I'm using RSASSA_PKCS1v15_SHA signer and verifier with 2048 key length. When users register (with SWREG), I generate a struct of data. This contains some "magic number" constants, some info about the current time/date/version, and also some details of the user such as their name and email. This is then signed with an internal program (that contains a private key), and written out to a binary file.
The data file is then emailed to the user. The game uses the verifier with a public key embedded in it. If that data file exists in the root directory, and is signed properly, it examines the struct of data, checks the magic numbers, versions etc. If registered, it can display the user's information on screen and unlock the main game levels.
I want to ensure that no keygen is possible. As far as I understand it, it should be practically impossible to generate an arbitrary struct of data and sign it, unless of course I accidentally leak the generator program and thus give away the private key.
As such, the main ways to get around the system are either for users to copy their data file and pass it around, download a (previously leaked) data file, or download a cracked exe. I'm less concerned about these compared to the keygen, because if a single registered file starts becoming available, in the next game update I could always bar it.
Thanks, Geoff
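
An added sketch of the verification flow the post describes, not code from the post or from the library it uses: the game-side check verifies the RSASSA-PKCS1-v1_5 signature before trusting any field, then applies a bar list of leaked files and the magic-number check. The struct layout, `MAGIC`, the SHA-256 bar list and all function names are assumptions made for illustration, as is reading "SHA" in the scheme name as SHA-1; `make_test_key` exists only so the example runs without an external key.

```python
import hashlib, secrets, struct

SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")  # DigestInfo for SHA-1
MAGIC = 0x47454F46                 # constructed magic number
FMT = "<II32s64s"                  # assumed layout: magic, version, name, email
SIZE = struct.calcsize(FMT)

def _emsa(msg, k):
    # EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo || SHA-1(msg)
    t = SHA1_PREFIX + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(n, d, msg):               # registration side; d never ships in the game
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), d, n).to_bytes(k, "big")

def verify(n, e, msg, sig):        # game side; needs only the public (n, e)
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    # Rebuild the whole expected encoding and compare; never parse the padding.
    return pow(s, e, n).to_bytes(k, "big") == _emsa(msg, k)

def check_license(n, e, blob, revoked):
    body, sig = blob[:SIZE], blob[SIZE:]
    if not verify(n, e, body, sig):            # signature first, fields after
        return None
    if hashlib.sha256(body).hexdigest() in revoked:   # leaked files barred in an update
        return None
    magic, version, name, email = struct.unpack(FMT, body)
    if magic != MAGIC:
        return None
    return name.rstrip(b"\0").decode(), email.rstrip(b"\0").decode()

def _prime(bits):                  # Fermat test only: adequate for a throwaway test key
    while True:
        p = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7)):
            return p

def make_test_key(bits=2048):      # returns (n, e, d) for the demo, not production keygen
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        try:
            return p * q, 65537, pow(65537, -1, (p - 1) * (q - 1))
        except ValueError:         # 65537 not invertible mod phi; draw again
            continue
```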
