Girish, I would then recommend you use a private/public key model to generate your licences. 1. Basically you generate a private/public key using some well know algorithm: (this will be in your licence generator not in the app!!!) RSACryptoServiceProvider provider1 = new RSACryptoServiceProvider(keySize); // save public provider1.ToXmlString(false); // save pyubli key provider1.ToXmlString(true);
2. Include the public key in your application as some const 3. Generate the licence info (whatever you want protected) 4. Sign the licence info with the private key (provider1.Sign( ... )) 5. Save the licence info file + the signature in the same file 6. In the deployed client application when you start load the licence key from file 7. Using the public key that was embedded in your application try to verity the licence file Provider1.FromXmlString( public key) Provider1.VerifyData(...) Make sure that the step1 only happens once and you keep that pair of keys in a safe place. You can publish the public key in the clickonce app, but you need to keep the private key safe and use it to generate licence files. Regards, Corneliu I. Tusnea Readify | Senior Consultant M: +61 410 835 593 | C: [EMAIL PROTECTED] -----Original Message----- From: Discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Girish Jain Sent: Wednesday, 4 April 2007 8:30 PM To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM Subject: Re: [ADVANCED-DOTNET] Confidential Data from Source Code Hi Corneliu, Its the user of the app as well as some other mean developer who might help the user break the key and then pirate the application without license. Thanks Cheers, Girish Jain> Date: Wed, 4 Apr 2007 17:02:38 +1000> From: [EMAIL PROTECTED]> Subject: Re: [ADVANCED-DOTNET] Confidential Data from Source Code> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM> > Girish,> > You still haven't replied to my original question: > - From whom are you trying to protect? The user of the app?> You want to protect that the user is not decompiling your application,> getting that private key out, generating a new key for the application> and using that key without your knowledge?> > > Regards,> > Corneliu I. Tusnea> Readify | Senior Consultant> > M: +61 410 835 593 | C: [EMAIL PROTECTED]> > -----Original Message-----> From: Discussion of advanced .NET topics.> [mailto:[EMAIL PROTECTED] On Behalf Of Girish Jain> Sent: Wednesday, 4 April 2007 1:52 AM> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM> Subject: Re: [ADVANCED-DOTNET] Confidential Data from Source Code> > > Hi Corneliu,> > Basically, we are trying to protect our application from piracy. Its a> file which would be created at the installation of the application and> thereafter would be read on each startup of the application. The file> would be created for that particular machine and will have some entries> into it (of course encrypted!). The application which creates this file> would be **manually** run on the target machine to produce the file.> Each installation of the app would be manual.> > Now, if we have the key to decrypt the file into source code, its easy> to break it. Therefore, do you have any better idea for achieving the> same? > > Thanks for taking time out to reply on this one...> > > Cheers,> Girish Jain> Date: Wed, 4 Apr 2007 00:18:30 +1000> From:> [EMAIL PROTECTED]> Subject: Re: [ADVANCED-DOTNET] Confidential> Data from Source Code> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM> >> Girish,> > For your own fun, even Obfuscation, sending the data back and> forth to> the server and other tricks can't really do it if the key is> part of the> app and used actively in the application. Just try a tool> like Hawkeye> (http://www.acorns.com.au/hawkeye) over your running> application to see> how much time do you need to find the key pair. 1-2> or 5 minutes?> > My primary question is: Whom are you trying to protect> from? The user,> other users with read access on the same machine or> malicious> application (eg: malware, spyware?). In the first scenario> it's a no> brainer. There is no true way of protecting.> For all the> other scenarios the best protection you could achieve is to> ask the> user for a password, then use a one way algorithm together with> some> random key (that you save) to generate a the key that you use to>> encrypt/decrypt. If the user forgot the pass, then simply bad luck,>> there is no way back. Alternatively you could use the registry to keep> a> unique key you generated at installation or a key based on a user>> password. The registry at least is safe from other users.> > > Regards,>> > Corneliu I. Tusnea> Readify | Senior Consultant> > M: +61 410 835 593> | C: [EMAIL PROTECTED]> > > -----Original Message-----> From:> Discussion of advanced .NET topics.>> [mailto:[EMAIL PROTECTED] On Behalf Of Dave> Sent:> Tuesday, 3 April 2007 11:58 PM> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM>> Subject: Re: [ADVANCED-DOTNET] Confidential Data from Source Code> >> Ahh, hiding the private key...... :-)> > Obfuscation is great, but by> definition, it does not change the> semantics,> it just messes the code> around. Private keys are pure binary data, so> they> cannot be changed> by a bit without changing their "meaning". Then you> end> up wanting to> encrypt the private key, but that's not a perfect> solution, as> you> still have another private key to hide.> > One solution is to obfuscate> the code that **generates** the private key> with a well-known logic.> Another one would be to simply create a web> service that decrypts the> data (or sends the key), over ssl, asking for> a> username-password from> your user.> > In all cases, you must remember that: The most private> keys you publish> around, the less private they become. No matter the> solution you choose> you> hide it from the very same client that will> ultimately use it...> > Good luck!> Dave.> www.omniscient.ca>> www.omniscienttrader.com> > > -----Original Message-----> From:> Discussion of advanced .NET topics.>> [mailto:[EMAIL PROTECTED] On Behalf Of Shawn>> Wildermuth> (MVP)> Sent: April 3, 2007 6:18 AM> To:> ADVANCED-DOTNET@DISCUSS.DEVELOP.COM> Subject: Re: [ADVANCED-DOTNET]> Confidential Data from Source Code> > I think you'll have better luck> with Obfuscation. I haven't done it> before> and I am sure others can> suggestion their favorites, but Brent Rector is> a> super bright guy so> I usually recommend Demeanor (http://wiseowl.com)> ...> but I don't know> the pros and cons.> > Thanks,> > Shawn Wildermuth> http://adoguy.com>> http://wildermuthconsulting.com> Microsoft MVP (C#), MCSD.NET, Author> and Speaker> > > -----Original Message-----> From: Discussion of> advanced .NET topics.> [mailto:[EMAIL PROTECTED]> ===================================> This list is hosted by DevelopMentor(r) http://www.develop.com> > View archives and manage your subscription(s) at> http://discuss.develop.com> > ===================================> This list is hosted by DevelopMentor(r) http://www.develop.com> > View archives and manage your subscription(s) at http://discuss.develop.com _________________________________________________________________ Check out some new online services at Windows Live Ideas-so new they haven't even been officially released yet. http://www.msnspecials.in/windowslive/ =================================== This list is hosted by DevelopMentor(r) http://www.develop.com View archives and manage your subscription(s) at http://discuss.develop.com =================================== This list is hosted by DevelopMentorĀ® http://www.develop.com View archives and manage your subscription(s) at http://discuss.develop.com
