I need to generate a license key for an application. I thought about using RSACryptoServiceProvider, but I noticed that the private key generated using ToXmlString(true) also contains the public key. The problem is that the application will be stored on the clients' servers and I don't want them to be able to generate their own license key using the public key part from the key I generated.

For example, if I have this private key:

<RSAKeyValue>
  <Modulus>mqZY4yfKdHJ6gl/5elFgSXnDLztsj6fpCmjNymYyeWa/4qVA66fydrAE5Rl2OVoNCRUTpCUM8paZxh2eqza5lETYRdfRw+4FNu2rO13synPTKirck0JucCDXytQBZZnD4SFCljJr3NDlYveuEk7NsdeIsHYypXvPtURhkDtDGG8=</Modulus>
  <Exponent>AQAB</Exponent>
  <P>zD53GW+HevT5SaWsvLwoT/qUO5MZXgbg7ME1OLwmzd99nRZuIayhLrkYZ9MWNnL2BWLGcRbj7GlOXUY2ouqsfQ==</P>
  <Q>wdamjYch6EQgXDe6lA/zb8lAWxO+Djjkrtda2cjwXrMoLbJUKVo3z/pmWCnNX9I3v5PtM8YoL4Pp6zXcVuloWw==</Q>
  <DP>L7goe3jjXob994cN5MrRYF5bY8/qjV1uD+LUXH0ZU+BzqNAkyxlaT2BPo3JeLjqN4JRDaQjAF+xCsuhEu6u4wQ==</DP>
  <DQ>umTai8WiCWNZatP8Cly8ToZL6Ei3vZ1f6fEUX9AltCq7PBX7cDhc6xVyTN0FrFrNWN+6fMrT4b0Lty53zutreQ==</DQ>
  <InverseQ>g+DldM+/FD/3vEop5o4T2xjL8SIYSFY3kjPIrIxFkzpVGb98jHYT+JNjdezw2n78AawqUhRBLCgDnC6K2YmINQ==</InverseQ>
  <D>Crtoh7sHLbWUEuAeLALhr7end+ujyQRaA8LqJRWagxpCTrQxISlyhhIJBO0Taz94kBzKVCXOFDenTDxZ+n+9uRS9zlg1nE3thEqrWf/fOMB+H+49HF/stSCyFp2+xqKFPBzwL2hrdixsEe5beWaM8r1nLChKzG3/BbVlY5/a2GE=</D>
</RSAKeyValue>

Is there a way to decrypt without it having the modulus and exponent tags in it?

Artjom B.
Liviu Boboia
  • It is stupid to use PKI for licenses in .Net app. It can be decompiled easily and the licensing system will be broken. Use AES key embedded in application. – i486 May 26 '15 at 12:48

1 Answer

You can only decrypt data if you have the private key. So I would prefer not to pass the key to your client devices. Otherwise anyone could get access to the pk and create its own license. It would make more sense to create your license and sign it with your private key. Your client application will then check the valid signature only - I think this is best practice from what I have seen on several licensing service implementations.

Sebastian
  • My problem is that I also need to encode some data inside the license key – Liviu Boboia Jan 12 '15 at 12:20
  • Why do you need to encode it? I can only imagine license details, that both you and your customer know - so signing the details should be 'safe' from manipulation, since you are the only one to sign them with your private key. Or what do you mean? – Sebastian Jan 12 '15 at 12:23
  • The application is split into modules and I need to encode the number of users for each of the modules and the date until the license is valid – Liviu Boboia Jan 12 '15 at 12:29
  • But why do you need to encode it? It might be cleartext or xml or whatever your application may parse - you only have to check if the license content has a valid signature. – Sebastian Jan 12 '15 at 12:31
  • The application will be deployed on the clients' servers, the database will also be there, so I need a way to see if they didn't add more users than they have bought licenses for. – Liviu Boboia Jan 12 '15 at 12:36
  • This will be ensured by the signature - if they change values inside your content section, the signature will not match. Look here: http://stackoverflow.com/questions/8437288/signing-and-verifying-signatures-with-rsa-c-sharp for code samples – Sebastian Jan 12 '15 at 12:38
  • I think I get it now: I give them the original message and the signed message, verify it, and then I parse the original message – Liviu Boboia Jan 12 '15 at 12:51
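
The sign-then-verify scheme discussed in the answer and its comments, as an added example that is not code from the original posts: the vendor signs a cleartext license with the private key, and the deployed application carries only the ToXmlString(false) export and verifies before parsing. The key is generated fresh here, and the license fields (ModuleA, ModuleB, ValidUntil) and their format are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LicenseDemo
{
    // Vendor side: the private key XML never leaves the vendor's machine.
    static byte[] Sign(string licenseText, string privateKeyXml)
    {
        using (var rsa = new RSACryptoServiceProvider())
        {
            rsa.FromXmlString(privateKeyXml);
            return rsa.SignData(Encoding.UTF8.GetBytes(licenseText),
                                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    // Client side: holds Modulus and Exponent only, so it can verify but not sign.
    static bool Verify(string licenseText, byte[] signature, string publicKeyXml)
    {
        using (var rsa = new RSACryptoServiceProvider())
        {
            rsa.FromXmlString(publicKeyXml);
            return rsa.VerifyData(Encoding.UTF8.GetBytes(licenseText), signature,
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static void Main()
    {
        string privateXml, publicXml;
        using (var rsa = new RSACryptoServiceProvider(2048))
        {
            privateXml = rsa.ToXmlString(true);   // full key pair: keep secret
            publicXml = rsa.ToXmlString(false);   // public part: embed in the application
        }
        // Constructed license text: per-module user counts and an expiry date.
        string license = "ModuleA=25;ModuleB=10;ValidUntil=2030-12-31";
        byte[] signature = Sign(license, privateXml);

        Console.WriteLine("original verifies: " + Verify(license, signature, publicXml));
        string tampered = license.Replace("ModuleA=25", "ModuleA=500");
        Console.WriteLine("tampered verifies: " + Verify(tampered, signature, publicXml));

        // Parse the fields only after the signature has verified.
        if (Verify(license, signature, publicXml))
            foreach (string field in license.Split(';'))
                Console.WriteLine(field.Split('=')[0] + " -> " + field.Split('=')[1]);
    }
}
```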