  • 0

Licensing Addon Question


Martin

Question

Hi,

According to the following blog post from 2011, https://www.blesta.com/2012/03/30/blesta-3-0-software-licensing/, that is how the licensing addon works. I've been wondering and can't get around how the public key is stored safely.

Imagine the following situation:

You write an application and encrypt it with Ioncube/Zend, then you have the Blesta API send you the public key and you store it in the database of the installation. Then the rest of the licensing works as supposed.

Now someone gets the idea to change the public key saved in the database, spoof the server and use his own private key to generate a signature. What would prevent this (except encryption of the transmitted data with a password that is set in the product itself)? I want to avoid storing encryption keys/passwords etc. in the software itself.

 


7 answers to this question


  • 1
1 hour ago, Martin said:

That would make the whole encryption thing useless. You could simply encrypt by password and still the only protection is the shared secret, which is statically encoded.

If you get to know this secret then you can easily generate your own pair of public and private keys. Spoof the license server and use your own private key to generate the signature. Then you would just use your own public key.

The private/public key encryption literally makes no sense at all as you can simply replace it with your own keys.

The only protection is the secret that you probably share across all installations.

The only way signatures can be verified trustworthily is to not allow the user to change/replace the public key.

All licensing can be circumvented. Replacing keys with your own keys is not simple; most people do not have the expertise to do that and to spoof a license server. And none of that can be done without decoding the files first. Files must be decoded for that (in the case of Blesta, the 3 license files). Reverse engineering the code for ANY software product allows for nulling the software. It's much easier to null it than to spoof a license server, so nobody is going to do that unless for research.

If you find a way to prevent piracy 100%, let me know privately and let's become billionaires together.

We have circumvented 2 of our competitors (one rhymes with wimps and the other thinks they are an executive) without decoding. None of the techniques required to circumvent their licensing work on Blesta, and once the code is reverse engineered, it's trivial to null any software.


  • 0

The license server has the private key, so the client (public key) can decrypt but not encrypt license data. This makes it difficult to spoof, as only the license server can sign messages, and there is no need to encrypt the public key, it's the public key. You can't simply spoof the license server and generate new keys because there is also a shared secret that is embedded in your code, that you would ideally encode before distribution.


  • 0

Hi Paul, that means the only real protection is a secret in the code. Theoretically, as a not so nice guy you could set up your own license server that generates the signature and data by simply changing the public/private key on both ends. Then spoof the server to your own license server with your own private key.

The only thing preventing further spoofing is a shared secret implemented in the code of the application.

Am I correct?


  • 0
On 11/7/2017 at 12:25 AM, Martin said:

The only thing preventing further spoofing is a shared secret implemented in the code of the application.

If you are using the module as is, that is the only part that is really stopping you from using a different license server. Once the public key is pulled/saved it becomes a bit harder to switch as well, unless you are clearing the locally stored info.


  • 0

Can we be done with a theme with automatic updater, license key generation & checking, via the Licensing Addon?

License key generation
Remote license activation
Remote license deactivation
Remote license checking
Automatic upgrade system for WP plugins and themes
License activation logs
Automatic license expiration
Automatic license renewal reminders
License upgrades system
Integrates with Recurring Payments for automatic license renewals
The license is locked to a single domain and folder. If the site is moved they will need to reissue the license.


  • 0
On 7.11.2017 at 12:29 AM, Paul said:

The license server has the private key, so the client (public key) can decrypt but not encrypt license data. This makes it difficult to spoof, as only the license server can sign messages, and there is no need to encrypt the public key, it's the public key. You can't simply spoof the license server and generate new keys because there is also a shared secret that is embedded in your code, that you would ideally encode before distribution.

That would make the whole encryption thing useless. You could simply encrypt by password and still the only protection is the shared secret, which is statically encoded.

If you get to know this secret then you can easily generate your own pair of public and private keys. Spoof the license server and use your own private key to generate the signature. Then you would just use your own public key.

The private/public key encryption literally makes no sense at all as you can simply replace it with your own keys.

The only protection is the secret that you probably share across all installations.

The only way signatures can be verified trustworthily is to not allow the user to change/replace the public key.

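The exchange above (Martin's key-swap scenario, Paul's point about the embedded shared secret, and Martin's conclusion that the public key must not be replaceable) as an added, runnable model. This is example code written for this page, not Blesta's licensing addon or any of the posters' code. It uses textbook RSA over fixed, publicly known Mersenne primes with no padding, SHA-256 as the hash, JSON as the message encoding, and a constructed shared secret and license record; every name in it (LicenseServer, Client, run_scenarios, the key/domain values) is an assumption made for the illustration, and none of it is safe to use as real crypto.

```python
"""Toy model of a signed-license check and the public-key-swap attack.

Textbook RSA with fixed Mersenne primes and no padding: illustration only.
Keys, secret and license data are all constructed for this example.
"""
import hashlib
import hmac
import json

# Well-known Mersenne primes; each modulus is > 2**256 so an unpadded
# SHA-256 digest taken as an integer lies below n.  e=65537 is coprime to
# both phi values (65537 | 2**k-1 only when 32 | k, and 32 divides none of
# 126, 520, 106, 606).
P_VENDOR, Q_VENDOR = (1 << 127) - 1, (1 << 521) - 1
P_ROGUE, Q_ROGUE = (1 << 107) - 1, (1 << 607) - 1
E = 65537


def keypair(p, q):
    """Return ((n, e), (n, d)); pow(e, -1, phi) needs Python 3.8+."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def fingerprint(pub):
    """Hash of the public key: short enough to pin in (encoded) code."""
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()


def canon(data):
    """Canonical bytes of the license record, so both sides hash the same thing."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def sign(priv, data):
    n, d = priv
    h = int.from_bytes(hashlib.sha256(canon(data)).digest(), "big")
    return pow(h, d, n)


def verify(pub, data, sig):
    n, e = pub
    h = int.from_bytes(hashlib.sha256(canon(data)).digest(), "big")
    return pow(sig, e, n) == h


class LicenseServer:
    """Whoever runs this holds a private key; the genuine vendor also holds the
    shared secret that Paul says is embedded in the encoded client code."""

    def __init__(self, priv, shared_secret=None):
        self.priv, self.secret = priv, shared_secret

    def respond(self, license_key, domain):
        data = {"key": license_key, "domain": domain, "status": "valid"}
        resp = {"data": data, "sig": sign(self.priv, data)}
        if self.secret is not None:
            resp["mac"] = hmac.new(self.secret, canon(data), "sha256").hexdigest()
        return resp


class Client:
    """self.db models the installation's database row (attacker-writable);
    pinned_fp and shared_secret model values that live only in the code."""

    def __init__(self, db_pubkey, pinned_fp=None, shared_secret=None):
        self.db = {"pubkey": db_pubkey}
        self.pinned_fp, self.secret = pinned_fp, shared_secret

    def check(self, resp):
        pub = self.db["pubkey"]
        # Pin: refuse any DB key whose fingerprint is not the one baked into code.
        if self.pinned_fp is not None and fingerprint(pub) != self.pinned_fp:
            return False
        # Signature check against whichever key the DB currently holds.
        if not verify(pub, resp["data"], resp["sig"]):
            return False
        # Shared-secret MAC: only a server knowing the secret can produce it.
        if self.secret is not None:
            want = hmac.new(self.secret, canon(resp["data"]), "sha256").hexdigest()
            if not hmac.compare_digest(want, resp.get("mac", "")):
                return False
        return True


def run_scenarios():
    """Returns whether the license check passes in each situation from the thread."""
    vendor_pub, vendor_priv = keypair(P_VENDOR, Q_VENDOR)
    rogue_pub, rogue_priv = keypair(P_ROGUE, Q_ROGUE)
    secret = b"constructed-shared-secret"            # constructed for the example
    vendor = LicenseServer(vendor_priv, secret)
    rogue = LicenseServer(rogue_priv)                 # spoofed server, secret unknown
    rogue_leaked = LicenseServer(rogue_priv, secret)  # spoofed server after decoding the code
    args = ("ABC-123", "example.test")
    out = {}

    c = Client(vendor_pub)                            # key only in the DB
    out["genuine"] = c.check(vendor.respond(*args))
    c.db["pubkey"] = rogue_pub                        # attacker edits the DB row
    out["swap_key_plain"] = c.check(rogue.respond(*args))

    c = Client(vendor_pub, pinned_fp=fingerprint(vendor_pub))
    c.db["pubkey"] = rogue_pub
    out["swap_key_pinned"] = c.check(rogue.respond(*args))

    c = Client(vendor_pub, shared_secret=secret)
    c.db["pubkey"] = rogue_pub
    out["swap_key_mac_no_secret"] = c.check(rogue.respond(*args))
    out["swap_key_mac_secret_known"] = c.check(rogue_leaked.respond(*args))
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

Reading the result: with the public key held only in the database, the swapped key plus a spoofed server passes the check, which is exactly Martin's objection. Pinning the key's fingerprint in the code stops that swap, and a shared-secret MAC stops it only for as long as the secret stays inside the encoded files; once someone has decoded them and recovered the secret, the spoofed server passes again, which is the point Paul concedes about nulling.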
