tags:

views:

86

answers:

4
Q: 

Encoding license file for privacy

Hi,

We're using XML Digital Signatures for signing and verifying our license keys. The signing works fine and has been running smoothly. The XML license file contains a few (plaintext) details about the license, along with a binary signature.

We'd like to encode (I don't say encrypt) those plaintext details (license duration, user name, etc, etc.) so they're not immediately visible to prying eyes. Is there a standard (eg, base 64 or something else) that people use in this situation? It doesn't need to be secure or particularly clever, just enough to conceal the information in Notepad.

EDIT: We're using .NET/C#.

Thanks : )

A: 

A simple hex encoding would accomplish that. It is also easy to decode. If you mention which language or platform you are writing the code in, someone could make a more specific recommendation.

Amardeep  2010-05-27 20:03:14
Hi, thanks for the response, we're building in .NET, C#. We also have various stuff in C++.
Swingline Rage  2010-05-27 20:38:54
A: 

If you're simply looking to obfuscate the details, then I would think a Base64 or equivalent encoding mechanism would be fine.

I'm not familiar with any sort of standard around exactly what you're trying to do, since most people would argue that what you're trying to do doesn't really achieve anything (since it falls within the realm of "security through obscurity").

Rob Hruska  2010-05-27 20:04:39
Thanks, and good point. Our licensing scheme is pretty minimalistic- just enough to keep the honest users honest. And you're right there are exactly zero standards in this area. I'm a little surprised .NET doesn't ship with better out of the box support for licensing. There are the licensing classes and the (ridiculously expensive) MS Licensing Services but... no easy-to-use blackbox component that provides basic public key/private key licensing in a few common configurations.
Swingline Rage  2010-05-27 20:38:16
A: 

As a user of license keys, I would recommend against this obfuscation. It is often very useful when auditing the license to determine the details you are referring to. If I can get them from the xml description, it can save as substantial amount of time. It also helps discover incorrectly deployed licenses. If I find a key issued to example.com instead of the organization I work for, I know we need to address the issue. If it is issued to ZXhhbXBsZS5jb20K (example.com in base64), do I will not think twice about it. I also have to deal with ensuring licences are renewed on time. When do I renew a license with an expiry of MjAxMC0wNi0wMQo=?

BillThor  2010-05-27 20:13:55
This interests me. You're saying that, as a *user*, you find yourself examining .lic key contents? But what if we're using (for example) your unique machine ID or some hash thereof as part of the license? Would it bother you to open a LIC file and see that information sitting there in plain text?
Swingline Rage  2010-05-27 20:41:04
It would bother me more if I as a user found that you kept some sensitive information of mine in the .lic file and attempted to hide this fact from me.
Eugene Mayevski 'EldoS Corp  2010-05-27 20:56:56
Not in the least. This is information which I would use in an audit of the licence usage. If I find a key for IP 192.0.2.15 being used on a key server with IP 192.0.2.41, I would want to rectify the situation. Likewise for any other information identifying the server. Not having the information in license can make it difficult to deploy licenses properly as I can't readily identify which serve the license should be on.
BillThor  2010-05-28 21:36:40
+1  A: 

Just use XOR. XOR is a good thing (when used right), used even in cryptographic algorithms such as RC4. By using XOR I mean taking some text string that will remain constant in your application, then XOR 1st byte of your file with 1st byte of that string, then xor 2nd byte of your file with 2nd byte of that string and so on. Then start from the beginning of the string. This is the way stream ciphers work. The string found in your code (in opposite to just some constant number) will make hacker's work a tiny bit more complicated.

Eugene Mayevski 'EldoS Corp  2010-05-27 20:55:59

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?