Martin

Posts posted by Martin

  1. On 7.11.2017 at 12:29 AM, Paul said:

    The license server has the private key, so the client (public key) can decrypt but not encrypt license data. This makes it difficult to spoof, as only the license server can sign messages, and there is no need to encrypt the public key; it's the public key. You can't simply spoof the license server and generate new keys because there is also a shared secret that is embedded in your code, which you would ideally encode before distribution.

    That would make the whole encryption thing useless. You could simply encrypt by password, and still the only protection is the shared secret, which is statically encoded.

    If you get to know this secret, then you can easily generate your own pair of public and private keys. Spoof the license server and use your own private key to generate the signature. Then you would just use your own public key.

    The private/public key encryption literally makes no sense at all, as you can simply replace it with your own keys.

    The only protection is the secret that you probably share across all installations.

    The only way signatures can be verified trustworthily is to not allow the user to change/replace the public key.

  2. Hi Paul, that means the only real protection is a secret in the code. Theoretically, as a not-so-nice guy, you could set up your own license server that generates the signature and data by simply changing the public/private key on both ends. Then spoof the server to your own license server with your own private key.

    The only thing preventing further spoofing is a shared secret implemented in the code of the application.

    Am I correct?

  3. Hi,

    according to the following blog post from 2011, https://www.blesta.com/2012/03/30/blesta-3-0-software-licensing/, that is how the licensing addon works. I've been wondering and can't get around how the public key is stored safely.

    Imagine the following situation:

    You write an application and encrypt it with Ioncube/Zend, then you have the Blesta API send you the public key and you store it in the database of the installation. Then the rest of the licensing works as supposed.

    Now someone gets the idea to change the public key saved in the database; he spoofs the server and uses his own private key to generate a signature. What would prevent this (except encryption of transmitted data by a password that is set in the product itself)? I want to avoid storing encryption keys/passwords etc. in the software itself.
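The key-swap attack described in post 3 and elaborated in post 1 (generate your own key pair, sign a forged license with your own private key, overwrite the public key the application keeps in its database) can be played out end to end. The following is an added example written for this page; it is not Blesta's code and does not reproduce the scheme from the linked blog post. It assumes Ed25519 signatures (any signature scheme behaves the same way for this argument), a constructed `domain=...;expires=...` license payload, and a mitigation that is one concrete form of Martin's conclusion: the application verifies the database-stored key against a SHA-256 hash of the vendor's key that is compiled into the code, so a swapped key is rejected before the signature is even checked.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// licenseServer holds a signing key. The vendor's server and the attacker's
// rogue server are the same struct; only the key pair differs.
type licenseServer struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func newLicenseServer() (*licenseServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &licenseServer{priv: priv, pub: pub}, nil
}

// issue signs a license payload (payload format is a constructed example).
func (s *licenseServer) issue(payload []byte) []byte {
	return ed25519.Sign(s.priv, payload)
}

// client models the installed application.
type client struct {
	// storedPub is the public key fetched from the license server and saved in
	// the installation's database; anyone with database access can replace it.
	storedPub ed25519.PublicKey
	// pinnedHash is SHA-256 of the vendor's public key, assumed to be compiled
	// into the (encoded) application code rather than stored in the database.
	pinnedHash [sha256.Size]byte
}

// verifyStoredOnly trusts whatever public key is currently in the database.
func (c *client) verifyStoredOnly(payload, sig []byte) bool {
	if len(c.storedPub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(c.storedPub, payload, sig)
}

// verifyPinned first checks that the stored key is the one the code was built
// to trust, then verifies the signature with it.
func (c *client) verifyPinned(payload, sig []byte) bool {
	if len(c.storedPub) != ed25519.PublicKeySize {
		return false
	}
	got := sha256.Sum256(c.storedPub)
	if subtle.ConstantTimeCompare(got[:], c.pinnedHash[:]) != 1 {
		return false
	}
	return ed25519.Verify(c.storedPub, payload, sig)
}

// RunScenario plays out the attack and returns the four verification results:
// legitimate license against the stored key and against the pinned key, then
// the forged license (after the key swap) against each check.
func RunScenario() (legitStored, legitPinned, forgedStored, forgedPinned bool, err error) {
	vendor, err := newLicenseServer()
	if err != nil {
		return
	}
	app := &client{storedPub: vendor.pub, pinnedHash: sha256.Sum256(vendor.pub)}

	license := []byte("domain=example.com;expires=2018-12-31") // constructed payload
	sig := vendor.issue(license)
	legitStored = app.verifyStoredOnly(license, sig)
	legitPinned = app.verifyPinned(license, sig)

	// Attacker: own key pair, forged license, then the database edit.
	rogue, err := newLicenseServer()
	if err != nil {
		return
	}
	forged := []byte("domain=example.com;expires=2099-12-31") // constructed payload
	forgedSig := rogue.issue(forged)
	app.storedPub = rogue.pub // overwrite the public key row in the database

	forgedStored = app.verifyStoredOnly(forged, forgedSig)
	forgedPinned = app.verifyPinned(forged, forgedSig)
	return
}

func main() {
	ls, lp, fs, fp, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legitimate license: stored-key check=%v pinned-key check=%v\n", ls, lp)
	fmt.Printf("forged license after key swap: stored-key check=%v pinned-key check=%v\n", fs, fp)
}
```

The stored-key-only check accepts the forgery, which is the attack from post 3; the pinned check rejects it. Note what the pin does and does not buy: the hash in the code is just another value the attacker must be unable to edit, so it is only as strong as the code encoding (Ioncube/Zend) protecting it, exactly like the shared secret post 1 describes. It moves the trust root out of the database, but it does not remove the need for something immutable inside the shipped software.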
