Situation:

I want to provide a website service where users can enter some data e.g. 15 bytes long name "namedata" and get a key code. That code can then be used to unlock some feature in a game (provided by me), also utilizing the namedata (think of a custom Lazgun named "Lazgun of Peter", where "Peter" is the namedata).

My plan is to encrypt the namedata along with some short signature (e.g. 5 Bytes "hello") with asymmetric encryption (using the private key) into the key code (something like AsdF-STaCK-0VEr-FL0W-13Abbx).

The user then enters the key code in the game and the game then decodes the data with a public key into the namedata and the signature and voila the user gets its "Lazgun of Peter".

Problem:

The problem (or my misunderstanding?) is that the typical RSA encryption can only be used to encrypt data of the length of the key, e.g. 1024 bit, which would be too long for my key code - no user wants to enter codes with 150+ characters (assuming about 6 bit data per entered character).

Question:

What kind of encryption should I use to get decent security, so that only my website service can generate "correct" codes, but the user only has to enter codes about the size of the namedata + signature + some small overhead?

Note: The game executable is obviously publicly available and any encryption key stored in it could be read from it, but the executable itself cannot be altered (copy protection).

A: 

I think it is the wrong idea to store all item data inside the actual key code.

It makes more sense to create a unique download code. When entered, the client will connect to a server, and download the actual item data through a secure connection.

Does this make any sense?

kotlinski
Yes, that should work, but that would mean a lot more effort for infrastructure - the client (game) would need to communicate with some server. Unfortunately I have to keep the budget small and also I'm not responsible for the website part.
OK, but if it's low-budget, RSA seems really overkill. Maybe you can just use some simple cipher like Vigenère? http://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher
kotlinski
...and pray that the game doesn't get popular :)
kotlinski
I'd rather pray it gets very popular and I redo that system. ;) But thinking about your answer already helped, I think I just need to change the way that key code is delivered: rather than letting the user type in some key, I give him some file via mail (or maybe let him paste a very long code), so the length of the key code is no longer an issue. Thanks!
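
The download-code approach from the answer, sketched as an added example (not code from the question or the answer): the website mints a random code and keeps the namedata server-side, and the game's redemption request returns it exactly once. The in-memory dictionary, the function names and the 120-bit code length are assumptions of this sketch.

```python
import base64
import hashlib
import secrets

# In-memory stand-in for the server's database (assumption of this sketch):
# SHA-256(raw code bytes) -> {"namedata": str, "redeemed": bool}
# Only the hash is stored, so a leaked table does not reveal usable codes.
_codes = {}


def _format(raw: bytes) -> str:
    """Base32-encode and group into blocks of four: ABCD-EFGH-..."""
    text = base64.b32encode(raw).decode("ascii").rstrip("=")
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))


def _parse(code: str) -> bytes:
    """Undo _format, tolerating lower case, spaces and missing dashes."""
    text = "".join(ch for ch in code.upper() if ch.isalnum())
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)  # ValueError on characters outside base32


def issue(namedata: str) -> str:
    """Website side: mint an unguessable code bound to the item's namedata."""
    raw = secrets.token_bytes(15)  # 120 bits -> 24 base32 characters
    _codes[hashlib.sha256(raw).digest()] = {"namedata": namedata, "redeemed": False}
    return _format(raw)


def redeem(code: str):
    """Server side of the game's request: return namedata once, else None."""
    try:
        key = hashlib.sha256(_parse(code)).digest()
    except ValueError:
        return None
    entry = _codes.get(key)
    if entry is None or entry["redeemed"]:
        return None
    entry["redeemed"] = True  # single use: a shared code unlocks one item only
    return entry["namedata"]
```

The code carries no item data and no key, so nothing in the game executable can be used to mint new codes; the cost is the server round trip discussed in the comments.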