Re: RSA private/public question
- From: "Henrick Hellström [StreamSec]" <henrick@xxxxxxxxxxxxxxxxxx>
- Date: Mon, 06 Jun 2005 12:15:13 +0200
Nick Rollas wrote:
I want to implement RSA public/key in my software to encrypt my registration keys.
In addition to the implementation advice you have been given already, I would like to stress that such registration schemes can be bypassed. I have seen it happen a number of times.
The problem is that somewhere in your implementation of the registration scheme you will get an if..then statement where you check the validity of the registration entered by the user. This line is exactly what the cracker will try to find. To crack your scheme the cracker will just have to flip the conditional so that execution exits if the key is valid and continues otherwise.
Consequently, you might use RSA to make it practically infeasible for anyone to generate keys that will work with your *authentic* software, but you can't possibly prevent people from generating keys that will work with *cracked* versions of your software. Hence, your best bet might be to give your users an incentive to stay away from cracked versions of your software, and one tool you might use for this is a spotless reputation for producing malware-free software combined with instrumental use of MS Authenticode. Unfortunately, MS Authenticode signatures are only checked in some circumstances, such as when you are downloading and running ActiveX controls from within MSIE.
-- Henrick Hellström www.streamsec.com
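Added illustration, not part of the original post and not the poster's code: a sketch of the kind of scheme under discussion, in which the vendor signs the licensee name with an RSA private key and the shipped program verifies it with the public key only. The primes, the hex key format and the function names are assumptions made for this example; it uses unpadded textbook RSA with a 150-bit modulus purely to stay self-contained, where a product would use a vetted library with a 2048-bit or larger key and a padded signature scheme.

```python
import hashlib

# --- Vendor side (never shipped). Toy parameters constructed for this example:
# two Mersenne primes give a 150-bit modulus, far too small for real use.
_P = 2**61 - 1
_Q = 2**89 - 1
N = _P * _Q                            # public modulus, embedded in the product
E = 65537                              # public exponent, embedded in the product
_D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent, stays with the vendor


def _digest(name: str) -> int:
    """Map the normalized licensee name to an integer below N (no padding)."""
    h = hashlib.sha256(name.strip().lower().encode("utf-8")).digest()
    return int.from_bytes(h, "big") % N


def issue_key(name: str) -> str:
    """Vendor-only: sign the name digest with the private exponent."""
    return format(pow(_digest(name), _D, N), "x")


# --- Shipped side: only N and E are needed from here on.
def is_registered(name: str, key: str) -> bool:
    """Verify a registration key using the public key alone."""
    try:
        s = int(key.strip(), 16)
    except ValueError:
        return False                   # not a hex string at all
    if not 0 < s < N:
        return False                   # out-of-range values are never valid
    return pow(s, E, N) == _digest(name)


if __name__ == "__main__":
    key = issue_key("Alice Example")   # constructed sample licensee
    print("key         :", key)
    print("valid name  :", is_registered("Alice Example", key))
    print("other name  :", is_registered("Bob Example", key))
    print("made-up key :", is_registered("Alice Example", "deadbeef"))
```

Without the private exponent nobody can produce a key that passes `is_registered` in the unmodified program, yet everything the program learns about a key is that single boolean, which is the check the post refers to.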