0

I also posted this thread on Unity's forum, but as it's more server/crypto oriented I'll ask here aswell.

As mentionned in the title, I'm using unity as a client, and connect to a nodeJS server using socket.io (with BestHTTP asset).

What I want to achieve : user1 get a license key (by email or w/e) that was signed by my server, enter the key in the app, client ask the server if the key is valid and has been signed, and if so user1's computer can play. This will only require an internet connexion when "registering" the license key, and then I'd store the key in a hashed file or something so user1 can play without contacting the server everytime. Simplified version : user1 only need to be connected once (the first time he launch the app), but I need to check at every launch if he's allowed to play.

Client-side (in Unity c#) is working fine, what I do is basically hashing the key and storing it in a file, then hashing that file to verify users don't modify it.

But then, I don't know what to do on server-side. Are there API that can achieve what I want to do ? Am I going in a wrong direction ? That's the first time I'm dealing with crypto, and I'm a bit lost :confused:

Any help would be greatly appreciated !

Jichael
  • 820
  • 6
  • 17
  • Can you please add your code to the question? What did you already try? What part of your proposed architecture is not clear to you? – n0idea Feb 14 '19 at 12:25
  • All the code already used is working, that is not the problem. I'm looking for a way to sign data server-side and verify it client-side without the need of being connected to internet, and don't know what I should use or if it is the good approach / if there is another way to do what I want. – Jichael Feb 14 '19 at 12:34

1 Answers1

1

Premise

Licensing your software can be either a simple or a pretty complex task: there's no "perfect" answer to that request, basically because every solution you'll choose will be "hackable" in some (easy or hard) way.

Plus, especially when dealing with cryptography, usually increasing complexity equals increasing time. What I'd suggest you is to focus on the value of what you're trying to protect, so you can decide what is worth implementing.

Licensing

Probably the easiest way is to implement a digitally-signed certificate that contains all the info about the licensed software (including other data that will help your system identify malicious behaviours). Using RSA should be a good way to go.

Here's a good answer that I found here on Stack Overflow about that idea (it is written in C# but you can analyze the architecture and build a nodejs app).

n0idea
  • 732
  • 1
  • 5
  • 14