Closed Halecoder closed 1 month ago
Please do not use GitHub issues for support or questions. We have a forum, a Discord, and email for support. GitHub should only be used for issues and feature requests.
Regardless, after verifying the signature of the response, which includes verifying the integrity of the Date header (i.e. it can't be changed without invalidating the signature), you can assert the Date header is within e.g. 5 minutes from the current system time, otherwise reject it as too old. This is something you'll need to do within your own application code. It isn't something we can do for you as an API provider.
As for clock tampering, we have a few tips on that here. Without full control of the system, it's not possible to fully prevent clock tampering 100%.
First of all, thanks for your open-source examples. I borrowed the code from the two libraries below and tested it in the Electron project.
I used the response signature. When I activated the product with the license, I got the headers and content of the response through the packet capture; then I suspended the license in Keygen Cloud, opened the packet capture tool, re-validated the request, and it passed.
I also read the documentation (Keygen is an excellent product). It also mentions replay attacks, and I saw this sentence:
So how do I prevent replay attacks next? How do I verify the time (including preventing the client from modifying the time itself), or does the Keygen server have relevant functionality?