firewalker

I have encrypted a settings file that contains the license code for a shareware application. The encryption key for that file is hard-coded into the EXE.

1. Is that the right way to go about it?

2. How do you prevent the code from being decompiled to retrieve the encryption key?

Even 3rd party licensing components and code obfuscators that do string encryption must run into this problem. Where to hide the original key?



Re: Visual C# General Concealing the encryption key

timvw

In http://www.leastprivilege.com/TokenDecryptionServiceForCardSpace.aspx they are using a service that has access to the private key. And that service handles the decryption requests so that your webservice process doesn't need access to the key. All in all, I think this is one of the better solutions.





Re: Visual C# General Concealing the encryption key

ben2004uk

By using Reflector/reflection someone would be able to view the hardcoded string - so this isn't a great way to do it. Obfuscation could help to a point, but that's still easily worked around.

I think CardSpace has a good approach, but you need to be careful that the WS isn't publicly accessible and that anyone can access the key via it - or by sniffing the network.

EDIT: I haven't had a chance to check, but doesn't Windows MarketPlace help out with licensing and this kind of issue? One way could be that you give the license key, then this goes off to the WS for validation/number of times already licensed. Then you can track what's going on. Maybe Project Glidepath would have the answer... seems the kind of problem which it would solve. Would be surprised if Microsoft haven't got a solution for ISVs - if they haven't, then they should have...
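An added example, not part of any post in this thread: a build-audit check illustrating the point above that a hard-coded key string is visible in the compiled EXE. .NET string literals are stored as UTF-16, so the script lists UTF-16LE literals in a binary and flags any that decode to a typical symmetric key length. The sample bytes, the helper `us_heap_entry` and the key value are constructed for illustration.

```python
import base64
import binascii
import re

# Runs of 8+ printable ASCII characters stored as UTF-16LE (char byte, then 0x00).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
KEY_SIZES = {16, 24, 32}  # AES-128/192/256 key lengths in bytes


def utf16_strings(data):
    """Return every UTF-16LE string literal found in a binary blob."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def decodes_to_key(text):
    """True if text is base64 or hex that decodes to a typical key length."""
    for decode in (lambda s: base64.b64decode(s, validate=True), bytes.fromhex):
        try:
            if len(decode(text)) in KEY_SIZES:
                return True
        except (binascii.Error, ValueError):
            continue
    return False


def key_candidates(data):
    """Literals in a build output that look like embedded key material."""
    return [s for s in utf16_strings(data) if decodes_to_key(s)]


def us_heap_entry(text):
    """Constructed stand-in for one literal: length prefix, UTF-16LE, flag byte."""
    body = text.encode("utf-16-le")
    return bytes([len(body) + 1]) + body + b"\x00"


# Constructed sample, not taken from a real assembly.
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()
SAMPLE = b"".join(us_heap_entry(s) for s in
                  ("Settings.dat", SAMPLE_KEY, "License expired"))

if __name__ == "__main__":
    for literal in key_candidates(SAMPLE):
        print("possible hard-coded key:", literal)
```

Run against your own release build as a pre-ship check; a hit means the key is readable by anyone who has the file, whether or not the surrounding code is obfuscated.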