Hi Corneliu, I had completely missed the private key concept. ***THANKS A LOT!!!*** I will try this out... Thanks Cheers, Girish Jain > Date: Thu, 5 Apr 2007 10:25:37 +1000> From: [EMAIL PROTECTED]> Subject: Re: > [ADVANCED-DOTNET] Confidential Data from Source Code> To: > ADVANCED-DOTNET@DISCUSS.DEVELOP.COM> > Girish,> > I would then recommend you > use a private/public key model to generate> your licences.> 1. Basically you > generate a private/public key using some well know> algorithm:> (this will be > in your licence generator not in the app!!!)> RSACryptoServiceProvider > provider1 = new> RSACryptoServiceProvider(keySize);> // save public > > provider1.ToXmlString(false);> // save pyubli key> > provider1.ToXmlString(true);> > 2. Include the public key in your application > as some const> 3. Generate the licence info (whatever you want protected)> 4. > Sign the licence info with the private key (provider1.Sign( ... ))> 5. Save > the licence info file + the signature in the same file> 6. In the deployed > client application when you start load the licence> key from file> 7. Using > the public key that was embedded in your application try to> verity the > licence file> Provider1.FromXmlString( public key)> > Provider1.VerifyData(...)> > Make sure that the step1 only happens once and > you keep that pair of> keys in a safe place.> You can publish the public key > in the clickonce app, but you need to> keep the private key safe and use it > to generate licence files.> > > > Regards,> > Corneliu I. Tusnea> Readify | > Senior Consultant> > M: +61 410 835 593 | C: [EMAIL PROTECTED]> -----Original > Message-----> From: Discussion of advanced .NET topics.> [mailto:[EMAIL > PROTECTED] On Behalf Of Girish Jain> Sent: Wednesday, 4 April 2007 8:30 PM> > To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM> Subject: Re: [ADVANCED-DOTNET] > Confidential Data from Source Code> > Hi Corneliu,> > Its the user of the app > as well as some other mean developer who might> help the user break the key > and then pirate the application without> license.> > Thanks> > Cheers,> > Girish Jain> Date: Wed, 4 Apr 2007 17:02:38 +1000> From:> [EMAIL PROTECTED]> > Subject: Re: [ADVANCED-DOTNET] Confidential> Data from Source Code> To: > ADVANCED-DOTNET@DISCUSS.DEVELOP.COM> >> Girish,> > You still haven't replied > to my original question: > - From> whom are you trying to protect? The user > of the app?> You want to> protect that the user is not decompiling your > application,> getting that> private key out, generating a new key for the > application> and using> that key without your knowledge?> > > Regards,> > > Corneliu I. Tusnea>> Readify | Senior Consultant> > M: +61 410 835 593 | C:> > [EMAIL PROTECTED]> > -----Original Message-----> From:> Discussion of > advanced .NET topics.>> [mailto:[EMAIL PROTECTED] On Behalf Of Girish Jain>> > Sent: Wednesday, 4 April 2007 1:52 AM> To:> > ADVANCED-DOTNET@DISCUSS.DEVELOP.COM> Subject: Re: [ADVANCED-DOTNET]> > Confidential Data from Source Code> > > Hi Corneliu,> > Basically, we> are > trying to protect our application from piracy. Its a> file which> would be > created at the installation of the application and> thereafter> would be read > on each startup of the application. The file> would be> created for that > particular machine and will have some entries> into it> (of course > encrypted!). The application which creates this file> would> be **manually** > run on the target machine to produce the file.> Each> installation of the app > would be manual.> > Now, if we have the key to> decrypt the file into source > code, its easy> to break it. Therefore, do> you have any better idea for > achieving the> same? > > Thanks for taking> time out to reply on this one...> > > > Cheers,> Girish Jain> Date: Wed, 4> Apr 2007 00:18:30 +1000> From:> > [EMAIL PROTECTED]> Subject:> Re: [ADVANCED-DOTNET] Confidential> Data from > Source Code> To:> ADVANCED-DOTNET@DISCUSS.DEVELOP.COM> >> Girish,> > For your > own fun,> even Obfuscation, sending the data back and> forth to> the server > and> other tricks can't really do it if the key is> part of the> app and > used> actively in the application. Just try a tool> like Hawkeye>> > (http://www.acorns.com.au/hawkeye) over your running> application to> see> > how much time do you need to find the key pair. 1-2> or 5 minutes?>> > My > primary question is: Whom are you trying to protect> from? The> user,> other > users with read access on the same machine or> malicious>> application (eg: > malware, spyware?). In the first scenario> it's a no>> brainer. There is no > true way of protecting.> For all the> other> scenarios the best protection > you could achieve is to> ask the> user for> a password, then use a one way > algorithm together with> some> random key> (that you save) to generate a the > key that you use to>> encrypt/decrypt.> If the user forgot the pass, then > simply bad luck,>> there is no way> back. Alternatively you could use the > registry to keep> a> unique key> you generated at installation or a key based > on a user>> password. The> registry at least is safe from other users.> > > > Regards,>> > Corneliu> I. Tusnea> Readify | Senior Consultant> > M: +61 410 > 835 593> | C:> [EMAIL PROTECTED]> > > -----Original Message-----> From:>> > Discussion of advanced .NET topics.>>> [mailto:[EMAIL PROTECTED] On Behalf Of > Dave> Sent:>> Tuesday, 3 April 2007 11:58 PM> To:> > ADVANCED-DOTNET@DISCUSS.DEVELOP.COM>> Subject: Re: [ADVANCED-DOTNET]> > Confidential Data from Source Code> >> Ahh, hiding the private key......> > :-)> > Obfuscation is great, but by> definition, it does not change the>> > semantics,> it just messes the code> around. Private keys are pure> binary > data, so> they> cannot be changed> by a bit without changing> their > "meaning". Then you> end> up wanting to> encrypt the private key,> but that's > not a perfect> solution, as> you> still have another private> key to hide.> > > One solution is to obfuscate> the code that> **generates** the private key> > with a well-known logic.> Another one> would be to simply create a web> > service that decrypts the> data (or> sends the key), over ssl, asking for> a> > username-password from> your> user.> > In all cases, you must remember that: > The most private> keys> you publish> around, the less private they become. No > matter the>> solution you choose> you> hide it from the very same client that > will>> ultimately use it...> > Good luck!> Dave.> www.omniscient.ca>>> > www.omniscienttrader.com> > > -----Original Message-----> From:>> Discussion > of advanced .NET topics.>>> [mailto:[EMAIL PROTECTED] On Behalf Of Shawn>>> > Wildermuth> (MVP)> Sent: April 3, 2007 6:18 AM> To:>> > ADVANCED-DOTNET@DISCUSS.DEVELOP.COM> Subject: Re: [ADVANCED-DOTNET]>> > Confidential Data from Source Code> > I think you'll have better luck>> with > Obfuscation. I haven't done it> before> and I am sure others can>> suggestion > their favorites, but Brent Rector is> a> super bright guy so>> I usually > recommend Demeanor (http://wiseowl.com)> ...> but I don't> know> the pros and > cons.> > Thanks,> > Shawn Wildermuth>> http://adoguy.com>> > http://wildermuthconsulting.com> Microsoft MVP (C#),> MCSD.NET, Author> and > Speaker> > > -----Original Message-----> From:> Discussion of> advanced .NET > topics.> [mailto:[EMAIL PROTECTED]>> ===================================> > This list is hosted by> DevelopMentor(r) http://www.develop.com> > View > archives and manage your> subscription(s) at> http://discuss.develop.com> >> > ===================================> This list is hosted by> DevelopMentor(r) > http://www.develop.com> > View archives and manage your> subscription(s) at > http://discuss.develop.com> > _________________________________________________________________> Check out > some new online services at Windows Live Ideas-so new they> haven't even been > officially released yet.> http://www.msnspecials.in/windowslive/> > ===================================> This list is hosted by DevelopMentor(r) > http://www.develop.com> > View archives and manage your subscription(s) at> > http://discuss.develop.com> > ===================================> This list > is hosted by DevelopMentor® http://www.develop.com> > View archives and > manage your subscription(s) at http://discuss.develop.com _________________________________________________________________ Windows Live Spaces is here! It’s easy to create your own personal Web site. http://spaces.live.com/?mkt=en-in =================================== This list is hosted by DevelopMentor® http://www.develop.com
View archives and manage your subscription(s) at http://discuss.develop.com
