Hi Pat,

Jason is right, you can't stop the software user from changing the certificate.

However, you _can_ slow them down. We have created some new software that does a particularly good job of encrypting software, in file and in memory. It also stops debuggers, which is the tool a hacker would use to replace the certificate.

Best Regards,
Jim

Jim McCartney, P. Eng
CEO
CrypKey (Canada) Inc.
Phone: (403) 258-6274
Email: [EMAIL PROTECTED]
Web: http://www.crypkey.com
"battle-proven software protection & license control"

-----Original Message-----
From: Pat Deegan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 10:35 AM
To: [EMAIL PROTECTED]
Subject: Re: choosing the right algorithm

Greets,

On Tue, 2003-06-24 at 11:26, Ruotger Skupin wrote:
> Well I'm not sure whether the whole serial#-fingerprint combo is signed
> or a hash of it. (I didn't write the code) Are there any security risks
> if I do not use a hash?

I don't believe so - I think that in most circumstances, you sign a digest because signing the entire message would be slow and it's quicker to pass the data through a one way hash and then sign that hash. In your case, this may not even be true.

> > We've been thinking of a somewhat similar procedure but the
> > question is "how do you protect the public key?". How are you doing
> > it?
> Well, to be honest, I don't understand the question. As far as I
> understand the matter, the cool thing about public key cryptography is
> that you cannot derive the private key from the public key, even if
> you have the plain text *and* the cipher text. Correct me if I'm wrong!

I don't mean "how do you keep the public key secret". I mean, how do you keep the user from changing the public key for one from their own generated keypair, thereby allowing them to sign whatever they like and bypass your security.

We've been thinking of various obfuscation techniques to keep the public key hidden but I'm wondering if there's some better way we haven't figured out.

Regards,
--
Pat Deegan, http://www.psychogenic.com/
PGP: http://www.keyserver.net 0x03F86A50
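An added example, not code from anyone in this thread: a hash-then-sign license check over the serial#-fingerprint combo, showing that the check is only as trustworthy as the public key embedded in the client. It uses unpadded textbook RSA with small constructed keys for illustration only; the function names, the `serial|fingerprint` layout and the key values are assumptions.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Textbook RSA key pair from two primes (toy size, no padding)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)

def digest_int(message, n):
    """Digest the message, then reduce it into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    """Sign the digest rather than the whole message."""
    n, d = private_key
    return pow(digest_int(message, n), d, n)

def verify(message, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == digest_int(message, n)

def license_blob(serial, fingerprint):
    """Assumed layout of the signed data: serial number plus machine fingerprint."""
    return f"{serial}|{fingerprint}".encode()

def check_license(serial, fingerprint, signature, embedded_pub):
    """What the client does: verify against whatever key it has embedded."""
    return verify(license_blob(serial, fingerprint), signature, embedded_pub)

# Constructed keys built from small Mersenne primes, far too short for real use.
VENDOR_PUB, VENDOR_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**107 - 1, 2**61 - 1)

def demo():
    """Return the outcome of each case for constructed sample values."""
    genuine = sign(license_blob("SN-0001", "fp-aaaa"), VENDOR_PRIV)
    foreign = sign(license_blob("SN-9999", "fp-bbbb"), OTHER_PRIV)
    return {
        "genuine license, vendor key": check_license("SN-0001", "fp-aaaa", genuine, VENDOR_PUB),
        "altered fingerprint, vendor key": check_license("SN-0001", "fp-cccc", genuine, VENDOR_PUB),
        "foreign signature, vendor key": check_license("SN-9999", "fp-bbbb", foreign, VENDOR_PUB),
        "foreign signature, replaced key": check_license("SN-9999", "fp-bbbb", foreign, OTHER_PUB),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The last case is the one Pat asks about: the mathematics holds, but the result depends entirely on which key sits in the client, so the integrity of the embedded key is what needs protecting.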
