Hi,

We're using XML Digital Signatures for signing and verifying our license keys. The signing works fine and has been running smoothly. The XML license file contains a few (plaintext) details about the license, along with a binary signature.

We'd like to encode (I don't say encrypt) those plaintext details (license duration, user name, etc.) so they're not immediately visible to prying eyes. Is there a standard (e.g., Base64 or something else) that people use in this situation? It doesn't need to be secure or particularly clever, just enough to conceal the information in Notepad.

EDIT: We're using .NET/C#.

Thanks : )

A: 

A simple hex encoding would accomplish that. It is also easy to decode. If you mention which language or platform you are writing the code in, someone could make a more specific recommendation.

Amardeep
Hi, thanks for the response, we're building in .NET, C#. We also have various stuff in C++.
Swingline Rage
A: 

If you're simply looking to obfuscate the details, then I would think a Base64 or equivalent encoding mechanism would be fine.

I'm not familiar with any sort of standard around exactly what you're trying to do, since most people would argue that what you're trying to do doesn't really achieve anything (since it falls within the realm of "security through obscurity").

Rob Hruska
Thanks, and good point. Our licensing scheme is pretty minimalistic, just enough to keep the honest users honest. And you're right, there are exactly zero standards in this area. I'm a little surprised .NET doesn't ship with better out-of-the-box support for licensing. There are the licensing classes and the (ridiculously expensive) MS Licensing Services but... no easy-to-use blackbox component that provides basic public key/private key licensing in a few common configurations.
Swingline Rage
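
The Base64 suggestion in the answer above, sketched in C# as an added example (not code from the original posts): the field values are encoded before the XML Digital Signature is computed, so the signature covers the stored form, and the reader verifies first and decodes second. The `<License>` layout, the helper names and the throwaway RSA key are assumptions; on .NET Core and later, `SignedXml` comes from the System.Security.Cryptography.Xml package.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;
static class LicenseDemo
{
    // Base64 is an encoding, not encryption: anyone can reverse it without a key.
    static string Encode(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s));
    static string Decode(string s) => Encoding.UTF8.GetString(Convert.FromBase64String(s));
    static XmlDocument Issue(RSA privateKey, string user, DateTime expires)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<License><User/><Expires/></License>");   // constructed layout
        doc.DocumentElement["User"].InnerText = Encode(user);
        doc.DocumentElement["Expires"].InnerText =
            Encode(expires.ToString("yyyy-MM-dd", CultureInfo.InvariantCulture));
        // Sign after encoding, so the signature covers the bytes actually stored.
        var signed = new SignedXml(doc) { SigningKey = privateKey };
        var reference = new Reference { Uri = "" };             // whole document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signed.AddReference(reference);
        signed.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signed.GetXml(), true));
        return doc;
    }

    static bool TryRead(XmlDocument doc, RSA publicKey, out string user, out string expires)
    {
        user = expires = null;
        var sig = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sig.Count != 1) return false;                       // missing or ambiguous signature
        var signed = new SignedXml(doc);
        signed.LoadXml((XmlElement)sig[0]);
        if (!signed.CheckSignature(publicKey)) return false;    // verify first, decode second
        user = Decode(doc.DocumentElement["User"].InnerText);
        expires = Decode(doc.DocumentElement["Expires"].InnerText);
        return true;
    }

    static void Main()
    {
        using var key = RSA.Create();                           // throwaway key for the demo
        var doc = Issue(key, "example.com", new DateTime(2010, 6, 1));
        Console.WriteLine(TryRead(doc, key, out var u, out var e) ? $"{u} until {e}" : "invalid");
        doc.DocumentElement["Expires"].InnerText = Encode("2099-01-01");   // simulated edit
        Console.WriteLine(TryRead(doc, key, out u, out e) ? "accepted" : "rejected");
    }
}
```

The edited copy fails verification because the enveloped signature was computed over the encoded values; the encoding itself contributes nothing to integrity or confidentiality.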
A: 

As a user of license keys, I would recommend against this obfuscation. It is often very useful when auditing the license to determine the details you are referring to. If I can get them from the XML description, it can save a substantial amount of time. It also helps discover incorrectly deployed licenses. If I find a key issued to example.com instead of the organization I work for, I know we need to address the issue. If it is issued to ZXhhbXBsZS5jb20K (example.com in base64), I will not think twice about it. I also have to deal with ensuring licences are renewed on time. When do I renew a license with an expiry of MjAxMC0wNi0wMQo=?

BillThor
This interests me. You're saying that, as a *user*, you find yourself examining .lic key contents? But what if we're using (for example) your unique machine ID or some hash thereof as part of the license? Would it bother you to open a LIC file and see that information sitting there in plain text?
Swingline Rage
It would bother me more if I as a user found that you kept some sensitive information of mine in the .lic file and attempted to hide this fact from me.
Eugene Mayevski 'EldoS Corp
Not in the least. This is information which I would use in an audit of the licence usage. If I find a key for IP 192.0.2.15 being used on a key server with IP 192.0.2.41, I would want to rectify the situation. Likewise for any other information identifying the server. Not having the information in the license can make it difficult to deploy licenses properly as I can't readily identify which server the license should be on.
BillThor
+1  A: 

Just use XOR. XOR is a good thing (when used right), used even in cryptographic algorithms such as RC4. By using XOR I mean taking some text string that will remain constant in your application, then XOR the 1st byte of your file with the 1st byte of that string, then XOR the 2nd byte of your file with the 2nd byte of that string and so on. Then start from the beginning of the string. This is the way stream ciphers work. The string found in your code (as opposed to just some constant number) will make a hacker's work a tiny bit more complicated.

Eugene Mayevski 'EldoS Corp