Securing my application...
- I am working on software that will be distributed using ClickOnce deployment.
I want the software to be used only by persons (computers) I grant access to.
For this to work I want to "disable" the application unless the user sends me its cpu id. From the cpu-id I generate a code using encryption (provided by the .net classes) and send this code to the user, who fills it in a form. This code is stored in a text file. Each time the software is run, it checks if the cpu-id is identical to the encrypted cpu-id stored in the textfile.
But then my software needs to decode the cpu-id in the textfile and thus needs to know the password I used for encrypting it.... But how do I store the password in my application? I have been checking a lot of articles on the net, explaining this, but the last part (of storing the key in the application) is still a bit of a mystery to me. I think it has to do with password hashing, but the logic behind it just doesn't stick with me...
Can anyone give me some clues?
All replies
- The best way to do this is to use one of the asymmetric methods. Since the private key is needed to encrypt (and the public key to decrypt) you can place the public key anywhere in your code (constant, a text file, wherever). Even if the user disassembles your code, the public key won't allow him to generate new codes to use for registration.
Ron Whittle - If the post is helpful or answers your question, please mark it as such. Not As Brightly Lit
I found out the private key is needed to decrypt, and encryption is done with the public key.... so this is not going to work the way I want it to work....
Ron Whittle - If the post is helpful or answers your question, please mark it as such. Not As Brightly Lit
- Doesn't matter. What you are reading is for someone sending a message. You'll want to encrypt with the recipient's public key and only they will be able to decrypt it.
In your case, you will be holding the 'public' key, and the recipient the private key. Don't be confused by the names public/private as they are interchangeable in most asymmetric methods. You'll be keeping what is referred to as the public key, private, and making the private key public (in your code). It will still work as there is no simple method to determine the public key from the private key.
Ron Whittle - If the post is helpful or answers your question, please mark it as such. Not As Brightly Lit
- That works but you need a key for each of the users. If you want you can sign the CPU id with your public key, since you don't really need encryption here, you're not trying to hide the CPU id. Then anyone (your application) can take the CPU id from the computer and the signature you created and check it. One signature will work with only one CPU id, and you only need one private/public key pair.
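The signature approach from the last reply, as an added C# example that is not part of the thread: with .NET's RSA class the signature is created with the private key, which stays with the vendor, and the application verifies it with the embedded public key. The names IssueCode and IsLicensed and the sample CPU IDs are constructed for illustration, and the key pair is generated in memory only to keep the demo self-contained.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LicenseDemo
{
    // Vendor side: runs only where the private key lives; it is never shipped.
    static string IssueCode(RSA vendorKey, string cpuId)
    {
        byte[] sig = vendorKey.SignData(Encoding.UTF8.GetBytes(cpuId),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return Convert.ToBase64String(sig);
    }

    // Application side: only the public key is embedded in the program.
    static bool IsLicensed(RSAParameters publicKey, string cpuId, string code)
    {
        byte[] sig;
        try { sig = Convert.FromBase64String(code.Trim()); }
        catch (FormatException) { return false; } // mistyped or truncated code

        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            return rsa.VerifyData(Encoding.UTF8.GetBytes(cpuId), sig,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static void Main()
    {
        // Assumption: a real vendor loads one persistent key pair instead.
        using (RSA vendorKey = RSA.Create(2048))
        {
            RSAParameters publicOnly = vendorKey.ExportParameters(false);
            string cpuId = "BFEBFBFF000306A9";      // constructed sample value
            string otherCpuId = "BFEBFBFF000906EA"; // constructed sample value
            string code = IssueCode(vendorKey, cpuId);

            Console.WriteLine("licensed machine: " + IsLicensed(publicOnly, cpuId, code));
            Console.WriteLine("code copied to another machine: "
                + IsLicensed(publicOnly, otherCpuId, code));
            Console.WriteLine("garbled code: " + IsLicensed(publicOnly, cpuId, "not-a-code"));
        }
    }
}
```

The signature stops a user from generating codes for other machines; it does not stop someone from patching the check out of the binary.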

