0x01AA wrote: I don't agree. If I encrypt the hash with my private key, the application can still check the encrypted hash with its public key.
Signing is a bit more complex than hashing and encrypting. Yes, your app can decrypt the hashcode and verify, but what's the use? Most Linux apps simply state the MD5 publicly, just because it doesn't need to be a secret.
0x01AA wrote: I agree completely. That is the other part which gives me a headache, because I think it always ends more or less with a final something like if(lic)
You're thinking in terms of security. Think of the worst thing you could encounter when trying to break it.
Imagine a non-descript class, initialized with some weird defaults. Next, pick a random "if" in your application (one that breaks the app if done wrong) and add a check for the weird default of the non-descript class. Multiply ints for positioning controls by a random letter from Application.ProductName, and divide by a similar constant grabbed elsewhere. Consider it obfuscation of that single "if (lic)" statement. Check the Weird & Wonderful forum for some nice pieces of code with weird side-effects or hard to read statements. Make it look like a bug, not security!
You will hate me for the suggestion if you have to do some maintenance though
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
"If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
Thank you very much again.
Quote: You will hate me for the suggestion if you have to do some maintenance though
I did something similar in the past (about 20 years ago), where I used an array of function pointers, "bad" ones and "good" ones. After some years I had to maintain it and I hated myself for this code.
The big difference this time is
a.) In the past I only needed to prevent unauthorized use of our application. In fact I could also hide the decision "by time"; I mean it was no problem to check for legal use and stop the application later, after about (random) 1...10 minutes.
b.) This time I need to prevent unauthorized use of protected data. So I need to take the decision immediately. But as you mentioned, obfuscating the decision is more or less the only way.
It does not solve my problem, but it answers my question
modified 19-Jan-21 21:04pm.
0x01AA wrote: I Need to prevent from illegal
There are cost-effective ways to do so, and we do have articles on the subject. There's no way to get a 100% guarantee.
If it "really" needs to be protected, don't distribute it - host it
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
"If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
0x01AA wrote: Is there a difference related to "hackable" between this two ways of signing a message:
That is the wrong question.
It isn't whether a method is secure or not.
The real question is what does a bad actor want to do? What is their objective?
So for example in terms of email do they want to inject a false message in the stream or do they just want to see the emails. I would suspect most of the time it is the latter not the former. And so all they need is access to the client machine and some way to capture the content that the client machine will display. Or even using the client machine to determine the sender's machine and hacking that machine instead.
A couple of years ago a security firm, a firm whose entire business model was based on making other companies more secure, was hacked because one of the top level execs responded to an email phishing attempt that was generated internally from another hacked email account. Certainly in that case even if both accounts were encrypted and signed it wouldn't have mattered, because the bad actors had already gotten access to the one email account, and then it was lax process (not technology) that allowed the break.
Hi,
The best article I've ever seen here on codeproject for generating product activation keys is here:
Product Activation Based on RSA Signatures[^]
It's using elliptic curve cryptography and supports tag-bits if you want to fingerprint the hardware. Even here in 2018 the technique he is using is very secure. It's not much different than what's being used to generate your operating system activation keys. In fact it's superior to the Windows product key generation algorithm if you embed the hardware fingerprint.
Best Wishes,
-David Delaune
Edit:
Sorry, I gave you the wrong article. The article I am referring to is here:
Product Keys Based on Elliptic Curve Cryptography[^]
I noticed a few years ago that it became marked as deleted. Not sure why... it's an extremely good article.
modified 12-May-18 18:51pm.
Thank you very much for this.
It does not solve my problem, but it answers my question
modified 19-Jan-21 21:04pm.
Hi,
Beware that the algorithm that is being used in ECB[^] to generate curves appears to have changed. If you look at the algorithm instructions in IDA Pro/Hex-Rays[^] it's completely different from the older builds from a decade ago. I am not skilled enough in mathematics and crypto to understand why the changes I am seeing have been made. Also I don't see a Windows build on his site anymore.
You can skip the steps for generating curves and just use one of the NIST recommended FIPS 186-4 curves[^]. The curve properties are near the bottom of the document.
Best Wishes,
-David Delaune
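Added example (my own code, not from the articles linked above and not from any poster): the signature-based product key this thread is about, on NIST P-256 from FIPS 186-4 as suggested, with the hardware fingerprint ("tag bits") bound into the signed payload. It also shows the earlier point that a signature is not an "encrypted hash" that the app decrypts. The function names, the customer string and the fingerprint bytes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// GenerateLicensorKey makes the licensor's signing key on NIST P-256, one of the
// FIPS 186-4 curves, so no curve-generation step is needed. The private key stays
// with the licensor; only the public half is embedded in the shipped application.
func GenerateLicensorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// payload binds the key to a customer and to hardware "tag bits" (a fingerprint).
func payload(customer string, hw []byte) []byte {
	return []byte(customer + "|" + base64.StdEncoding.EncodeToString(hw))
}

// Issue creates the product key: an ECDSA signature over SHA-256 of the payload.
// This is a signature, not an "encrypted hash"; nothing here can be decrypted.
func Issue(priv *ecdsa.PrivateKey, customer string, hw []byte) (string, error) {
	d := sha256.Sum256(payload(customer, hw))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(sig), nil
}

// Verify is the check the application performs with the embedded public key.
func Verify(pub *ecdsa.PublicKey, customer string, hw []byte, key string) bool {
	sig, err := base64.RawURLEncoding.DecodeString(key)
	if err != nil {
		return false
	}
	d := sha256.Sum256(payload(customer, hw))
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	priv, _ := GenerateLicensorKey()
	hw := []byte("constructed-fingerprint") // sample value, constructed for this example
	key, _ := Issue(priv, "ACME Corp", hw)
	fmt.Println(Verify(&priv.PublicKey, "ACME Corp", hw, key), Verify(&priv.PublicKey, "ACME Corp", []byte("other"), key))
}
```

The public key alone cannot produce a key for another machine; anyone who can change the app's embedded public key or patch out Verify still wins, which is where the obfuscation advice earlier in the thread comes in.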
You have some "functions" ...
It is not clear what is happening "client side", "server side", whatever.
Your definition of a solution is actually rather vague; and to describe it as "secure" or not is not reasonably possible given the information.
I don't understand how one can tackle these types of problems without some sort of "diagram".
"Activation" usually implies some sort of server side functionality.
As in: "We don't care if you needed to replace your motherboard; you're already activated and we are not going to 'activate' you again ...".
"(I) am amazed to see myself here rather than there ... now rather than then".
― Blaise Pascal
Quote: It is not clear what is happening "client side", "server side", whatever.
Client Side: I called it user
Server Side: I called it Licensor
It does not solve my problem, but it answers my question
modified 19-Jan-21 21:04pm.
How can I make shadow by using brush tool?
Wrong place to ask this question.
Hello,
I have two SQL 2016 Always On nodes (VMware virtual machines). Each node has 250GB RAM, 46 vCPU @2.5GHz. Each of the MS SQL VMs is dedicated to one ESXi host, so there is no resource contention.
The application that will connect to the database is expected to be 70% WRITE and 30% READ.
I need advice on the best way to:
(1.) Configure MS SQL nodes to use the 250GB RAM, 46 vCPU efficiently and optimally.
(2.) Perform Write and Read as fast as possible using all the hardware resources.
(3.) I have configured Always On Read Routing, how can I test it?
Thanks.
Hi,
I am designing a system for a Java EE based web application wherein there are lots of master data tables. New master data can be added, or a new field may be added to the master tables.
The master tables can fetch the data from a database or from a web service.
I am thinking that instead of creating the logic for each master table separately, I create some sort of code generator which does the code generation for master data management.
Essentially, what all master data has:
A view to add the master data to the table
A view to update the master data
A view to list all the master data
with user actions being
Bulk upload
Search and filter
Has anyone created something like this design for a Java EE based application?
What does the "user" need?
What you're talking about SQL Server Management Studio does "out of the box"; and it's "free".
You're going to charge for this?
"(I) am amazed to see myself here rather than there ... now rather than then".
― Blaise Pascal
We are creating a product. The user doesn't need anything. We have lots of master data which will change dynamically once we go to market. Master data like city, country, district. Basically the admin screen has actions like add, update, listing, search.
The normal approach is to design the table, create the DAO, have controller and service layers and then the frontend screen. If a new table comes in, the same thing needs to be created again.
I was thinking of a way to automate the creation of such code, or to create something which has a common set of code to accommodate any master table introduced in the future, or an update to an existing table.
Hope that makes sense.
Good answer!
Using ASP.NET Dynamic Data
"(I) am amazed to see myself here rather than there ... now rather than then".
― Blaise Pascal
What you do is based more on what you posted here.
I can say for sure that attempts to "make my work easier" which result in dynamic/meta data solutions are always wrong. They do nothing but make the final solution MUCH harder to maintain.
That said there are numerous solutions that already exist for creating multiple layers based on actual data models. Those work when the actual concern is not a dynamic solution but rather the work involved in creating code for many data entities which is basically the same.
Depending on the solution it can create any or all of the following:
1. The DDL
2. The DML - stored procs that act as a database API
3. DTOs and DAOs in your language of choice
4. DAO API layers.
I have been rolling such solutions myself for decades.
Only suggestion to the above I would make is that you must not allow the ease of use of the DTOs to allow you to extend their use into other layers of the application UNLESS they are free from all database hierarchy abstractions. And perhaps even then.
Ah this old chestnut again, every developer sooner or later wants to try and automate or pass this type of functionality to the user. As JSchell said it almost always ends in tears.
You do realise that nearly every one of us (the old farts here) has thought/attempted this type of project and yet most go back to single use code for each dimension table.
Moral of the story - don't ask the old farts for ideas, we are not happy with what we can think of and it will need a new approach to create something useful in this area.
Never underestimate the power of human stupidity
RAH
We have designed a 3-tier web app for a finance application.
The business tier is divided further into layers like manager, helper and util layers to modularize the code and isolate the different functions, i.e. core business vs non-business code, from each other.
The util layer has non-business functions which are required during a particular process, e.g. DateUtils.java, EncryptionUtil.java etc.
The helper layer has business logic which is specific to a particular business process and not required in other business processes, e.g. SomeThirdPartyInterestCalculationHelper.java, SpecificRequestBuilder.java.
The manager layer has the business process which controls the flow as well as implements some parts of the business logic, e.g. CustomerAccountManager.java has different methods for CRUD operations on a customer account. It calls different helpers, utils, DTOs etc. and gets the work done. It also implements some pieces of business logic. So, it performs a mix of the BPM role as well as parts of the core business process logic.
As the processes become complex and lengthier, my manager layer is growing and does not look like well organized code.
I want separate layers doing specific roles, i.e. business process controller, business process execution (core business logic), CRUD operations which are DB specific, helpers (specific to processes), non-business logic.
What can be a better design pattern to achieve this?
I am trying out Business Objects patterns to isolate different parts of business logic and coupling it with Application Service pattern.
So, for executing a business process, I would have:
1. ApplicationService - Would be a pure business process controller calling different business objects and controlling execution based on results of BO methods
2. BusinessObject1 - Core business logic in different methods - Called by ApplicationService
3. BusinessObject2 - Core business logic in different methods - Called by ApplicationService (if BusinessObject1 grows bigger or BusinessObject 1 and 2 can perform specific business functions)
4. IntegrationBusinessObject - To call other third party services required in business process
5. DomainEntityBusinessObject - CRUD operation for a particular domain entity required in process...will also have some business level checks required before or after CRUD operations
6. Adaptors - To convert formats for third party services - May be called by IntegrationBusinessObject
Idea is to make classes more compact and doing specific business functions. Also, control the process from a single class (Application Service) so that changing the process can be easier.
Is this design maintainable and scalable?
Quote: Is this design maintainable and scalable?
The "mental model" that you carry around of this particular app / system has no relation to the "user's" mental model of the business.
I can only assume you will never be actually talking to a "user"; since this is all plumbing.
The "application" programmers will love it (not).
Business processes are value "chains"; not "layers".
"(I) am amazed to see myself here rather than there ... now rather than then".
― Blaise Pascal
I have 3 DNN webservers behind a Citrix load balancer; the load balancer is configured for SSL offloading.
I discovered that the login link doesn't work anymore. It just refreshes whenever it is clicked. The URL of the login link is: https://test.abc.net/User-Login?returnurl=%2f. The link, when clicked, is supposed to take users to the page where they will log in.
When I changed the Citrix load balancer to HTTP, everything works normally, i.e. http://test.abc.net/User-Login?returnurl=%2f takes the users to the login page.
Any suggestion on how to resolve this issue will be appreciated.
Have you set the SSL Offloading header in DNN?
Setting the SSL Offload Header Value[^]
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
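Added example (not DNN's code and not any poster's): a minimal model of why the login link loops behind an SSL-offloading balancer and what honouring the offload header changes, with the header trusted only when the request comes from the balancer itself. The header name X-Forwarded-Proto and the balancer address 10.0.0.5 are assumptions; DNN's actual header is whatever you configure in the setting linked above.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// Constructed for this example: the header the load balancer sets when it has
// terminated TLS, and the only address that header may be trusted from.
const offloadHeader = "X-Forwarded-Proto"
var trustedProxy = net.ParseIP("10.0.0.5") // hypothetical load-balancer address

// requestIsHTTPS reports whether the client's original connection was HTTPS. With
// header == "" (no offload header configured) an offloaded request is plain HTTP.
func requestIsHTTPS(r *http.Request, header string) bool {
	if r.TLS != nil {
		return true
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if header == "" || err != nil || !net.ParseIP(host).Equal(trustedProxy) {
		return false // never trust the header from anyone but the load balancer
	}
	return r.Header.Get(header) == "https"
}

// loginHandler stands in for the login page, which insists on HTTPS: a request it
// takes for plain HTTP is redirected to the same URL over https://, which behind an
// offloading balancer arrives as plain HTTP again (the link that "just refreshes").
func loginHandler(header string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !requestIsHTTPS(r, header) {
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusFound)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

// simulate sends one offloaded request (plain HTTP, header set) from the given
// source address and returns the status code the login page answers with.
func simulate(header, from string) int {
	req := httptest.NewRequest("GET", "http://test.abc.net/User-Login?returnurl=%2f", nil)
	req.RemoteAddr = net.JoinHostPort(from, "51234")
	req.Header.Set(offloadHeader, "https")
	rec := httptest.NewRecorder()
	loginHandler(header).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(simulate("", "10.0.0.5"), simulate(offloadHeader, "10.0.0.5"), simulate(offloadHeader, "203.0.113.7"))
}
```

The source-address check matters: if the application honoured the header from any client, anyone could claim their plain-HTTP request was HTTPS.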
Thanks Richard. Your suggestion saved the day.