Everything posted by Martin

  1. That would make the whole encryption thing useless. You could simply encrypt by password, and still the only protection is the shared secret, which is statically encoded. If you get to know this secret, then you can easily generate your own pair of public and private keys. Spoof the license server and use your own private key to generate the signature. Then you would just use your own public key. The private/public key encryption literally makes no sense at all, as you can simply replace it with your own keys. The only protection is the secret that you probably share across all installations. The only way signatures can be trustworthily verified is to not allow the user to change/replace the public key.
  2. Hi Paul, that means the only real protection is a secret in the code. Theoretically, as a not so nice guy, you could set up your own license server that generates the signature and data by simply changing the public/private key on both ends. Then spoof the server to your own license server with your own private key. The only thing preventing further spoofing is a shared secret implemented in the code of the application. Am I correct?
  3. Hi, according to the following blog post from 2011, https://www.blesta.com/2012/03/30/blesta-3-0-software-licensing/, this is how the licensing addon works. I've been wondering and can't get around how the public key is stored safely. Imagine the following situation: you write an application and encrypt it with Ioncube/Zend, then you have the Blesta API send you the public key and you store it in the database of the installation. Then the rest of the licensing works as supposed. Now someone gets the idea and changes the public key saved in the database; he spoofs the server and uses his own private key to generate a signature. What would prevent this (except encryption of transmitted data by a password that is set in the product itself)? I want to avoid storing encryption keys/passwords etc. in the software itself.
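
The point made in the first post (the verifier must not let the user replace the public key) can be shown by pinning the key's fingerprint, which is a public value and not a secret, inside the application. This is an added example, not part of the original posts and not Blesta's code; it uses textbook RSA with small constructed primes for illustration only, and every name in it (`check_from_db`, `check_pinned`, `license_pubkey`) is hypothetical.

```python
import hashlib

# Textbook RSA over small constructed primes: illustration only, not secure.
def make_key(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"pub": (n, e), "priv": (n, pow(e, -1, phi))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def fingerprint(pub):
    return hashlib.sha256(repr(pub).encode()).hexdigest()

VENDOR = make_key(2**61 - 1, 2**127 - 1)  # constructed vendor key pair
# Shipped inside the (encoded) application code; public, so nothing to keep secret.
PINNED_FP = fingerprint(VENDOR["pub"])

def check_from_db(db, data, sig):
    """Trusts whatever public key is stored in the installation's database."""
    return verify(db["license_pubkey"], data, sig)

def check_pinned(db, data, sig):
    """Refuses a stored key whose fingerprint differs from the pinned one."""
    pub = db["license_pubkey"]
    return fingerprint(pub) == PINNED_FP and verify(pub, data, sig)

def demo():
    data = b"domain=example.test;status=active"  # constructed license payload
    db = {"license_pubkey": VENDOR["pub"]}
    genuine = sign(VENDOR["priv"], data)
    out = {"genuine_db": check_from_db(db, data, genuine),
           "genuine_pinned": check_pinned(db, data, genuine)}
    # Stored key replaced, response signed with the matching non-vendor key.
    other = make_key(2**89 - 1, 2**107 - 1)
    db["license_pubkey"] = other["pub"]
    swapped = sign(other["priv"], data)
    out["swapped_db"] = check_from_db(db, data, swapped)
    out["swapped_pinned"] = check_pinned(db, data, swapped)
    return out
```

The pinned check only moves trust from the database into the application code, so its strength is that of the code's integrity protection.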