tags:

views:

251

answers:

7
+13  Q: 

DSA: What can a hacker do with *just* a public key?

The shareware registration system I'm currently developing embeds the public DSA key in the executable itself, and the private key resides on a server. (For the sake of discussion let's assume that the server is 100% secure, and there is no way for anybody to get their hands on the private key.)

Whenever the program is purchased, the server generates a license for the user by signing the user's name with the private key. That license is then emailed to the user. Once the user manually enters their name and license into the shareware application it is verified by the public key embedded in the application to be a valid or invalid license.

However, it would be fairly trivial for a determined person with the right "know-how" to disassemble the executable and retrieve the public key.

My question here is, what could they do with it? Is a public key, by itself, completely innocuous? Is the public key enough information to reverse engineer a key generator?

Curious minds want to know. Thanks in advance!

+19  A: 

The public key should get them nothing useful. However, if the check is easily found they might be able to simply circumvent it and patch in a test that always succeeds without ever bothering to verify the license against the public key.

Michael Burr  2010-10-19 20:39:26
+1 (what I was about to post). It's far more likely the verifying part would be stripped out.
ChristopheD  2010-10-19 20:42:36
Beat me to it as well. Assymetric cryptography is designed such that secrets don't need to be shared, so as long as the verification method isn't circumvented altogether, the public key is just that--public.
Tristan  2010-10-19 20:44:57
Totally right. Disassemble the executable and ignore the public key - instead patch out the test to always return "licensed".
Stephen P  2010-10-19 20:57:02
+1  A: 

Assuming an as-yet-unbroken encryption method is being used, the public key can not be used to determine the private key. It is meant to be truly public; known by anyone.

Andrew Barber  2010-10-19 20:40:02
+1  A: 

Just having the public key is not enough information to do anything useful with.

The only thing that could be done is someone could encrypt a message using the public key that could only be decrypted with the private key. But if the private key is only on the server, this will not do anything.

Any other attack would require trying to calculate the private key, which will not be sped up at all by having the public key.

Alan Geleynse  2010-10-19 20:41:01
+7  A: 

A public key by itself would let them decrypt any encrypted information sent out by the server. That's it. Going from public key to private key is exceptionally hard; that's how public key cryptography works. (By “exceptionally” I mean that it's designed to be resistant to well-funded government efforts; if it keeps the NSA from cracking you, it'll be sure good enough for stopping Joe Blow.)

Note that it doesn't help with DRM, which it sounds a bit like you're trying to do. DRM is just plain broken by design; if the attacker has the information and the key to unlock it in devices local to him, it's already game over. If you give a key to an attacker, it might as well be public since he's sure not going to be willing to keep it secret…

Donal Fellows  2010-10-19 20:41:58
Voting down without explanation? Poor show.
Donal Fellows  2010-10-19 20:57:00
Sorry about that. Meant to reply, but got distracted. I'm using DSA to sign, not encrypt. The difference being that I'm not "hiding" information; I'm merely guaranteeing (or attempting to guarantee) the origin (my servers). Secondly, I'm not sure what you mean about DRM. Are you saying that shareware and/or licensing schemes are a broken system? If so, you may very well have a point, but it has nothing to do with the original question. I think what you may be saying is that, with an embedded public key, a single valid license can be used by multiple parties, which is true.
kurige  2010-10-20 01:04:28
@kurige: Ultimately, when you're working with security you've got to define **exactly** what you are protecting against as not all combinations are possible (assuming you want usable software at all). I tend to favor putting critical functionality in a server I control so that users can't do anything useful without passing the checks I impose – for the classes of apps I write, the ensuing requirement for network connectivity isn't an additional problem – and giving away the client source as it's not valuable in itself.
Donal Fellows  2010-10-20 07:57:29
+1  A: 

In asymmetric cryptography it is safe to give your public key to an attacker. However, this value, along with a signature or cipher text produced by a private key can be used in Trivial Attack to obtain the corresponding private key.

Rook  2010-10-19 20:45:12
Don't hold your breath waiting for that to happen; brute-forcing DSA is a lot of work because the key space is colossal and IIRC there aren't any known shortcuts. Moreover, you're **supposed** to be able to tell everyone your public key and the signature; that's *how public key cryptography works*.
Donal Fellows  2010-10-20 00:13:10
@Donal Fellows and that is the definitional of a trivial attack. Don't be so quick to assume the people around your are as dumb as rocks.
Rook  2010-10-20 00:23:57
@Rook: Ah, but with the key size being of the size it is, “trivial” isn't trivial at all.
Donal Fellows  2010-10-20 07:53:19
@Donal Fellows crack open a cryptography book sometime, brute force is called the trivial attack and all crypto primitives are vulnerable to them. In my post i am describing on the trivial attack works for asymmetric cryptography.
Rook  2010-10-20 18:18:40
@Rook: It's a pure mathematician's definition of "trivial". A good pure mathematician, when faced with a fire in his hotel room and a fire extinguisher, will go back to sleep satisfied that a solution exists.
Donal Fellows  2010-10-20 20:25:38
A: 

The point is that this sort of encryption is designed to protect the content of the message and to verify sender authenticity which in this case is clearly known to the user i.e. Name and Vendor etc. Much nicer would be to protect a section of the code with this sort of encryption such that crucial bits of code stays garbled until the proper key is used.

Once the key is used however the user can decrypt and make copies of the software. Fully protected software is fully unusable. Though unrelated this is an interesting read regarding protecting things.

whatnick  2010-10-19 21:25:05
You *can* fully protect software, but only by never giving people a copy. This isn't quite as silly as it sounds; software-as-a-service is a reasonable alternative for many situations.
Donal Fellows  2010-10-20 00:16:51
Then it is not really the software you are selling .. it is the infrastructure .. e.g. Google and most of the web giants. Making it work may cost more investment than just the software.
whatnick  2010-10-20 13:59:51
+1  A: 

Public keys are used everywhere -- logon forms, security of banking transactions, client-side authentication etc. So the short answer is that you shouldn't worry, cause lots of other, smarter people have looked at this problem and accepted the distribution of public keys to endpoints.

What can people tell from your public key? They would obviously know a key name and key length. I assume that the key is part of a certificate, which could also contain some details about your company and website URL.

My questions to you are:

1) Why are you worried about a public key in an executable? Any half-decent cracker would just change your executable to bypass the public key check altogether. The fact that the encryption is strong is meaningless when you're giving a binary to the client that can be modified.

2) Are you aware of the mess you may be getting yourself into? There's nothing inherently wrong with using public key encryption to secure a binary, but you may end up with problems as the system develops. Things such as expired keys, key roll-overs and key issuance (I believe this is a tool you're developing to sell) can become a major pain. And, yet, you'll still be stuck with the reality that your bigger challenge is stopping crackers from just rerouting the binary to avoid your security check altogether.

Simon @ http://blog.LabSlice.com

Simon Ellis  2010-10-19 23:34:05
What I'm working on is strictly for personal use. I'm just working on a system that I can reuse in my own projects - I'm not trying to sell the system itself. I decided on a few things that make my job a lot easier in the long run, and more pleasant for my customers: 1) No expiration 2) No phoning-home. The latter is the most important to me - and embedding the public key allows me to do just that - I was just curious about what implications I may have missed.
kurige  2010-10-20 01:14:55
Fair. Good luck and enjoy the project!
Simon Ellis  2010-10-20 01:58:59

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security