Use MSBuild to add a serial number and RSA private keys for each customer's copy of an application

Question

I need to embed private RSA keys in my application. My RSA keys are generated based on a product serial number and option. Example serial#1_opt1.private (this file contains a key I want to embed in the code) serial#1_opt1.public (if the user e.g. a hardware reseller needs access to the a restricted function I send him this file to unlock a particular option) Each customer needs/could need a different set of keys based on the options he is authorized to use.

There are a standard set of features in my application that I want everyone to have (basic control of the hardware) My vision is for the standard set of features the product will have no have a serial number and no embedded keys. So the none of the restricted function[s] will work but all the standard stuff will work. The program will have a version number but no serial number in the about/help section

If I need to enable the the restricted function[s] I compile the program using MSbuild with the serial number I generated for that customer on the command line. MSBuild will take the serial number and embed it where I can access it in my code I'm hoping it will end up in properties.settings file??? and put it in the var named serial number that would be blank by default. Now that MSBuild has put the serial number in the correct place I now want it to go look for the file serial#1_opt1.private with the private key[s] and put it/them somewhere? where I can access them......but hopefully not where they are easily found. When my application runs I use the private keys to encrypt "something" and if the user has the file[s] with the public keys he can decrypt that "something" which will allow him to use that particular option. If he has all the public key files for all the options then he can do anything I can to the hardware......as in screw it up so badly it has to be returned to the factory to be re-calibrated. Can some tell me if this is the correct approach? If not what would be the correct aproach? And if it is how how can I get MSBuild to do these tricks?

Answer 1

why don't go another way:

• embed a public key into your app (or just distribute it openly with your app)
• this public key can be identical for all customers
• if you need to give a customer some spcial option you create an XML
• that XML contains whatever options in a format you define
• that XML can contain anything in cleartext
• you sign that XML (create the signature with your private key which is NEVER distributed)
• your app can verify the XML is genuine by verifying the signature (for this it need the public key)

your customer can't create valid signatures based on the public key... if your hardware has some non-changeable serial number your app can read then I would put this hardware serial number into the XML too... this way one XML file can't be copied/used by different customers...

You can even extend this scheme by supplying customer specific public keys (and keeping the corresponding private keys private)... these can be distributed openly with the app without any need for hiding or MSBUILD trick since the public key being known to anyone is not a security risk at all...

Ideally you sign your app/assembly (for this you need a certificate) which provides some security against tampering with your app/assembly then you have something really solid without need for any "tricks"...