Synopsis:
We are making software that will be installed on many computers on a single network. The installation will most probably be done using a machine ghost. The user group consists of students and teachers.
The software has to store a license key, along with a username and a password. This information is used to retrieve some data online.
Problem:
Since the installation will be ghosted and the license/username/password will be present in the ghost, we cannot use the Windows CryptAPI to decrypt, since it uses a machine-unique key, meaning that only the original computer where the ghost was made could decrypt it.
Right now, we are encrypting using a Rijndael implementation. My problem is that the password, along with the salt and other Rijndael information, has to be stored inside the source code, but since it's .NET, it can be "reflectored". And since most of the users will be students, we suspect that some of them might have programming knowledge or know someone with skills who could decrypt the data and use the license key elsewhere.
Question:
What other secure alternative exists to store encrypted data on a machine where the password is not on the same machine? Or should we think of another completely different approach?
We thought about using a web service to encrypt and decrypt, but then someone with a tool like Wireshark would see the data in clear text.
I understand that there is no perfect security, and maybe there is no better way, but I'd like to hear from someone who had a similar problem or has an idea on how I could improve the security of the license.