securely Saving Key or Activation State to the Registry

This article is based on the Visual C++ 6.0 Environment in hopes that it reaches the largest audience. There are 16 downloads available with this article, which are presented at the top of the page.

Elliptic curve cryptography

This article assumes that the reader has a basic understanding of Cryptography. For an overview, see Gary Kessler's An Overview of Cryptography. For an ECC Tutorial, see Certicom's ECC Tutorial. For a casual Cryptography reader, Elliptic Curve Cryptography should prove to be interesting, as it is not like RSA (based on Integer Factorization), Diffie-Hellman and ElGamal (based on Discrete Logarithms), or MQ (Multivariate Quadratics). However, ECC is related to DLP. This article uses comparatively small EC key sizes. This is justified in that the Product Key lifetime is relatively short, based directly on Product Life Cycles. RSA Laboratories offers the following recommendations for key sizes:

Protection Lifetime of Data	Present � 2010	Present � 2030	Present � Beyond 2031
Minimum Symmetric Security Level	80 bits	112 bits	128 bits
Minimum RSA Key Size	1024 bits	2048 bits	3072 bits

Below is a comparison of the equivalent Key sizes of ECC and RSA.

The following Figure estimates the Security Level of ECC and RSA & DSA in MIPS Years.

The friendly folks at the US Government's NSA have put together some reading that may also be of interest. The article is titled The Case for Elliptic Curve Cryptography. It is very noteworthy that Peter Shor of AT&T Research has a Quantum Factoring Algorithm, which runs in O((log n)³) time. Additionally, Shor has proposed a Quantum Root Finding Algorithm that is also polynomial in time complexity (to solve the Discrete Logarithm problem). In 2001, IBM built a quantum computer capable of factoring the number 15 (using 7 qubits - the quantum equivalent of 2⁷) using Shor's Algorithm. It is believed the future will produce quantum computers with over 1000 qubits. Finally, J. E. Cremona has published his book Algorithms for Modular Elliptic Curves online.

Compiling and integrating Crypto++

Please see the related article, Compiling and Integrating Crypto++ into the Microsoft Visual C++ Environment. This article is based upon basic assumptions presented in the previously mentioned article. It also addresses most problems encountered with projects from Command Line to MFC (Errors C1083, C1189, LNK1104, LNK2001, and LNK2005). Additionally, it provides tips and other niceties for using the Crypto++ Library.

Elliptic curve cryptography implementation in Crypto++

Crypto++ can be an intimidating library at times. The author finds the easiest method for getting a user started is by giving him or her a working CLI project. Multiple projects are presented with this article. They simply exercise the Crypto++ ECC Implementation on the command line. The samples build upon one another until a fully implemented demo is presented. The author chose this method because two of his favorite authors use it - Jeffrey Richter and W. Richard Stevens. The first sample should be considered ecctest160. ecc160test uses an Elliptical Curve over a 160 bit field. This is the equivalent of 1024 RSA moduli, or an 80 bit Symmetric Key. Some notes on the code below:

• CryptoPP::AutoSeededRandomPool rng contructs a Cryptographically Secure Pseudo-random Number Generator which is auto-seeded
• unsigned int PlainTextLength = PlainText.length() + 1 is used to capture the trailing '\0' of the string
• std::basic_string::c_str() is guaranteed to offer the trailing '\0' whereas std::basic_string::data() is not
• The try and various catch() statements have been omitted for clarity
• The throw std::string is present because a 0 length indicates an abnormal condition from the Crypto++ library
• The author prefers not to pollute the Global Namespace, so objects are brought in with the scope operator: std::string and CryptoPP::ECIES< CryptoPP::ECP >::PrivateKey rather than issuing using namespace std or using namespace CryptoPP

// From ecctest160


CryptoPP::ECIES< CryptoPP::ECP >::PrivateKey    PrivateKey;
CryptoPP::ECIES< CryptoPP::ECP >::PublicKey     PublicKey;
CryptoPP::AutoSeededRandomPool                  rng;

    // Curve and Key Initialization

    PrivateKey.Initialize( rng, CryptoPP::ASN1::secp160r1() );
    PrivateKey.MakePublicKey( PublicKey );

    // Key Validation

    //   Level 3 Validation (not 3 rounds)

    if( false == PrivateKey.Validate( rng, 3 ) )
    { 
        throw std::string( "Private Key Validation  Error"); 
    }
    if( false == PublicKey.Validate( rng, 3 ) )
    { 
        throw std::string( "Public Key Validation Error" ); 
    }

    // Encryptor and Decryptor

    CryptoPP::ECIES< CryptoPP::ECP >::Encryptor Encryptor( PublicKey );
    CryptoPP::ECIES< CryptoPP::ECP >::Decryptor Decryptor( PrivateKey );

    // Message

    std::string PlainText = "Yoda said, Do or do not. There is no try.";

    // Runtime Sizes...

    unsigned int PlainTextLength = PlainText.length() + 1;
    unsigned int CipherTextLength =
        Encryptor.CiphertextLength( PlainTextLength );
    if( 0 == CiphertextLength ) 
    { 
        throw std::string("plaintextLength is not valid (too long)"); 
    }

    // Scratch for Encryption

    byte* CipherText = new byte[ CipherTextLength ];

    // Encryption

    Encryptor.Encrypt( rng, reinterpret_cast<const byte*>
        ( PlainText.c_str() ), PlainTextLength, CipherText );

    // Scratch for Decryption

    unsigned int RecoveredTextLength =
        Decryptor.MaxPlaintextLength( CipherTextLength );
    if( 0 == RecoveredTextLength )
    { 
        throw std::string(
            "CipherTextLength is not valid (too long or too short)"); 
    }

    // Decryption Buffer

    char* RecoveredText = new char[ RecoveredTextLength ];

    // Decryption

    Decryptor.Decrypt( rng, CipherText, CipherTextLength,
        reinterpret_cast<byte*>( RecoveredText ) );

ecctest1 is a generalization of ecc160test. One can choose odd characteristic fields of F_p (where p>3 is a large prime) by #define ECC_FIELD CryptoPP::ECP for curves from 112 bits to 521 bits; and fields of characteristic two (F_2^m) for curves from 113 bits to 571 bits by #define ECC_FIELD CryptoPP::EC2N.

// From ecctest1


#define ECC_FIELD CryptoPP::ECP
// #define ECC_FIELD CryptoPP::EC2N


// Standard ECC Curves over GF(p)

//   Use when ECC_FIELD is CryptoPP::ECP

//

// #define ECC_CURVE CryptoPP::ASN1::secp112r1()

// #define ECC_CURVE CryptoPP::ASN1::secp112r2()

...
#define ECC_CURVE CryptoPP::ASN1::secp160r1()
...
// #define ECC_CURVE CryptoPP::ASN1::secp384r1()

// #define ECC_CURVE CryptoPP::ASN1::secp521r1()



// ECC Curves over GF(2)

//   Use when ECC_FIELD is CryptoPP::EC2N

//

// #define ECC_CURVE CryptoPP::ASN1::sect113r1()

// #define ECC_CURVE CryptoPP::ASN1::sect113r2()

...
// #define ECC_CURVE CryptoPP::ASN1::sect571k1()

// #define ECC_CURVE CryptoPP::ASN1::sect571r1()


int main(int argc, char* argv[]) {

    CryptoPP::ECIES< ECC_FIELD >::PrivateKey    PrivateKey;
    CryptoPP::ECIES< ECC_FIELD >::PublicKey     PublicKey;
    CryptoPP::AutoSeededRandomPool              rng;

    // Curve Key Generation

    PrivateKey.Initialize( rng, ECC_CURVE );
    PrivateKey.MakePublicKey( PublicKey );
    
    // Encryptor and Decryptor

    CryptoPP::ECIES< ECC_FIELD >::Encryptor Encryptor( PublicKey );
    CryptoPP::ECIES< ECC_FIELD >::Decryptor Decryptor( PrivateKey );

    ...

    return 0;
}

Using elliptic curves with user-defined domain parameters in Crypto++

Crypto++ supplies 31 predefined Elliptical Curves for use with ECIES (Elliptic Curve Integrated Encryption Scheme) as specified in ANSI X9.63. These curves range in size from 112 bits to 571 bits. Encrypting a 4 byte message with a 112 bit ECIES object produces a cipher text length of 53 bytes. Encrypting the same message with an ECIES object of 34 bits will produce a 35 byte cipher text. The large cipher text is due in part to the following: when using Crypto++, a CryptoPP::ECIES< CryptoPP::ECP > object is created. The CryptoPP::ECIES< CryptoPP::ECP >::Encryptor returns a cipher text object which is a tuple (V, C, T) consisting of the following components:

• temporary EC public key V
• encrypted message C
• authentication tag T (generated from message M)

It is very noteworthy that public key V is a temporary key. This provides a randomization of the Product Key. However, should the reader's binary fall to Reverse Engineering, a private key is compromised due to the decryption routine. The authentication tag T is derived from SHA-1. The SHA-1 block size is 160 bits. So the authentication tag accounts for approximately 160/8 or approximately 20 bytes of the cipher text object. The astute reader should realize another benefit of a Signature Scheme with Message Recovery at this point. More will follow later in this article with respect to authentication tag T paring. Ideally, the cipher text will be about 20 bytes. This will produce a key of 30 to 35 characters in length after Base Encoding the cipher text into a Product Key. Again, further reductions will be achieved later in the article.

Using elliptic curve builder to generate domain parameters

For this portion of the article, Elliptic Curve Builder (ECB) will be used to generate curves for use with the Product Keys. Many thanks to Marcel Martin for modifying his original Object Pascal code to accommodate this article. ECB can be downloaded here. A copy of the ECB version 1.0.0.6 is not included with the article. However, it is obtainable from Marcel's Ellipsa page. The author chose to use ECB rather than implementing a curve parameter generator due to the difficulty in determining the order of E(F_p). For reading on the subject, begin with 'Schoof-Atkin-Elkies Algorithm' and 'Elliptic Curve Point Counting Algorithm'.

Open ECB and click the leftmost blue thunderbolt. This will generate new curve parameters over F_p.

In the New Curve Parameters Over... Dialog Box, enter the following:

• Suitable Curve Size (minimum is 33 bits)
• Cofactor S max binary size of 2

A note on EC Domain Parameters and ECB: although the ECB editor displays Discriminant as 0, ECB begins its search at Discriminant + 1, so the parameter does not require modification. The ECB Discriminant value is for Complex Multiplication. This is a different Discriminant than that of Weierstrass equation of y² ≡ x³ + ax + b (mod p). A non-0 Discriminant is required for the later case in this Cryptosystem. Eventually, Crypto++ will check the condition 4a³ + 27b² !≡ 0 (mod p). For a complete list of required checks, see Certicom's accompanying document, SEC 1: Elliptic Curve Cryptography. Section 3.1.1.1, Elliptic Curve Domain Parameters over F_p Generation Primitive, is the appropriate area of the document.

Cofactor S max binary size is set to 2 because 2² = 4. According to the Certicom document, h ≤ 4 (S in ECB, h in EC literature). If the reader is inclined, a larger S can be selected. Marcel recommends at least 3, so a cofactor of 4 is available. If the user encounters cofactor S of 5, 6, or 7, he or she should regenerate the parameters. Note that NIST predefined curves specify a cofactor h = 1, 2, or 4 to speed calculations. Certicom requires that CEIL(log₂p) = {112, 128, 160, 192, 224, 256, 384, 521} for E(F_p). At this point, the article is well below the recommended minimum curve size of 112 bits for E(F_p). Use of E(F_p) 56 bit curves will be presented later in the article. A 56 bit curve is available for E(F_2^m). The exercise is left to the reader.

Next, select the tab entitled "Curve and Point." Click the yellow thunderbolt. The presented parameters are acceptable. Note that NIST curves use A = -3 to speed underlying mathematical operations.

Finally, click the green thunderbolt in the editor. This will produce G(x, y) points of Order R over the Curve E(F_p). Note that negative values are acceptable for either a, b, x or y. However, SEC1, Section 3.1.1.2.1 Elliptic Curve Domain Parameters over F_p Validation Primitive (check 2) states:

Check that a, b, x_G, and y_G are integers in the interval [0, p-1].

To facilitate the requirement, issue the following:

    // parameters are in the interval [0, p-1]

    a %= p; b %= p; x %= p; y %= p;

Copy and Paste the parameters into Visual C++ to avoid transcription errors.

ecctest2 exercises Crypto++ and the User Defined Domain Parameters. The essence of ecctest2 is below, as well as some notes:

• p, a, and b define the curve
• Base Point G is specified as a (x,y) coordinate

// From ecctest2


// Crypto++ Includes

#include "cryptlib.h"

#include "osrng.h"      // Random Number Generator

#include "eccrypto.h"   // Elliptic Curve

#include "ecp.h"        // F(p) EC

#include "integer.h"    // Integer Operations

int main(int argc, char* argv[]) {

    CryptoPP::AutoSeededRandomPool rng;

    // User Defined Domain Parameters

    CryptoPP::Integer p("11069481119");
    CryptoPP::Integer a("9891419326");
    CryptoPP::Integer b("3785846764");
    CryptoPP::Integer n("5534832397");          // R from ECB

    CryptoPP::Integer h("2");                   // S from ECB, must be <= 4

    CryptoPP::Integer x("53467489");
    CryptoPP::Integer y("1485849126");
    CryptoPP::ECP ec( p, a, b );
    CryptoPP::ECP::Point G( x, y );
    CryptoPP::ECIES< CryptoPP::ECP >::PrivateKey    PrivateKey;
    CryptoPP::ECIES< CryptoPP::ECP >::PublicKey     PublicKey;

    // Curve Initialization and Key Generation

    PrivateKey.Initialize( ec, G, n, h );
    PrivateKey.MakePublicKey( PublicKey );

    // Encryptor and Decryptor

    CryptoPP::ECIES< CryptoPP::ECP >::Encryptor Encryptor( PublicKey );
    CryptoPP::ECIES< CryptoPP::ECP >::Decryptor Decryptor( PrivateKey );
   
    // Message

    std::string PlainText = " ECC ";

    // Runtime Sizes...

    unsigned int PlainTextLength = PlainText.length() + 1;
    unsigned int CipherTextLength =
        Encryptor.Cipher=CiphertextLength( PlainTextLength );
    if( 0 == CiphertextLength )
    { 
        throw std::string("PlainTextLength is not valid (too long)"); 
    }

    // Scratch for Encryption

    byte* CipherText = new byte[ CipherTextLength ];

    // Encryption

    Encryptor.Encrypt( 
        rng, reinterpret_cast<const byte*>( PlainText.c_str() ),
        PlainTextLength, CipherText );

    // Scratch for Decryption

    unsigned int RecoveredTextLength =
        Decryptor.MaxPlaintextLength( CipherTextLength );
    if( 0 == RecoveredTextLength )
    { 
        throw std::string(
            "CipherTextLength is not valid (too long or too short)"); 
    }

    // Decryption Buffer

    char* RecoveredText = new char[ RecoveredTextLength ];

    // Decryption

    Decryptor.Decrypt( rng, CipherText, CiphertextLength,
        reinterpret_cast<byte*>( RecoveredText ) );

    // Diagnostics

    std::cout << "Recovered text (
        " << RecoveredTextLength << " bytes):" << std::endl;
    std::cout << "'" << RecoveredText << "'" << std::endl;

    return 0;
}

Below is a sample output with satisfactory parameters. The litmus test is definitive: the message decrypts.

Finally, I'll discuss a sample output with unsatisfactory parameters. Should a reader encounter similar, perform the following:

• Verify ECB parameters were correctly transcribed
• Generate new parameters with ECB.

Encoding a cipher text string in Crypto++

For encoding and decoding of the cipher text, this article will use both the Crypto++ base 64 encoder and base 32 encode. Better alphabet choices exist for Product Keys. For example, the following is a short list of alphabet constraints for Product Keys

• Key are formed over the alphabet A-Z and 0-9
• Keys are not case sensitive
• Do not use letters l (lowercase "L") or O (capital "o") (appear as numbers in some fonts)
• Do not use letters u and v (appear similar in some fonts)
• Do not use numbers 0 or 1 (appear as letters in some fonts)
• Print keys using a font created for text scanning (it is easier to distinguish characters)

Base Encoding expansion for Base64 encoding is approximately 35%, while expansion for Base32 encoding is approximately 60%. These estimates are based on a psuedo-randomly generated block of 16 * 1024 (16384) bytes. See the accompanying BaseExp for the program used to generate the sample block and calculate the expansions.

// From ecctest3


// Crypto++ Includes

#include "cryptlib.h"

#include "osrng.h"      // Random Number Generator

#include "eccrypto.h"   // Elliptic Curve

#include "ecp.h"        // F(p) EC

#include "integer.h"    // Integer Operations

#include "base64.h"     // Base 64 Encode/Decoder


int main(int argc, char* argv[]) 
{
    // User Defined Domain Parameters Omitted

    // ec, G, n, h


    CryptoPP::ECIES< CryptoPP::ECP >::PrivateKey    PrivateKey;
    CryptoPP::ECIES< CryptoPP::ECP >::PublicKey     PublicKey;

    PrivateKey.Initialize( ec, G, n, h );
    PrivateKey.MakePublicKey( PublicKey );

    // Encryptor and Decryptor

    CryptoPP::ECIES< CryptoPP::ECP >::Encryptor Encryptor( PublicKey );
    CryptoPP::ECIES< CryptoPP::ECP >::Decryptor Decryptor( PrivateKey );

    // Message

    std::string PlainText = " ECC ";

    // Runtime Sizes...

    unsigned int PlainTextLength = PlainText.length() + 1;
    unsigned int CipherTextLength = Encryptor.CiphertextLength( 
        PlainTextLength );
    if( 0 == CipherTextLength )
    { 
        throw std::string("plaintextLength is not valid (too long)"); 
    }

    // Scratch for Encryption

    byte* CipherText = new byte[ CipherTextLength ];

    // Encryption

    Encryptor.Encrypt( 
        rng, reinterpret_cast<const byte*>( PlainText.c_str() ),
        PlainTextLength, CipherText );

    // Base 64 Encoding

    CryptoPP::Base64Encoder Encoder;
    Encoder.Put( CipherText, CipherTextLength );
    Encoder.MessageEnd();

    // Scratch for Base 64 Encoded cipher text

    unsigned int EncodedTextLength = Encoder.MaxRetrievable();
    byte* EncodedText = new byte[ EncodedTextLength + 1 ];   
        // + 1 for NULL termination

    EncodedText[ EncodedTextLength ] = '\0';                
        // NULL Terminate


    // Base 64 Encoded cipher text

    Encoder.Get( EncodedText, EncodedTextLength );

    // Base 64 Decoding

    CryptoPP::Base64Decoder Decoder;
    Decoder.Put( EncodedText, EncodedTextLength );
    Decoder.MessageEnd();

    // Scratch for Base 64 Decoded cipher text

    unsigned int DecodedTextLength =  Decoder.MaxRetrievable();
    byte* DecodedText = new byte[ DecodedTextLength ];

     // cipher text is no longer Encoded 

    Decoder.Get( DecodedText, DecodedTextLength );

    // At this point, DecodedText = CipherText

    //   assert( DecodedTextLength == CiphertextLength );

    assert( 0 == ::memcmp( DecodedText, CipherText, CiphertextLength ) );

    // Scratch for Decryption

    unsigned int RecoveredTextLength = Decryptor.MaxPlaintextLength( 
        CiphertextLength );
    if( 0 == RecoveredTextLength )
    { 
        throw std::string(
            "CiphertextLength is not valid (too long or too short)"); 
    }

    // Decryption Buffer

    char* RecoveredText = new char[ RecoveredTextLength ];
    // Decryption

    Decryptor.Decrypt( rng, CipherText, CipherTextLength,
        reinterpret_cast<byte*>( RecoveredText ) );

     // Diagnostics

    std::cout << "Recovered text (
        " << RecoveredTextLength << " bytes):" << std::endl;
    std::cout << "'" << RecoveredText << "'" << std::endl;
}

ecctest3 is the driver for this portion of the article - Base64 encoding the cipher text. The results of running ecctest3 should be similar to below.

Product keys based on ECC

This (near anticlimactic) portion of the article discusses Feature Encoding. ecctest4.zip is the sample archive. Feature Encoding requires very few bytes. In the author's sample it is 4 bytes, as one unsigned int is used. Other notes on the code are:

• Message is now an unsigned int rather than a std::string
• Features is a bit mask values
• Magic is the final check to verify the Product Key is Valid

// From ecctest4


// The Features Available...

const unsigned int FEATURE_EVALUATION  = 0x01;  // 0000 0001

const unsigned int FEATURE_USE_SQUARES = 0x02;  // 0000 0010

const unsigned int FEATURE_USE_CIRCLES = 0x04;  // 0000 0100

const unsigned int FEATURE_USE_WIDGETS = 0x08;  // 0000 1000


 // 1010 1010 1010 1010 0000 0000 0000 0000

const unsigned int FEATURE_MAGIC = 0xAAAA << 16;

 // 1111 1111 1111 1111 0000 0000 0000 0000

const unsigned int FEATURE_MAGIC_MASK = 0xFFFF << 16;

int main(int argc, char* argv[]) 
{
    // User Defined Domain Parameters Omitted

    // ec, G, n, h

    CryptoPP::ECIES< CryptoPP::ECP >::PrivateKey    PrivateKey;
    CryptoPP::ECIES< CryptoPP::ECP >::PublicKey     PublicKey;
   
    PrivateKey.Initialize( ec, G, n, h );
    PrivateKey.MakePublicKey( PublicKey );

    // Encryptor and Decryptor

    CryptoPP::ECIES< CryptoPP::ECP >::Encryptor Encryptor( PublicKey );
    CryptoPP::ECIES< CryptoPP::ECP >::Decryptor Decryptor( PrivateKey );

    // Message

    unsigned int Features = 0;
    Features |= FEATURE_MAGIC;
    Features |= FEATURE_USE_WIDGETS;
    Features |= FEATURE_USE_SQUARES;

    // Runtime Sizes...

    unsigned int PlainTextLength = sizeof( Features );
    unsigned int CipherTextLength = Encryptor.CiphertextLength( 
        PlainTextLength );
    if( 0 == CipherTextLength )
    { 
        throw std::string("PlainTextLength is not valid (too long)"); 
    }

    // Scratch for Encryption

    CipherText = new byte[ CipherTextLength ];

    // Encryption

    Encryptor.Encrypt( rng, reinterpret_cast<const byte*>( &Features ),
        PlainTextLength, CipherText );

    // Base 64 Encoding

    CryptoPP::Base64Encoder Encoder;
    Encoder.Put( CipherText, CipherTextLength );
    Encoder.MessageEnd();

    // Scratch for Base 64 Encoded cipher text

    unsigned int EncodedTextLength = Encoder.MaxRetrievable();
    EncodedText = new byte[ EncodedTextLength + 1 ];
    EncodedText[ EncodedTextLength ] = '\0';

    // Fetch Base 64 Encoded cipher text

    Encoder.Get( EncodedText, EncodedTextLength );

    // Diagnostics...

    std::cout << "Encoded Text Before Tampering:" << 
        std::endl << EncodedText << std::endl;

    // Output

    if( FEATURE_EVALUATION  == (Features & FEATURE_EVALUATION ) )
    { 
        std::cout << "Evaluation Edition." << std::endl; 
    }
    if( FEATURE_USE_SQUARES == (Features & FEATURE_USE_SQUARES) )
    { 
        std::cout << "Operations are permitted on Squares." << std::endl; 
    }
    if( FEATURE_USE_CIRCLES == (Features & FEATURE_USE_CIRCLES) )
    { 
        std::cout << "Operations are permitted on Circles." << std::endl; 
    }
    if( FEATURE_USE_WIDGETS == (Features & FEATURE_USE_WIDGETS) )
    { 
        std::cout << "Operations are permitted on Widgets." << std::endl; 
    }
    std::cout << std::endl << "********************" << 
        std::endl << std::endl;

    // The folllowing introduces multiple random errors

    // Simulate guessing at a Product Key

    char ch = 'A';
    for( unsigned int i = 0; i < EncodedTextLength - 1; i += 3 )
    { 
        EncodedText[ i ] = ch++; 
    }

    // Diagnostics...

    std::cout << "Encoded Text After Tampering:" << std::endl << 
        EncodedText << std::endl;
   
    // Base 64 Decoding

    CryptoPP::Base64Decoder Decoder;
    Decoder.Put( EncodedText, EncodedTextLength );
    Decoder.MessageEnd();

    // Scratch for Base 64 Decoded cipher text

    unsigned int DecodedTextLength = Decoder.MaxRetrievable();
    DecodedText = new byte[ DecodedTextLength ];

    // Fetch Base 64 Decoded cipher text

    Decoder.Get( DecodedText, DecodedTextLength );

    // Scratch for Decryption

    unsigned int RecoveredTextLength = Decryptor.MaxPlaintextLength( 
        DecodedTextLength );
    if( 0 == RecoveredTextLength )
    { 
        throw std::string(
            "CipherTextLength is not valid (too long or too short)"); 
    }

    // Decryption Buffer

    unsigned int RecoveredText = static_cast<int>( -1 );    // 1111 ... 1111


    // Decryption

    Decryptor.Decrypt( rng, DecodedText, DecodedTextLength,
        reinterpret_cast<byte *>( &RecoveredText ) );

    // Output

    if( FEATURE_MAGIC != (RecoveredText & FEATURE_MAGIC_MASK ) )
    {
        throw( std::string("Invalid Product Key!") );
    }

    else
    {
        if( FEATURE_EVALUATION  == (RecoveredText & FEATURE_EVALUATION ) )
        { 
            std::cout << "Evaluation Edition." << std::endl; 
        }
        if( FEATURE_USE_SQUARES == (RecoveredText & FEATURE_USE_SQUARES) )
        { 
            std::cout << "Operations are permitted on Squares." << std::endl; 
        }
        if( FEATURE_USE_CIRCLES == (RecoveredText & FEATURE_USE_CIRCLES) )
        { 
            std::cout << "Operations are permitted on Circles." << std::endl; 
        }
        if( FEATURE_USE_WIDGETS == (RecoveredText & FEATURE_USE_WIDGETS) )
        { 
            std::cout << "Operations are permitted on Widgets." << std::endl; 
        }
    }
    return 0;
}

Results from running ecctest4 are shown below. ecctest4 Base64 encodes a Feature bit value rather than a string.

ecctest5 Base32 encodes the Features and formats the key.

The output above displays the execution of ecctest5. ecctest5 adds the following, shown in the code example below:

• Base 32 Encoding
• 'Pretty Printing' of the Base 32 Encoded cipher text
• Use of CryptoPP::DecodingResult to detect altered Product Keys

// From ecctest5


// Base 32 Encoding

CryptoPP::Base32Encoder Encoder;
Encoder.Put( CipherText, CipherTextLength );
Encoder.MessageEnd();

    ...

    // Pretty Print

    const unsigned int BREAK = 7;
    for(unsigned int i = 0; i < EncodedTextLength; i++)
    {
        if( 0 != i && 0 == i % BREAK )
        { 
            std::cout << "-"; 
        }
        std::cout << EncodedText[ i ];
    };
    std::cout << std::endl;

    ...

    // Decryption

    CryptoPP::DecodingResult Result =
        Decryptor.Decrypt( rng, DecodedText, DecodedTextLength,
        reinterpret_cast<byte *>( &RecoveredText ) );

    // Crypto++ Test

    if( false == Result.isValidCoding )
    { 
        throw std::string("Crypto++: Invalid Coding"); 
    }

To further reduce the size of the Product Key, this article creates a spurious authentication tag T for the cipher text object (C,V,T). Ideally, a 0 byte HMAC function would have been added to CryptoPP::DL_EncryptionAlgorithm_Xor(...). However, Microsoft's environment could not properly generate code with arrays of size 0. SecByteBlock<> caused too many C2229 compilations. errors.

As a compromise, TRUEHash was created. The hash returns the same value regardless of the message - 0x01. TRUEHash adds approximately 4 bytes of authentication tagging, T in the cipher text Object (C,V,T). Template specialization for TRUEHash is below. Note also the curve size is 58 bits, which is above Certicom's 56 bit minimum of SEC 1. 58 bits was chosen because it can be partitioned into aesthetically pleasing groups of 5.

// From ecctest6


// Crypto++ Includes

//   Expedient Implementation of a Near NULL Hash

#include "cryptlib.h"

#include "iterhash.h"


// TRUEHash

// A hash that always returns 0x01

// This is a Visual C++ workaround (possibly others)

// due to not being able to create a NULL HMAC class

// The NULL HMAC cannot compile due to a digest size of 0

// because of array sizing of 0 (major problems in SecByteBlock())

class TRUEHash : public CryptoPP::IteratedHashWithStaticTransform<
    CryptoPP::word32, CryptoPP::BigEndian, 32, 4, TRUEHash> 
{
    public:
    static void InitState(HashWordType *state)
    {
        state[0] = 0x01; return; 
    }
    static void Transform(CryptoPP::word32 *digest,
        const CryptoPP::word32 *data) 
    { 
        return; 
    }
    static const char *StaticAlgorithmName()
    {
        return "TRUE HASH";
    }
};

With the shim class in place, a new specialized ECIESNullT class< > was created. Notice the introduction of TRUEHash to DL_EncryptionAlgorithm_Xor< >.

// Crypto++ Includes

//   Template Specialization modification of

//   struct ECIES in ecccrypto.h

#include "pubkey.h"

#include "dh.h"

#include "sha.h"

#include "eccrypto.h"

#include "ecp.h"


template <class EC, 
    class COFACTOR_OPTION = CryptoPP::NoCofactorMultiplication,
    bool DHAES_MODE = false>
struct ECIESNullT
    : public CryptoPP::DL_ES<
    CryptoPP::DL_Keys_EC<EC>,
    CryptoPP::DL_KeyAgreementAlgorithm_DH<typename EC::Point, COFACTOR_OPTION>,
    CryptoPP::DL_KeyDerivationAlgorithm_P1363<typename EC::Point,
    DHAES_MODE, CryptoPP::P1363_KDF2<CryptoPP::SHA1> >,
    CryptoPP::DL_EncryptionAlgorithm_Xor<
    CryptoPP::HMAC<TRUEHash>, DHAES_MODE>,
    CryptoPP::ECIES<EC> >
{
    static std::string StaticAlgorithmName()
    {
        return "ECIES with NULL T";
    }
};

Running ecctest6 produces the following output:

And the corresponding results with a false key:

Bulk product key generation

ecctest7 exercises the ability to generate multiple cipher text Objects based on common curve parameters. Recall that ECIES parameters are the sextuple (p, a, b, Point G, n, h), where Point G is simply (x, y). This sample serves as proof of concept for the Key Generator and Key Validator.

KeyGen, as with ecctest7, exercises ECIES's property that a new, temporary key V is generated for each message M, producing a unique cipher text object (C,V,T) for each encryption operation. Note that the Decryptor has been dropped. It will exist in the validating software.

The perceptive reader should notice ECIES cipher text redundancy. The reader can further reduce the size of the generated Product Key by removing the redundant bytes after Base32 encoding before PrettyPrint.; and prepending and/or appending before the Base32 decoding, saving an additional 7 bytes of Base32 encoding. As a concrete example, a 56 bit curve produces a 31 byte key. 31 - 7 = 24, which groups aesthetically into six groups of four (xxxx-xxxx-xxxx-xxxx-xxxx-xxxx). Note that the additional bytes are required for decoding, but do not necessarily need to be keyed by the user.

The following is the Product Key generating program.

// From KeyGen (Key Generator)


// The Features Available...

const unsigned int FEATURE_EVALUATION  = 0x01;  // 0000 0001

const unsigned int FEATURE_USE_SQUARES = 0x02;  // 0000 0010

const unsigned int FEATURE_USE_CIRCLES = 0x04;  // 0000 0100

const unsigned int FEATURE_USE_WIDGETS = 0x08;  // 0000 1000

const unsigned int FEATURE_MAGIC = 0xAAAA << 16;
const unsigned int FEATURE_MAGIC_MASK = 0xFFFF << 16;

// Crypto++ Includes

// Expedient Implementation of a Near NULL Hash

#include "cryptlib.h"

#include "iterhash.h"


// TRUEHash

// A hash that always returns 0x01

class TRUEHash : public CryptoPP::IteratedHashWithStaticTransform<
    CryptoPP::word32, CryptoPP::BigEndian, 32, 4, TRUEHash> 
{
    public:
    static void InitState(HashWordType *state)
    { 
        state[0] = 0x01; return; 
    }
    static void Transform(CryptoPP::word32 *digest,
        const CryptoPP::word32 *data) { return; }
    static const char *StaticAlgorithmName()
    {
        return "TRUE HASH";
    }
};

// Crypto++ Includes

// Template Specialization modification of

// struct ECIES in ecccrypto.h

#include "pubkey.h"

#include "dh.h"

#include "sha.h"

#include "eccrypto.h"

#include "ecp.h"


template <class EC, 
    class COFACTOR_OPTION = CryptoPP::NoCofactorMultiplication,
    bool DHAES_MODE = false>struct ECIESNullT
    : public CryptoPP::DL_ES<
        CryptoPP::DL_Keys_EC<EC>,
        CryptoPP::DL_KeyAgreementAlgorithm_DH<typename EC::Point,
        COFACTOR_OPTION>,
        CryptoPP::DL_KeyDerivationAlgorithm_P1363<typename EC::Point,
        DHAES_MODE, CryptoPP::P1363_KDF2<CryptoPP::SHA1> >,
        CryptoPP::DL_EncryptionAlgorithm_Xor<CryptoPP::HMAC<TRUEHash>,
        DHAES_MODE>,
        CryptoPP::ECIES<EC> >
{
    static std::string StaticAlgorithmName()
    {
        return "ECIES with NULL T";
    }
};

// Crypto++ Includes

//   Required for main(...)

#include "cryptlib.h"

#include "osrng.h"      // Random Number Generator

#include "eccrypto.h"   // Elliptic Curve

#include "ecp.h"        // F(p) EC

#include "integer.h"    // Integer Operations

#include "base32.h"     // Encodeing-Decoding

#include "nbtheory.h"   // ModularSquareRoot(...)


int main(int argc, char* argv[]) 
{
    byte* CipherText = NULL;
    byte* EncodedText = NULL;
    CryptoPP::AutoSeededRandomPool rng;

    try 
    {
        // PlainText (Message M)

        unsigned int Features = 0;
        Features |= FEATURE_MAGIC;
        Features |= FEATURE_USE_WIDGETS;
        Features |= FEATURE_USE_SQUARES;

        // Runtime Sizes...

        unsigned int PlainTextLength = sizeof( Features );
 
        // User Defined Domain Parameters

        CryptoPP::Integer p("214644128745822931");
        CryptoPP::Integer a("0");
        CryptoPP::Integer b("-23719602096934623");
        CryptoPP::Integer n("71548043092139563");   // R from ECB

        CryptoPP::Integer h("3");                  // S from ECB, must be <= 4

        CryptoPP::Integer x("-35255913743814615");
        CryptoPP::Integer y("-71911853159754273");

        PrintCurveParameters( p, a, b, x, y, n, h ); std::cout << std::endl;

        CryptoPP::ECP ec( p, a, b );
        ECIESNullT< CryptoPP::ECP >::PrivateKey    PrivateKey;
        ECIESNullT< CryptoPP::ECP >::PublicKey     PublicKey;

        // Curve Initialization

        PrivateKey.Initialize( ec, CryptoPP::ECP::Point( x, y ), n );
        PrivateKey.MakePublicKey( PublicKey );
        ECIESNullT< CryptoPP::ECP >::Encryptor Encryptor( PublicKey );

        // No Need for ECIESNullT< CryptoPP::ECP >::Decryptor

        // in the Key Generator. The decrypting software will employ it.

        const unsigned int ITERATIONS = 128;
        for(int i = 0; i < ITERATIONS; i++ ) 
        {
            unsigned int CipherTextLength = Encryptor.CiphertextLength( 
                PlainTextLength );
            if( 0 == CipherTextLength )
            { 
                throw std::string("plaintextLength is not valid (too long)"); 
            }

            // Scratch for Encryption

            CipherText = new byte[ CipherTextLength ];
            if( NULL == CipherText )
            { 
                throw std::string( "CipherText Allocation Failure" ); 
            }

            // Encryption

            Encryptor.Encrypt( rng, 
                reinterpret_cast<const byte*>( &Features ),
                PlainTextLength, CipherText);

            // Base 32 Encoding

            CryptoPP::Base32Encoder Encoder;
            Encoder.Put( CipherText, CipherTextLength );
            Encoder.MessageEnd();

            // Scratch for Base 32 Encoded cipher text

            unsigned int EncodedTextLength = Encoder.MaxRetrievable();
            EncodedText = new byte[ EncodedTextLength + 1 ];
            EncodedText[ EncodedTextLength ] = '\0';

            // Fetch Base 32 Encoded cipher text

            Encoder.Get( EncodedText, EncodedTextLength );

            // Pretty Print 

            const unsigned int BREAK = 5; 
            for(unsigned int i = 0; i < EncodedTextLength; i++)
            {
                if( 0 != i && 0 == i % BREAK )
                { 
                    std::cout << "-"; 
                }
                std::cout << EncodedText[ i ];
            }
            std::cout << std::endl;

            // Cleanup

            delete[] CipherText;
            delete[] EncodedText;
        }

        catch( CryptoPP::Exception& e ) 
        {
            std::cerr << "Crypto++ Error: " << e.what() << std::endl;
        }

        catch( std::string& s ) 
        {
            std::cerr << "Error: " << s << std::endl;
        }

        catch (...) 
        {
            std::cerr << "Unknown Error" << std::endl;
        }
        return 0;
    }
}

Product key validation

KeyVal is the driver program that validates Product Keys. The reader should choose a Product Key from this article and use it as a parameter to Decryptor.Decrypt(...) after removing the Base32 encoding.

The reader should be aware of the side effects of casting a byte[] to an unsigned int*, as in excerpts from ecctest7 below. It is a C++ side-effect, not a Crypto++ effect.

// Conversion for Convenience

// Don't be fooled:

// RecoveredFeatures = static_cast<unsigned int>( *RecoveredText );

// only converts byte[ 0 ], not bytes[ 0 - 4 ]

// And you'll blame the mistake on Encryption\Decryption...

unsigned int RecoveredFeatures =
    *(reinterpret_cast<unsigned int*>( RecoveredText ) );

Securely saving key or activation state to the registry

Product Keys and Program Activation states can be securely saved to the Windows Registry. Please see An AES Encrypting Registry Class for a discussion and implementation.

Summary

Although this article does not present a concrete implementation of an Optimal Compact Product Key System, the groundwork for such a system has been outlined. By using ECIES as specified in IEEE 1363 and ANSI X9.63 and implemented in Crypto++, one can side-step most patent issues involved with Elliptic Curve Cryptography. However, there may be other implications in the application of ECC to the realm of Product Keys and Product Activations.

Acknowledgments

• Wei Dai for Crypto++ and his invaluable help on the Crypto++ mailing list
• Dr. A. Brooke Stephens who laid my Cryptographic foundations
• Marcel Martin for his work on ECB to facilitate this Article and critiques of the Article's EC description correctness
• Jason Smethers for his Elliptic Curve Sample, which served as an early basis for this article (see ecctest1)

Revisions

• 06.01.2007 Article edited and moved to the main CodeProject.com. article base
• 12.13.2006 Removed Setup Program Section
• 12.13.2006 Removed User Interface Design Consideration Section
• 12.11.2006 Updated Article Citation Links
• 11.26.2006 Added reference to Product Activation Based on RSA Signatures
• 11.26.2006 Added Generated Assembly Code of string::data() Cast
• 11.21.2006 Added reference to Product Keys Based on the Advanced Encryption Standard (AES)
• 11.18.2006 Uploaded DPVal (Domain Parameters Validation Program)
• 11.18.2006 Added Certicom requirement of a, b, x, y be in the interval [0, p-1]
• 11.16.2006 Updated Article Citation Links
• 11.16.2006 Added Note on Downloads
• 11.16.2006 Added Note on Reverse Engineering and Temporary Cipher Text Key
• 11.14.2006 Original Release

Checksums

ecctest1.zip
MD5: E3F55FCA3B94C0BB9DD69805E14C1D8C
SHA-1: 5E367F3FBF68CC0CF623C1CC774B64BE4A77F00E
SHA-256: 6EAB74049D7832A03049AFBFD5F951CD7774DFC03F6826D0EF92C0AC4E7053DE

ecctest2.zip
MD5: 190EA42556D3896D118D58C156BD4E8F
SHA-1: 4CD210D92D534B267C21E30F40B48407BC7310FC
SHA-256: C2042E1994ED602164E944FC8B42A9C20231D14E4D49284D17D91A0F37606405

ecctest3.zip
MD5: 8A1A8CD7466E802DDEBE83564F16AA2A
SHA-1: D15C38A00E10C44545B33B430983DD3E3DB1AF17
SHA-256: C7691BF5F2E4D74938C0DCF073F551EB473166E6F70317890CCEE275178EF046

ecctest4.zip
MD5: 3EDE37CBCBACE34B5915439A7B14EFC8
SHA-1: 5F01BAAF9BE1A8B5756C751E8D454C31EA266228
SHA-256: A4E8A74668979A2D633B77AB8432BB156069224A303EE572534DF8C16E9BDEAF

ecctest5.zip
MD5: D7FB9BB017722AD616701CC8D8AB09F0
SHA-1: C83297CDFFD756B8367D7998A6981CA175A43A5D
SHA-256: 748B06AE1BFDEB2522AE3714AC2D3EC7F5067DD8DF5A75119EA4995E30D940F6

ecctest6.zip
MD5: 8B8C65D08D51DBD3B7C02CAD5F95ABEA
SHA-1: 22C92DB0B114F4BA7B3431E7FE0CCA178813970C
SHA-256: B60925480D6342FEAE2E70FE4EC1EAC052443925E0E74EFF5D84B4D9EF3149C6

ecctest7.zip
MD5: D6789D5492CD7AB663E3082202465C25
SHA-1: 13696CF1FC6FCE5EE0FEFDE147C35CFCA28D1A2B
SHA-256: 4F68DD905D1AF9608FE72C29A3D4771EE7C0F4B9858408817F60D3154226712D

ecctest1to7.zip
MD5: 531D016FA1FB684B24609C0DC89756B5
SHA-1: 692E343B98446BD8CE5031B80F1F8B25BEF06177
SHA-256: 3836CF6917939E4EEA27D2EEA995A03FB8E71203607B66A9085E997FAD48AFA5

ecc160test.zip
MD5: 35B64712131821F4755D8D435B91A5DD
SHA-1: CC999725B434B627983F0BE0DCA603B38086E528
SHA-256: 7F43C899734F0E389F9C7B1496576F2C8C1569390FEFE23D23F40F43DB37BB07

You must Sign In to use this message board.

FAQ    Noise Tolerance Very HighHighMediumLowVery Low   Layout Expand Posts & RepliesThread ViewNo JavascriptNo JS + Preview   Per page 102550

Msgs 1 to 25 of 43 (Total in Forum: 43) (Refresh) FirstPrevNext

C# Sk8tz 2:18 18 Mar '09   Do you perhaps have a C# version, I need one ? Sk8tZ Sign In·View Thread·PermaLink That's not the way to do it! rbtx99 6:00 28 May '08   This article is a great example in using ECC/Crypto++ but is definitely not the right way to produce secure product activation codes. Product activation codes must be signed using the private key which should be kept private! The application then verifies them using the public key. Signing with the public key and verifying with the private as this article suggests only offers “security through obscurity” and not via secure cryptography since the public key can be calculated from the private. modified on Wednesday, May 28, 2008 1:40 PM Sign In·View Thread·PermaLink 4.40/5 (2 votes) Re: That's not the way to do it! Jeffrey Walton 19:49 28 May '08   Hi -A, > This article is a great example in using ECC/Crypto++ This was the main objective of the article. I framed it in a Product Key article to make it interesting. Also, Marcel's ECB is a very nice tool, so I wanted to bring attention to it. > product activation codes... Not an activation code... It's a product key (slight difference in Software Assurance circles). It would later need to be verified. > Product activation codes must be signed using the > private key which should be kept private! The application\ > then verifies them using the public key. The system does not use signing. Don't confuse ECIES with a signature system because it offers an authentication tag. > Signing with the public key and verifying with the private... Not only is it not suggested, 'signing with the private key' is not a cryptographic operation. > as this article suggests... Again, I definetly did not suggest it signing with the private key. > secure cryptography since the public key can be calculated > from the private. We do agree on a few points I've prototype lot's of code, including signing. Using Signatures is a trade off between cryptographic functionality and aestetics. For example, signature schemes are awful in the are of channel efficiency (i.e., 2 bytes in, 4 bytes out). The ideal system would be a Recovery system (versus Appendix). When I tested PSSR, signing 4 bytes using a 384 bit modulus (terribly weak), produced 85 bytes of Base32 encoded ciphertext. I don't know anyone who would be willing to key in 85 bytes as a product key. Other systems do exist, such as Quartz, which offer small signatures but do not have recovery. I wrote to the authors of Quartz about licensing and implementation details for this article. I never heard back from any of them. This leaves two systems: symmetric and asymmetric. Both suffer from the fact that the secret is revealed (either the shared or private key) during analysis. To nuetralize this (and the generator which would follow), we would use a Product Activation system. The cracker will [almost] never gain control of the server to issue valid tickets based on a key. In the end, if we pair activation with symmetric or asymmetric, we are assured our keys [a collection of which someone will certainly have] do not leak information - not everyone is a cracker. The crackers, who want to feather their cap with a keygen will not be able to get their keys validated (though they will create well formed keys). Jeff Sign In·View Thread·PermaLink Re: That's not the way to do it! ksc91u 9:48 31 Jan '09   http://groups.google.com/group/cryptopp-users/browse_thread/thread/8a96d95ac6cf99bc[^] If you don't want hackers to get private key->public key->keygen. Maybe you can hide base point G in the private key. Please see if my post helps. Sign In·View Thread·PermaLink DPVal not compiling veritas guy 8:09 11 Mar '08   The DPVal program you've included doesn't compile. Should the if statements be inside the loop? bool bResult = true; for( unsigned int B = 1; B < 20 && true == bResult; B++ ) { bResult |= ( 1 != CryptoPP::a_exp_b_mod_c( p, B, p ) ); } if( true == bResult ) { std::cout << "p^B != 1 (mod n) for any 1 <= B < 20... OK" << std::endl; } else { std::cout << "** p^B = 1 (mod n) for B = " << --B << " **" << std::endl; } Also, could you give us an example of when ECC parameters wouldn't be valid? Sign In·View Thread·PermaLink Re: DPVal not compiling Jeffrey Walton 8:16 11 Mar '08   Hi Veritas guy, veritas guy wrote: The DPVal program you've included doesn't compile. The location of an if statement should not cause a compilation problem. What compilation errors are you receiving? veritas guy wrote: Also, could you give us an example of when ECC parameters wouldn't be valid? Pick a curve where the field is not prime. Jeff Sign In·View Thread·PermaLink Re: DPVal not compiling veritas guy 8:45 11 Mar '08   It says B is an undeclared identifier. Because 'B' is a local variable declared inside the for loop, for( unsigned int B = 1 and then it's used (decremented for whatever reason) in the else statement outside the loop: << --B << Sign In·View Thread·PermaLink Re: DPVal not compiling Jeffrey Walton 8:50 11 Mar '08   Hi veritas guy, veritas guy wrote: It says B is an undeclared identifier. Because 'B' is a local variable declared inside the for loop I believe I worte that with VS7.0 or 7.1. I think VS8.0 is a bit more strict. Move the B outside of the loop... Jeff Sign In·View Thread·PermaLink asymetric keys Atuin the Great 13:38 8 Feb '07   I like the tutorial, but I have some questions: 1. Normally in asymmetric encryption, you use the private key to sign a key/license and only put the public key into the application to validate that key/license. In these examples hoewever, the private key is used to decrypt the key, and is thus known in the client application. 2. As the parameters which define the elliptic curve are (in plain-text) in the client application, they could be extracted easily. Why use asymmetric encryption if you have to put all parameters of the curve you use inside the client application? The idea of asymmetric encryption, where the private key stays hidden, looks totally defeated. I'm probably missing something here, could you comment on this? Sign In·View Thread·PermaLink 1.00/5 (1 vote) Re: asymetric keys Jeffrey Walton 9:18 9 Feb '07   Hello Atuin, I'll do the best I can. Atuin the Great wrote: 1. Normally in asymmetric encryption, you use the private key to sign a key/license and only put the public key into the application to validate that key/license. I'm not aware of any Standard Practice. Researching on the web and the library have not turned up too much reading for me. This includes patenet searches. This was part of the motivation for placing something out there. Atuin the Great wrote: Normally ... you use the private key to sign a key/license Can you offer a reference? I'd very much like to read it. I'm especially interested in the 'what' - what others recommend encrypting or signing. Atuin the Great wrote: In these examples hoewever, the private key is used to decrypt the key, and is thus known in the client application. The desired solution is PSSR, but PSSR produces Product Keys which are too large for a human user to key. Some metrics using RSA can be found PSSR (RSA) Metrics [^]. In the cited post, Jens Peter Secher offers using a modified MD5 (using 32 bits IIRC), which save approximately 80 bits on the message length. Atuin the Great wrote: 2. As the parameters which define the elliptic curve are (in plain-text) in the client application Again, prototype code to demonstrate the system. I think placing the curve paprameters in the EXE as encrypted binary parameters would have lessened readability. Also, to be technically correct, the curve can stay plaintext, but one would guard the Point. The whole problem of ECC is based on discrete log and the scalar multiply. Atuin the Great wrote: The idea of asymmetric encryption, where the private key stays hidden, looks totally defeated. By using ECC (or RSA, or even a Symmetric Cipher), the keys do not leak information. So they don't fall to various ciphertext or plaintext attacks. Again, you might want to look at PSSR (or any Signature Scheme with Recovery) for a solution. You may also want to look at a few of the other reader's comments below. Jeff Sign In·View Thread·PermaLink 1.00/5 (1 vote) Re: asymetric keys Jeffrey Walton 8:59 28 May '07   Hi Autin, You might also like Tamper Aware and Self Healing Code[^]. Jeff Sign In·View Thread·PermaLink about ECB fengrxr007 23:32 28 Nov '06   Hi, Jeffrey, tons of thanks for this great job. it's really really nice. BTW, http://www.ellipsa.net/ seems down. I can not open it. could you send me a copy of ECB? best regards fengrxr@gmail.com Sign In·View Thread·PermaLink 1.00/5 (1 vote) Re: about ECB Jeffrey Walton 6:05 29 Nov '06   Hi fengrxr007, It appears to be up. BTW, I wanted to include ECB v.7 as a download just in case, but Marcel wanted otherwise (I can't blame him). Jeff Sign In·View Thread·PermaLink 1.00/5 (1 vote) Re: about ECB fengrxr007 16:39 29 Nov '06   I still can not open the site for ECB, could you send me a copy of the ECB version 1.0.0.6 ? I want to test some new parameters. thanks in advance. fengrxr@126.com Sign In·View Thread·PermaLink 2.00/5 (1 vote) Re: about ECB Jeffrey Walton 9:52 5 Dec '06   Hi, Please write to Marcel at info@ellipsa.net. He asked that I not distribute his application. Jeff Sign In·View Thread·PermaLink Re: About ECB Jeffrey Walton 8:59 28 May '07   Hi Fengrxr, You might also like Tamper Aware and Self Healing Code[^]. Jeff Sign In·View Thread·PermaLink Am I missing something? Kanangra 17:48 28 Nov '06   Thanks for the article. It seems you are encrypting your keys using the ECC Public Key and then decrypting them using the Private Key. However if I have the parameters for the Private Key then I can generate a valid Public Key from it. So if I have the necessary parameters for the private key to decrypt my license embedded in my application someone can disassemble my app and simply create a public key. To test this I modified your KeyVal app which decrypts a key and simply inserted the following code segment into your KeyVal code after initializing the Private key. The added code generates a public key from the private key then uses that to encrypt a license key. The generated key then validates without any problems. Am I missing something? ///### Cracking // { byte* CipherText = NULL; byte* EncodedText = NULL; // PlainText (Message M) unsigned int Features = 0; Features |= FEATURE_MAGIC; Features |= FEATURE_USE_WIDGETS; Features |= FEATURE_USE_SQUARES; // Runtime Sizes... unsigned int PlainTextLength = sizeof( Features ); ECIESNullT< CryptoPP::ECP >::PublicKey PublicKey; PrivateKey.MakePublicKey( PublicKey ); ECIESNullT< CryptoPP::ECP >::Encryptor Encryptor( PublicKey ); unsigned int CipherTextLength = Encryptor.CiphertextLength( PlainTextLength ); if( 0 == CipherTextLength ) { throw std::string("plaintextLength is not valid (too long)"); } // Scratch for Encryption CipherText = new byte[ CipherTextLength ]; if( NULL == CipherText ) { throw std::string( "CipherText Allocation Failure" ); } // Encryption Encryptor.Encrypt( rng, reinterpret_cast( &Features ), PlainTextLength, CipherText ); // Base 32 Encoding CryptoPP::Base32Encoder Encoder; Encoder.Put( CipherText, CipherTextLength ); Encoder.MessageEnd(); // Scratch for Base 32 Encoded Ciphertext unsigned int EncodedTextLength = Encoder.MaxRetrievable(); EncodedText = new byte[ EncodedTextLength + 1 ]; EncodedText[ EncodedTextLength ] = '\0'; // Fetch Base 32 Encoded Ciphertext Encoder.Get( EncodedText, EncodedTextLength ); const unsigned int BREAK = 5; for(unsigned int j = 0; j < EncodedTextLength; j++) { if( 0 != j && 0 == j % BREAK ) { std::cout << "-"; } std::cout << EncodedText[ j ]; }; std::cout << std::endl; PrettyPrintEncodedText = (char*)EncodedText; // Cleanup delete[] CipherText; delete[] EncodedText; } Sign In·View Thread·PermaLink 5.00/5 (1 vote) Re: Am I missing something? [modified] Jeffrey Walton 6:15 29 Nov '06   Hi Kanangra, Physical security is always a problem with a distributed binary. To mitigate, look st SecByteBlock. The NSA solves the Physical Security problem by locking a computer in a room, and placing an armed guard at the door. > someone can disassemble... The fellow who can do this (remember, they have to deal with the Crypto++ ECC internal representation as well) is probably going to purchase the software. They may be able to patch the binary (this is the most likely attack vector), but I don't think they will produce a Key Generator. To convince yourself, I can send you a hardened version of the EXE (SecByteBlock with a limited lifetime on Private Key exposure. I'll observe due diligence, and encrytpt it. It will _only_ add 1 level of obfuscation, but the parameters won't be hanging out there in plain text.) BTW, I don't believe in 'security through obscurity'. I try to do the best I can with what I have available. Jeff Sign In·View Thread·PermaLink Re: Am I missing something? altera 8:13 29 Nov '06   Hi Jeff, Thanks for this great article. I studied it closely yesterday and came to the same conclusion as the OP. Having the private key inside an application is a big mistake. Someone *WILL* hack it and create a key generator. I've seen it happen to one of my applications. Which basically leaves us with the Signature with Message Recovery option. Crypto++ seems not to support that with ECP. I've asked about it on the mailing list. http://www.mail-archive.com/cryptopp-list@eskimo.com/msg02974.html Hopefully they'll have some ideas for us. Sign In·View Thread·PermaLink 4.50/5 (3 votes) Re: Am I missing something? Jeffrey Walton 9:58 5 Dec '06   Hi Altera, The other thing that is note worthy: The setup program would use the private key. The main program would not. Hopefully when the cracker fires up SoftIce, the setup program will not be the target. I did not want to digress to a Cracker/Protectionism argument. Fravia give plenty of ideas if you can find his archive of essays. Jeff Sign In·View Thread·PermaLink Re: Am I missing something? Jeffrey Walton 0:24 13 Dec '06   Hi altera, > Someone *WILL* hack it and create a key generator... Don't feel bad - I used NuMega's SoftICE (and other products such as BoundsChecker) for years because of KeyGens floating around. > Someone *WILL* hack it and create a key generator... Physical Security... Product Activations can help mitigate: even if a key generator is developed, if the keys are not in the database, the Activation Server can refuse to sign. I firmly believe the attack vector will be patching the application so that IsRegistered() or IsWidgetAvailable() always returns true. I don't think a good grasp will be attained until the OS provides support - enforcing checksums, not allowing new (arbitrary) checksums to be written into a header, and the like. But Microsoft seems to suffer from a different flavor of piracy than those of independent developers and KeyGens. > Hopefully they'll have some ideas for us. Responses are hard to get at times (as you can see). I try to answer what I can, but I'm not an expert. It would be nice if Wei could participate more. I was hesitant to let the articles go (ECIES and AES) because of the Physical Security problem. What we accomplish in using a proven underlying technology: we don't have a weak scheme (such as a linear XOR transformation), and the keys do not leak information. These keys will not fall to differential cryptanalysis. I apologize I could not be of more help. Jeff Sign In·View Thread·PermaLink Re: Am I missing something? Jeffrey Walton 9:01 28 May '07   Hi Altera, You might also like Tamper Aware and Self Healing Code[^]. Jeff Sign In·View Thread·PermaLink 1.00/5 (1 vote) Re: Am I missing something? Kanangra 11:32 29 Nov '06   But the whole point of using public key cryptography is that it (potentially) allows you to avoid embedding the parameters you need to generate licenses in the application. If this is not the case you might as well use DES - it will be a whole lot simpler to implement and just as secure. Sign In·View Thread·PermaLink 5.00/5 (3 votes) Re: Am I missing something? Jeffrey Walton 10:00 5 Dec '06   Hi Kanagra, The other thing that is note worthy: The setup program would use the private key. The main program would not. Hopefully when the cracker fires up SoftIce, the setup program will not be the target. I did not want to digress to a Cracker/Protectionism argument. Fravia gives plenty of ideas if you can find his archive of essays. Jeff Sign In·View Thread·PermaLink 1.00/5 (1 vote) Re: Am I missing something? Jeffrey Walton 8:58 28 May '07   Hi Kanangra, You might also like Tamper Aware and Self Healing Code[^]. Jeff Sign In·View Thread·PermaLink 1.00/5 (1 vote)

Last Visit: 18:58 9 Jul '09     Last Update: 18:58 9 Jul '09 12 Next »