1

After reading this post regarding the use ECC to implement the hashing using aa private key I set about trying to find an implementation of ECDH and came across BoucyCastle.

Unfortunately documentation is minimal (as in zerow!) and I'm unsure what I'm about to accomplish is completely correct/valid.

We want to simply hash 4 strings which will be the users registration information (Name, Company, their company ID and their account ID which are both 12 characters long) which will then compute a serial they can use to activate our software.

I have generated a key pair using PUTTYGEN.exe but I cannot workout how to apply this with BouncyCastle, which class can I use to get started? Are there any examples out there?

So far I've concatenated the information and computed a MD5 hash of it (using the .NET classes) I cannot use the new VISTA enhanced API functions as we target XP still - .NET 3.5.

Anyone have any ideas?

Community
  • 1
  • 1
Sarah Fordington
  • 439
  • 1
  • 6
  • 12
  • As an aside, what's to stop someone from replacing the public key used to verify the license information? I wouldn't go too far out of your way on this, since breaking the scheme wouldn't be difficult. If you're more familiar with another library or authentication scheme, use that instead. – erickson Dec 20 '09 at 06:02
  • Actually I thought of the same thing but I figured it couldn't be that easy to fool. I guess not! What does everyone think of the Xml Digital Signature that jspcal mentioned? – Sarah Fordington Dec 20 '09 at 12:19
  • Of course it's that easy to fool. That's why there is no viable DRM scheme. – erickson Dec 23 '09 at 05:07

2 Answers2

0

I think .NET has the RSACryptoServiceProvider class which is a full RSA implementation.

There's sample code for your particular application here:

http://www.codeproject.com/KB/security/xmldsiglic.aspx

In this example they use MS's sn.exe tool to create the key.

jspcal
  • 50,847
  • 7
  • 72
  • 76
0

So far I've concatenated the information and computed a MD5 hash of it (using the .NET classes).....
That statement in itself worries me. MD5 is seriously crackable - not just theoretically but practically. Please, please don't use MD5 for secure hashing. Use SHA-256 or SHA-512 and here's why

Also the post you linked is not quite true - yes symmetric algorithms use the same key to encrypt/decrypt but public/private key is not a magic bullet.

1) Public/private key is slow
2) Most publicc/private algorithms just encrypt the symmetric key and then use symmetric encryption for the data because it's much faster

The point is that a good hashing algorithm is non-reversible and hence very difficult to crack so is perfectly fine for your purposes. However, I'd suggest using a SALT, which is a cryptographically random number to add to your user data then hash that data as it makes your data much safer against dictionary attacks ( where hackers use well know terms and variants to crack passwords )

zebrabox
  • 5,694
  • 1
  • 28
  • 32