I have a pretty good understanding of X509 cryptography etc, from my career in the smart card industry. So I know that the card scheme (e.g. Visa, MasterCard) is the highest level of trust - they sign issuer keys for subsequent diversification and use on ranges of smart cards, and the issuer then signs individual card keys - thus the chain of trust is present.

My question actually relates to something a little different though. I have developed an application, which I want to place under some licensing control. I have developed my own database to hold user and license information - and all keys distributed will actually be encrypted using a 192-bit 3DES key - decipherable only by the server.

I have a WCF client/server set up - and now I am nearing the point of needing to sort out my response to the client application - which will contain the authenticated license details, signed by my private key for authenticity. So I need to have the public key available to that client application.

I can get an SSL certificate for the website to which the client app connects. My question is therefore whether my app would be able to make use of that public key - or whether I should create a new key pair, signed by my website SSL certificate, effectively giving me a separate key to use for the authentication of this application.

Also - should the public key be distributed with the application, as an installable file? As I write this, I am figuring that it probably does need to be, as I need to allow for offline registrations.

John W
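Added example, not code from the question or from the asker's project: the design the question circles around, a license-signing key pair that is separate from the web site's TLS certificate, with the public half pinned in the client so a signed license can be checked offline. Written in Go with the standard library's Ed25519; the `License` fields, the function names and the sample values are assumptions constructed for this illustration. Because the client trusts the pinned key directly, no certificate chain is needed for this check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is the authenticated license record the server returns (assumed fields).
type License struct {
	LicenseID string    `json:"license_id"`
	Customer  string    `json:"customer"`
	Product   string    `json:"product"`
	Expires   time.Time `json:"expires"`
}

// SignedLicense is the wire and on-disk form: the serialised License plus a
// signature over exactly those bytes. The client keeps it for offline checks.
type SignedLicense struct {
	Payload   []byte `json:"payload"`
	Signature string `json:"signature"` // base64 Ed25519 signature over Payload
}

// GenerateSigningKeyPair creates the dedicated license-signing key pair. It is
// not the TLS key: the private half stays on the licensing server only.
func GenerateSigningKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// EncodePublicKey renders the public key as base64 for pinning in the client.
func EncodePublicKey(pub ed25519.PublicKey) string {
	return base64.StdEncoding.EncodeToString(pub)
}

// ParsePinnedPublicKey decodes the pinned constant and fails closed on
// anything that is not exactly an Ed25519 public key.
func ParsePinnedPublicKey(b64 string) (ed25519.PublicKey, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(raw) != ed25519.PublicKeySize {
		return nil, errors.New("pinned public key has wrong length")
	}
	return ed25519.PublicKey(raw), nil
}

// IssueLicense runs on the server: serialise the license and sign the bytes.
func IssueLicense(priv ed25519.PrivateKey, lic License) (SignedLicense, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return SignedLicense{}, err
	}
	sig := ed25519.Sign(priv, payload)
	return SignedLicense{Payload: payload, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// VerifyLicense runs in the client. The signature is checked before the JSON
// is parsed, so altered data never reaches application logic. "now" is passed
// in so offline checks and tests are deterministic.
func VerifyLicense(pub ed25519.PublicKey, sl SignedLicense, now time.Time) (License, error) {
	if len(pub) != ed25519.PublicKeySize {
		return License{}, errors.New("public key has wrong length")
	}
	sig, err := base64.StdEncoding.DecodeString(sl.Signature)
	if err != nil {
		return License{}, err
	}
	if !ed25519.Verify(pub, sl.Payload, sig) {
		return License{}, errors.New("license signature invalid")
	}
	var lic License
	if err := json.Unmarshal(sl.Payload, &lic); err != nil {
		return License{}, err
	}
	if now.After(lic.Expires) {
		return License{}, errors.New("license expired")
	}
	return lic, nil
}

func main() {
	pub, priv, err := GenerateSigningKeyPair()
	if err != nil {
		panic(err)
	}
	pinned := EncodePublicKey(pub) // in a real client this is a compiled-in constant

	// Constructed sample license, not real customer data.
	lic := License{LicenseID: "LIC-0001", Customer: "Example Customer",
		Product: "ExampleApp", Expires: time.Now().Add(365 * 24 * time.Hour)}
	signed, _ := IssueLicense(priv, lic)
	wire, _ := json.Marshal(signed) // what the server response body would carry

	// Client side: decode the pinned key and the response, then verify.
	clientPub, _ := ParsePinnedPublicKey(pinned)
	var received SignedLicense
	_ = json.Unmarshal(wire, &received)
	got, err := VerifyLicense(clientPub, received, time.Now())
	fmt.Println("license valid:", err == nil, got.LicenseID)
}
```

The signature covers the raw payload bytes, so the client never re-serialises the record before verifying, which avoids canonicalisation mismatches between the two sides. As Milen's comment points out, this protects the integrity of the license data, not the program: a client binary that has been altered to skip `VerifyLicense` is outside what a signature can defend against.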
  • You shouldn't use DES anymore as it has been [deprecated](https://tools.ietf.org/html/rfc6649) – BadSkillz Jul 29 '15 at 11:03
  • Sorry...3DES. And 192-bit key. – John W Jul 29 '15 at 13:14
  • There's no yes/no answer to this. If your concern is licensing only, then what you're describing is a bit of an overkill, a warez team will just rip off the license check, so all that effort will not be a substantial deterrent to protect your intellectual property. If you are encrypting the actual application, or an important part of it during runtime, then you'll be better protected. If you need to secure the client-server licensing communication/authentication, then SSL is great - you have an independent third party validating it. – Milen Jul 29 '15 at 13:33
  • OK - thanks Milen. Where would I start with regards to encrypting part or all of an application? – John W Jul 29 '15 at 14:14
  • Had a quick Google. I am guessing you mean something like Themida? On the face of it, that looks fairly simple to use, so not a great overhead - just €199 for a developer license, then €99/annum. I guess I need to try it out first really. Thanks again for your help. Any more suggestions, please let me know. – John W Jul 29 '15 at 14:30
  • I downloaded the trial of Themida. As soon as it had finished generating the protected application, Kaspersky popped up a warning that my machine was infected - tried disinfection - failed, and then deleted the file. I see that this is common, as much malware uses Themida to hide its code. I've asked Themida for advice on what to do - some AV companies suggest that signing the application can remove the false positive issue - but I'm not completely sure on that. – John W Jul 29 '15 at 23:09