-----Original Message-----
From: Geoff Carlton [mailto:[EMAIL PROTECTED] Sent: den 19 maj 2005 02:49
To: [email protected]
Subject: Shareware authorisation
I'm developing a game for online indie distribution via the web. I'm going to use Cryptopp for the shareware/registration, I just want to run by the method I've chosen to make sure I'm not doing anything obviously stupid.
I'm using RSASSA_PKCS1v15_SHA signer and verifier with 2048 key length. When users register (with SWREG), I generate a struct of data. This contains some "magic number" constants, some info about the current time/date/version, and also some details of the user such as their name and email. This is then signed with an internal program (that contains a private key), and written out to a binary file.
The data file is then emailed to the user. The game uses the verifier with a public key embedded in it. If that data file exists in the root directory, and is signed properly, it examines the struct of data, checks the magic numbers, versions etc. If registered, it can display the user's information on screen and unlock the main game levels.
I want to ensure that no keygen is possible. As far as I understand it, it should be practically impossible to generate an arbitrary struct of data and sign it, unless of course I accidentally leak the generator program and thus give away the private key.
As such the main ways to get around the system are either to for users to copy their data file and pass it around, download a (previously leaked) data file, or download a cracked exe. I'm less concerned about these compared to the keygen, because if a single registered file starts becoming available, in the next game update I could always bar it.
Thanks, Geoff
You will also have to worry about users stealing keys with stolen credit card numbers and then distrubuting those. It won't be foolproof to bar them either as they can just patch the program to change the barring. Nothing is as simple as it seems.
