1

I have a C++ application with an algorithm, whose usage I want to protect. The application needs several input data files to work (those may change for each client).

My goal is to allow only unaltered input data files which were registered for use.

My current thoughts are:

  • The client has the input files as text
  • Calculate a hash from each file and store that hash in the binary. (Deliver a new binary after each registration.)
  • Allow only input files with stored hash.

I know that is a very basic approach. What would you suggest to make it more robust?

I know there is no 100% security, I'm just aiming for a reasonable tradeoff between implementing security and simplicity of hacking my application.

Mike M
  • 135
  • 5

1 Answers1

1

Maybe that solution is just fine to you, security is always about the risks you are willing to take.

I could write you how a signature would be a much better approach to you solution since you are the only one who will be able to "sign" the "hashes" so no one else can generate an arbitrary file and just hash it.

But maybe, this approach is far more inconvenient to you because it brings more entropy and work with certificates, development... And, you know, even that can be bypassed cracking the executable an placing a bunch of jmps...

So, maybe, your approach is fine, the main problem is that anyone can hash a file, so anyone will be able to use your app if they know that trick (you may be thinking about "inventing" your own hash, but anyone here will recommend against it since that is a "security by obscurity approach").

The question here is, how valuable is your software so someone is willing to crack it down? If you think, well, not many users will think about crack it, or most of my users are non-techie type and I don't think they will crack it...

kiBytes
  • 3,450
  • 15
  • 26