
Over the past several days I have been reading quite a few posts on the topic of RSA encryption. I have learned quite a bit, but unfortunately, as this is new to me, I am still neck deep in new information and trying to get everything sorted out.

For some background, here are the posts / articles I have read and am drawing upon to create my own solution (in no particular order).

One, Two, Three, Four, and others.

This one was by far the most helpful to me.

I actually have a shaky grasp on the process now, which leads me to my next phase... splitting the process up. See, I found these two posts about using RSA for licensing, which is my end game: License1, License 2. Link 1 had a CodeProject download that I downloaded, and it was helpful.

I was thinking (definitely open to suggestion) to have a split licensing scheme.

I have several plugins / widget things that enhance web sites. I was going to publish the public key in the plugin.

The plugin would then "phone home" with the public key, and my server would take the public key, match it up, and provide an "authorization" token for a period of time... trial period, 1 year subscription, etc.

The question for me comes in as the CodeProject download in License1 above has additional components to the "public" portion, like a hardware signature.

I understand the idea of a hardware signature, but I am not sure how it fits in with the rest of the RSA scheme.

So, in conclusion, do I understand correctly that RSA will just encrypt the data over the wire and I still need to have some form of licensing? That being true, my license request from the client could be encrypted using the embedded public key. It would be decrypted at the server and interpreted, but then the response back to the requestor would be unencrypted?

Or else I have to publish the RSA encryption / decryption process, as well as the public and private key, in the plugin / widget??

What am I missing?

Thank you
GPGVM
  • Downvote... care to comment? If this is such a dumb or off-topic question..... educate me. – GPGVM Nov 04 '14 at 16:06
  • I wasn't the downvoter, but I totally agree that your question is poorly formulated: it's not clear what exactly you are asking about (at least without reading all those articles), besides wanting someone to architect a licensing schema for you. Only after reading the answer by *Jim Flood* did it become apparent that you were simply confused about where to place your private and public keys. – Anton Samsonov Nov 05 '14 at 17:57
  • @anton Thank you for the feedback. Now I can reread and learn how to better formulate my question. – GPGVM Nov 05 '14 at 18:22

1 Answer

Have your server sign a license token using an RSA private key which remains under lock and key on your server. Embed the public key in your app. Now, with the public key, which anybody can see, your app can verify the signature on the license token and know that it came from the server. There is no need to encrypt anything.

Do not ever embed the private key in the app. This is completely insecure. Given only the private key, it is trivial to calculate the public key.

Jim Flood
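The split the answer describes, as an added example that is not from the answer or from any of the linked projects: the server signs a license token with its private key, and the plugin, holding only the public key, verifies the signature and the expiry. It uses Go's standard library (RSA-PSS over a SHA-256 digest); the `License` fields and function names are assumptions made for this illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// License is the token body the server signs; Expires bounds the trial or
// subscription period. The field names are assumptions for this example.
type License struct {
	Product string    `json:"product"`
	Expires time.Time `json:"expires"`
}

// NewServerKey makes the server key pair; only PublicKey ships in the plugin.
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// IssueLicense runs on the server: serialise the license and sign its
// SHA-256 digest with RSA-PSS. Returns the body and a detached signature.
func IssueLicense(priv *rsa.PrivateKey, lic License) (body, sig []byte, err error) {
	if body, err = json.Marshal(lic); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(body)
	sig, err = rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	return body, sig, err
}

// VerifyLicense runs in the plugin with only the public key. It accepts the
// token only if the signature is valid for this body and the period is not over.
func VerifyLicense(pub *rsa.PublicKey, body, sig []byte, now time.Time) (*License, error) {
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	var lic License
	if err := json.Unmarshal(body, &lic); err != nil {
		return nil, err
	}
	if now.After(lic.Expires) {
		return nil, fmt.Errorf("license expired on %s", lic.Expires.Format(time.RFC3339))
	}
	return &lic, nil
}
```

Nothing in the token is secret, so it travels in the clear; any change to the body, or a token signed by some other key, fails `VerifyLicense`.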