How to secure cryptography keys

Question

5.00/5 (1 vote)

See more:

, +

I have an application which will be used by various users, when user will start using the application it will generate one license file(encrypted) at the location where it is getting installed, and for each time application runs it will decrypt the file, will validate all parameters and update few of them according to the result of validation and will encrypt the updated file.

Here is one real problem giving pain, that every time the application runs it needs encryption keys(AES) to encrypt and decrypt, and the key is hard-coded within my .NET dll. so there is a possibility that user can extract the key and change the license parameters to run the application.

So my concern is how to protect the file from being tampered? Is there any way that i can put few of important license parameters some other location instead of keeping it in file? How to keep the encryption keys secure and safe from fraudulent activities? Application is in purely offline.

Kindly give me your valuable suggestion and insights.

Thanks in advance

Posted 15-Nov-14 3:40am

Debanshu Chatterjee

Add a Solution

Comments

[no name] 15-Nov-14 10:23am

E.g. bind your key against some System properties like mac adress, hard disk id and so on.

+ Little bit more safe
- Needs more Administration from your side. Not comfortable for customer to Transfer your app to other pc

[no name] 15-Nov-14 10:29am

Verify your keys over a server connection as such TCP/UDP. You could encrypt the contents of the keys from the server; so you can scrap the idea of storing it in a file. I currently sell software to allow you to do this.

gggustafson 15-Nov-14 10:40am

1. OP specifically stated that the application was offline.

2. Do not commercialize this site.

[no name] 15-Nov-14 10:51am

1.) && 2.) = 5 :)

Philippe Mori 15-Nov-14 22:45pm

Depending on the application it might be easier to simply bypass validation code altogether particulary if the application itself is not obfuscated.

As other have mentionned, if the information is bind to a specific machine then even it might be hard to find information required even if you know the key as you won't know the information to write on another PC (given that information is not in plain text so that the user don't know which information was used and how it was encoded particulary. If the encoding is done remotly, then it become much harder to bypass the system as you won't be able to try it on a lot of system (since you would have to pay for each activation).

3 solutions

Solution 2

As you might have noticed, most of the manufacturers use the following architecture/flow for licensing:
1) User gets a generic installer, without any licensee related information within. He/she installs the application.
2) There is a code within and/or in a separate bundled application, that retrieves the system specific information like the ones OriginalGriff has written about (have a look here: How To Get Hardware Information (CPU ID, MainBoard Info, Hard Disk Serial, System Information , ...)[^])
3) Now you have several ways to send send this data to you (any or all).
3a) Online - but you say it is offline
3b) Via a web page: you prepare a file with those information (either encrypted or not actually makes no difference, but should have defined a structure, can be an XML for example), the user saves it to a pendrive, and uploads it to your server on an online machine
3c) You make a 10-20 character long machine specific hash from that information, and which can be manually entered on your online site
3d) 3b-3c but you ask the user to send the info to you by email
4) You add some fixed data (salt) to the information you got and generate a hash. This hash is the license code itself.
5) You send this hash back on the channel of your or user's choice
6) In case of 3b-3c you need to ask the user to enter the license code in your application, and you store it in the registry. In case of 3a this can be done automatically.
7) On application start, you gather again all info, add the same salt, generate the hash, and compare. If matches, the license is valid.
8) If there is an expiracy, you should store it separetely in the registry and on your side also, but when generating and validating the hash, you have to add that too.
[Update:]
You can add a higher level of protection using PKI, but won't really be usable as manually enterable code.
9) Generate a publik key-private key pair. Add the public key to teh code, and keep the private code for you.
10) When generating the license code, sign it with your private key, and attach the signature (you can combine in a single structured file)
11) When reading the license code, validate the attached signature first using the public key in your code. If the validation fails, no need to check further.

[Update 2:]
You can not delegate your duty to provide the actual license to the other end of the chain. So if your intention was never to interact in any form with the licensee, than that has no sense. Even if you can protect the file from being tampered, the starting point of your assumtion is wrong: the user can use the original installer to install your application as many different systems as he wants. And that can't be made on-time only, that one can't destroy itself and all it's copies after first installation.

Posted 15-Nov-14 5:32am

Zoltán Zörgő

Updated 15-Nov-14 11:52am

v3

Comments

gggustafson 15-Nov-14 13:34pm

So you are suggesting that the application license key (hash) be stored in the registry? (Note that is a file.)

Zoltán Zörgő 15-Nov-14 14:59pm

Yes, but I don't understand your note. The registry is actually not a single file, but that does not matter. For the salt you can use for example the hash of one of your code dll-s, or the version number of your application. This way you can also link the license to version - but in such case you have to take other things in consideration.

gggustafson 15-Nov-14 16:55pm

OP asked for a method other than storing the license in a file.

Admittedly, the registry is a hive but it is still accessed just like a directory structure. I do not see a response to OP's original question.

Zoltán Zörgő 15-Nov-14 17:20pm

I don't get your point. OP's question has nothing to do with how the license information is accessed, but the concerns that a file/any anything like a file can be tampered. That's true. Security through obscurity does not work. Thus trying to hide something (or trying to prevent tampering a file) on client side is not a good approach. But see my addition.

gggustafson 15-Nov-14 17:35pm

Please see my solution. I think we are discussing a non-existent point.

Zoltán Zörgő 15-Nov-14 17:52pm

Yes, yours :)

Solution 3

I fear that you have imposed a restriction (offline) that causes your question to be answered by "you can't". Your question intrigued me and as a result of a rather extensive search of Internet sources, I have now concluded that you need to admit the use of an online service to achieve your ends.

Of particular interest is Adding Licensing to Your App[^]. I realize that this reference applies directly to the development of a certain class of mobile applications; however, I believe that you can modify the reference's contents to meet your needs.

There is another option and that is to purchase a license for a licensing scheme.

Sorry I can't be of further help. Good luck.

Posted 15-Nov-14 11:32am

gggustafson

Comments

Zoltán Zörgő 15-Nov-14 17:42pm

Being offline does not mean that there is never and absolutely no communication between the two parties. If this is the actual requirement, than you'r right. But I don't see this as excluded in OP's original post.

Debanshu Chatterjee 16-Nov-14 4:53am

Actually the product will be used where internet connection is restricted, so there are no way to generate random keys each time application runs, I have to keep same key for the applicaton's lifetime because every time application will run it will update the license file.

gggustafson 16-Nov-14 12:17pm

Do you supply an installation disk for the product? Do you have control over what is in each installation? If so, you might consider a method similar to that used by Microsoft.

1. Generate a random 20 character alphanumeric license key (all uppercase, omitting characters that might be confused such as "I" (eye), "1" (one), "O" (oh), "0" (zero), etc.).
2. Within the distribution media, place a hidden file that contains an encrypted value of that license key.
3. In the installation documentation, display the unencrypted license key.
4. During installation, query the user for the unencrypted license key displayed in the installation documentation.
5. Compare the encrypted license key in the hidden file with an encrypted version of what the user entered.
6. If the two are the same, continue with installation; otherwise, re-query the user for the license key.

The installation media for each issuance of the product will have different keys and contents. The process protects you against a thief who obtains your product installation disk but not the media documentation.

If your sales process includes a telephone call, then you can secure your product for an individual machine by adding machine specific information as a salt to the license key. That way, even if a thief has a copy of the complete media, the product cannot be installed on any machine other than the one originally targeted. For example, the command line wmic command provides information about the machine on which it is executed.

The user enters the command wmic baseboard list brief in a command window and provides your representative with the serial number. On my machine, executing that command displays

Manufacturer Model Name Product SerialNumber SKU
Intel Corporation Base Board D945GCL BTCL70900KXZ

You can obtain a list of switches and aliases from wmic /?.

Now the distribution media contains a machine specific distribution.

Hope that helps.

Debanshu Chatterjee 17-Nov-14 4:50am

@gggustafson
Thanks for such a quick reply. Even i was thiknking doing like the way you said. :)

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Accepted Answer · 2014-11-15T04:33:00

Solution 1

Simple: don't encrypt. If you don't encrypt, there is no key, so no way to work back.
Instead, use Hashing - SHA is good - it converts the "licence info" you collect from the PC into a specific code which you then compare against the stored value.

The key is long enough (and random looking enough) to be impossible to work out what it should be for a different computer. And me? I'd make it look encrypted with a pile of random stuff which my code ignored, and a header saying "DES-3512" to get them trying to decrypt unencrypted data...

Posted 15-Nov-14 4:33am

OriginalGriff

Comments

gggustafson 15-Nov-14 10:47am

I agree with the intent.

However, for an application hosted on many machines, I do not think you have answered the question - where to store the license information against which you make the comparison? I can only think of an installer process tat would imbed the "license info" into a location within the dll. Then we know what the location is. However, that method does not allow dynamic distribution of a license.

OriginalGriff 15-Nov-14 10:57am

You don't - you gather information about the machine it's allowed to run on (Processor ID, HDD serial, MAC, that kind of details, combine it with the public expiry date (or whatever you are using) and generate a hash key from that. Then each time it runs, you gather the same info, and generate a new hash key: if they match all is fine. If they don't...

gggustafson 15-Nov-14 11:00am

And how do you know that "this machine" is one on which the application is allowed to run? And once you know that, how to you store that information securely - the OP's original question?

OriginalGriff 15-Nov-14 11:11am

That's up to him and his company: I'd assume that (since this is offline) they have to call with the relevant info string and a unique ID on the software packaging.

But I can't tell him what to do about the physical security of his installation media! :laugh:

gggustafson 15-Nov-14 13:34pm

You still have not answered OP's original question - how to store the key against which to make the comparison.

OriginalGriff 15-Nov-14 13:56pm

I assume that anyone who can create an app that needs a licence can probably cope with reading and writing files...

[no name] 15-Nov-14 11:13am

I would imagine that the Licensee would be issued a license based on his machine hardware by the license provider. That's the only way this can be done offline by this solution. Which is why i rated it 5. There is simply no way to do secure licensing offline.

This is why I suggested earlier to use an encrypted service to handle the encryption from an online server which would be the best way by far.

If the OP wants an offline method, the only way to do it is by this solution and providing the license directly to the licensee based on the users credentials.

gggustafson 15-Nov-14 13:40pm

I disagree. Sometime in the prehistory of computing (1998) I architected a firewall for a local company. The administrative functions were performed on a Windows based machine. The firewall itself ran under Linux. However, under C and Linux, thanks to a modifiable OS, we stored the key within the executable of the firewall itself. I realize that self-modifying code is anathema, but, it solved an otherwise difficult problem. The software was proprietary even though it was freely distributed to our customers.

Still, I think OP would like to avoid self-modifying software. And as a result, I see no answer that has been so far proposed.

[no name] 15-Nov-14 11:03am

Great answer, you got my 5+

Debanshu Chatterjee 16-Nov-14 4:34am

@gggustafson,
What do you mean by keeping secret key within the executable, does it really give protection from fraudulent injection of malicious code? Please clarify, thanks.

OriginalGriff 16-Nov-14 4:38am

He's talking about code which modifies it's own executable file in order to store the secret key within it.
It's an old idea, but it's seriously frowned upon these days - particularly by anti-virus packages which tend to assume that your app is a virus...
I wouldn't recommend it.