Hello everyone. I'm trying to determine the best course of action to implement a simple "licensing" system with a partner of mine. The concept is:

Generate an encrypted value based upon several internal hardware components. Have the customer send this value to us which we will implement into our key generator. Once we have that, we add any other restrictions on the license (user, expires, etc.). From there we generate a file which we send to the customer they can add to their installation and voila, happy people about.

I have the first part all done. My next part is trying to figure out which encryption methodology I would need to use. I already know Symmetric Encryption is pretty much the only route I can take. Most of the information I have found involves .NET already creating a key from its own internal methods.

That's a bit of background, my question is: "Which encryption method could I use which would allow me to encrypt the restrictions based upon the "id" I was given from the customer's computer?" I'm writing this in C# by the way.

Any ideas would be greatly appreciated!

Take Care!

A: 

I recently did something very similar to this. I used AES to generate a value based on a private key using an internal customer id or order number as the IV used to encrypt the value.

Instead of an order number you can use some form of checksum from your first step so it's not something that's stored as the IV. That way if the file is hosed or if they transfer the software to a new computer - either way will invalidate the file.

Something you might be careful of though is how closely you tie the installation/license to the hardware. You don't want to punish a legitimate user simply because they upgraded their motherboard.

McAden
I see your point. Tying the key partially to the motherboard is better than, say, the hard drive; chances are one would change the hard drive long before the motherboard.
Anubis
One of the things I did do was when the software is activated and the key is saved into the registry, I encoded the registry value using the hard drive, that way the software couldn't be migrated to another computer via ghosting without re-inputting the product key. No solution is going to be 100% secure, but the goal is to make it reasonably secure without punishing legitimate users.
McAden
A: 

You say you know you need symmetric encryption but you would be wrong. With symmetric encryption the code checking the license has to have access to the secret, which means if your code is reverse engineered someone can not only figure out where to remove the checks, they can generate and sell license keys that are indistinguishable from the ones you make.

Use asymmetric encryption, or a secure hash. And don't try to use the customer-specific hardware information as the key, instead prepend or append it to the other data. You're essentially creating an access control/rights/privileges list file coupled with a message authentication code to verify its source (you).

Ben Voigt
I was looking at using RSA originally, but the requirements I have been given state that the license needs to be read. From my understanding, as remedial as it is, if I were to use asymmetric encryption I would need to generate keys. This is where my understanding falters. I was thinking I could have the software generate a public key based from the customer and send that public key which I would use to encrypt the license file. Again, this is where my limited understanding is reached and thus I went for a solution I understood a bit more... any guidance is greatly appreciated :)
Anubis
I would do a message authentication code on the license using RSA. The license itself is in plain text, so it can be read, and the message authentication code (which incorporates a hash of the license and hardware information together, which is then encrypted with your private key) resists forgery.
Ben Voigt
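
The approach described in the answer above (a plain-text license with an RSA signature over the license and hardware information together), as an added C# example that is not code from any of the posters. The names `LicenseDemo`, `Payload`, `Sign` and `Verify`, the sample hardware id and license fields, and the choice of SHA-256 with PKCS#1 v1.5 padding are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LicenseDemo
{
    // Signed bytes: hardware id (length-prefixed so the field boundary cannot
    // be shifted) followed by the readable license text.
    static byte[] Payload(string hardwareId, string licenseText) =>
        Encoding.UTF8.GetBytes(hardwareId.Length + ":" + hardwareId + licenseText);

    // Vendor side: uses the private key, which never ships with the product.
    public static string Sign(RSA vendorKey, string hardwareId, string licenseText) =>
        Convert.ToBase64String(vendorKey.SignData(Payload(hardwareId, licenseText),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));

    // Client side: only the public key is embedded in the application.
    public static bool Verify(RSAParameters publicKey, string localHardwareId,
                              string licenseText, string signatureB64)
    {
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            try
            {
                return rsa.VerifyData(Payload(localHardwareId, licenseText),
                    Convert.FromBase64String(signatureB64),
                    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            }
            catch (FormatException) { return false; } // signature is not valid Base64
        }
    }

    static void Main()
    {
        using (RSA vendor = RSA.Create(2048)) // demo key pair, generated on the fly
        {
            string hw = "HW-1234-ABCD";                    // constructed hardware id
            string lic = "user=alice;expires=2030-01-01"; // constructed license text
            string sig = Sign(vendor, hw, lic);
            RSAParameters pub = vendor.ExportParameters(false); // public half only

            Console.WriteLine(Verify(pub, hw, lic, sig));                         // genuine file
            Console.WriteLine(Verify(pub, hw, lic.Replace("2030", "2099"), sig)); // edited text
            Console.WriteLine(Verify(pub, "HW-OTHER", lic, sig));                 // other machine
        }
    }
}
```

The caller passes the hardware id computed on the local machine, so a license file copied to different hardware fails verification even though its text and signature are unchanged.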