Software license decryption with a public key stored in the application binary

StackOverflow https://stackoverflow.com/questions/14814235

Question

With reference to the answer of this question I can not understand how can the software licensing scheme works if the Private Key is kept on the license server and the public key is shipped in the application executable, and not vice verse.

I'm trying to do the following software licensing scheme:

  1. User gets a Product ID (based on GUID) upon purchase and uses this inside the application to activate it.
  2. The application connects to the license server which sends back encrypted text using RSA public key. This text (license) will be stored on the user's hard disk.
  3. Each time the application starts it needs to decrypt this license using RSA private key, in order to extract different parameters like product edition, product limitations, registered to what company etc.

How can the application decrypt this license text if it does not have the private key but the public key?

Thanks!

EDIT:

  1. If the key used to encrypt the license is available only on the server side and not to the public, can we call this a private key? In this case, if one side has the key for encryption and the other side (the public) has the key for decryption, can the side that has the key for decryption obtain the key for encryption? The concern is based on the various topics on stackoverflow that it's not that difficult to generate the public key given the private key. If you have the private key, you effectively can have both keys.
  2. The idea is that once the software is activated it should no longer need to connect to the license server.
Was it helpful?

Solution

The application should store its details in plain text.

When registering, the server should sign those details (including machine identification) using the private key.

Each time the application starts, it should verify that signature using the public key.

OTHER TIPS

I don't really see the need for all this stuff.

Why not simply establish a connection to the server at validation time, have the server generate a file with all the parameters you want in it (in plain text even) and then have the server sign that file and return it to the software?

The client can read the file, and then simply validate te signature using one of the many digital signature algorithms that are out there.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top