Open noontz opened 9 years ago
Hello,
the discussion is only available/visible to paying customers of Pluralsight. Can you please post some more details here?
Thanks.
Sorry! Here's an extract of the essential part of the discussion. Let me know if something is unclear.

Marco Mansi Mar 20, 2014
@FDeitelhoff @Marco Mansi Thanks for your reply.
I try to explain my concerns better, using the following situation:
Let's say that the public key for my software resides in a config text file, which can be easily changed/overwritten.
Could this situation be possible?

FDeitelhoff Mar 21, 2014
Hi @Marco Mansi,
oh yes. Haven't thought about this scenario yet.
I think this could be a valid attack vector if the public key is changeable.
On the other side: if the attacker has the knowledge to create a new key pair and signature with Portable.Licensing, he's maybe able to decompile your assembly.
But I think the public key should be integrated into the application so these scenarios aren't that easy.
Thanks for mentioning this. I'll keep that in mind in the future and in future courses about this topic.
Cheers,
Fabian

Fedaykin Feb 9, 2015
@FDeitelhoff @Marco Mansi
Hello guys, I came here with this exact scenario in mind, the question: how can I protect my public key from being changed on my software?
Fabian, any updates on this?
Thanks, and congrats on the course.

Steffen DyhrNielsen 3 hours ago
@Fedaykin @FDeitelhoff @Marco Mansi
It seems this situation could be avoided if an encrypted attribute was embedded in the signature?
Only the original license generator code would know how to set this attribute correctly?
So if I understand you correctly, you want to prevent the user from changing the public key that is delivered within your application?
I'm not sure that is feasible (or possible). I'd like to prevent the scenario described by Marco Mansi, and just assume it might be done by embedding a custom encrypted attribute in the license signature.
That case was also asked in issue #11
You cannot make sure that someone can't hack your application on his computer. Even if you sign the assembly and/or encrypt the pub key, how can you ensure that it is not manipulated in memory?
So please read my answer on issue #11 and don't waste too much time in doing stuff that can be cracked.
OK... Thx...
@noontz what kind of application do you have that you think someone will disassemble it and change the pub key or even remove the license check at all?
Is it used in an environment where the user has internet access all the time? Is it a web application or desktop app?
Maybe we can find a solution that is secure enough for your needs.
@dnauck Thanks for stepping in the discussion. I was way too busy due to my studies.
@noontz I think and hope dnauck has answered the question properly from your point of view. This security stuff is a problem and as developers we can't be 100% sure that our application won't be hacked in one way.
I know this specific topic isn't covered well enough in the Pluralsight course. I'm working on a refreshed version and thinking about an additional one for the server side, like self-implemented license servers and so on. But this is just an extra obstacle. Even a remote server can't give us 100% security.
Cheers, Fabian
http://www.pluralsight.com/courses/discussion/licensing-dotnet-applications
Hi.. Guess this discussion actually belongs here.
Is my comment valid?
Cheers and thanks for Portable.Licensing
Steffen
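
Added example (not from the thread and not Portable.Licensing code): the scenario Marco Mansi describes, written in C# with .NET's built-in ECDsa. It compares a check that trusts whatever public key it is handed with one that pins the key to a hash compiled into the application. The method names, the sample license string and the in-process key generation are assumptions made for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; all names and the sample license are hypothetical.
static class LicenseCheckDemo
{
    // Verifies with whatever public key the caller loaded (e.g. from a config file).
    static bool VerifyWithKey(byte[] spki, byte[] license, byte[] sig)
    {
        using var ecdsa = ECDsa.Create();
        ecdsa.ImportSubjectPublicKeyInfo(spki, out _);
        return ecdsa.VerifyData(license, sig, HashAlgorithmName.SHA256);
    }

    // Same check, but refuses any key whose SHA-256 differs from the pinned value.
    static bool VerifyPinned(byte[] spki, byte[] pinnedHash, byte[] license, byte[] sig)
    {
        byte[] actual = SHA256.HashData(spki);
        return CryptographicOperations.FixedTimeEquals(actual, pinnedHash)
            && VerifyWithKey(spki, license, sig);
    }

    static void Main()
    {
        // Constructed sample license payload.
        byte[] license = Encoding.UTF8.GetBytes("customer=Example Ltd;type=Standard");

        // Vendor key pair. The hash of its public key stands in for a constant
        // that would be compiled into the assembly at build time.
        using var vendor = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        byte[] vendorPub = vendor.ExportSubjectPublicKeyInfo();
        byte[] pinnedHash = SHA256.HashData(vendorPub);
        byte[] vendorSig = vendor.SignData(license, HashAlgorithmName.SHA256);

        // A second, unrelated key pair: the "overwritten config file" case.
        using var other = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        byte[] otherPub = other.ExportSubjectPublicKeyInfo();
        byte[] otherSig = other.SignData(license, HashAlgorithmName.SHA256);

        Console.WriteLine($"config key, vendor license : {VerifyWithKey(vendorPub, license, vendorSig)}");
        Console.WriteLine($"swapped key, other license : {VerifyWithKey(otherPub, license, otherSig)}");
        Console.WriteLine($"pinned key, vendor license : {VerifyPinned(vendorPub, pinnedHash, license, vendorSig)}");
        Console.WriteLine($"pinned key, swapped key    : {VerifyPinned(otherPub, pinnedHash, license, otherSig)}");
    }
}
```

As the replies above point out, the pin lives in the same binary as the check, so it raises the effort needed rather than preventing a patched assembly from skipping verification.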