5

I'm writing a web app in ASP.Net that creates a licence key for a Windows app written in Delphi. For simplicity I'm going to use a email address and date.

I want to encrypt it in C# and email that info to the person then when the Windows app starts up the person enters in the encrypted string.

Every time the Windows app starts it checks that licence by decrypting it and comparing to todays date.

How can I do this to ensure the C# encryption will decrpyt succesffuly in Delphi?

Jon
  • 38,814
  • 81
  • 233
  • 382
  • 10
    Use a standard algorithm. – Nate Jun 02 '11 at 19:40
  • 5
    For this level of security you may as well use ROT-13. There are licensing tool sets on the market ([e.g.](http://www.ionworx.com/icelicense.html)), for those who wish to pay for them. But if you're going to roll your own scheme, why bother with strong encryption? It doesn't help you if the rest of the security chain is weak. – Craig Stuntz Jun 02 '11 at 19:59
  • 1
    I agree with Craig and think that you don't need strong encryption alone. Although he has put this almost flippantly, really, it sounds like you're thinking that you can simply flip some encryption in there and have some kind of DRM/Activation system? That's a LOT more involved than simply encrypting something in C# and decrypting it in Delphi. – Warren P Jun 03 '11 at 04:35

4 Answers4

8

AES for Delphi and AES for C#.

Community
  • 1
  • 1
Farshid Zaker
  • 1,960
  • 2
  • 22
  • 39
8

"the world was full of bad security systems designed by people who read Applied Cryptography"

While the trivial answer is 'use the same algorithm and make sure you have the same keys and initial vector', this answer only exposes the true problem you are going to have: How are you going to protect the encryption key? Mail it along with the license? Embed it in the application? The truth is that there is no protocol that can bootstrap itself w/o a root of trust, either a public trusted authority or a shared secret. A shared secret is easy to code, but complete useless in practice (which means AES, 3DES, XDES or any other similar cipher are not the answer), so you need an scheme that starts based on public key cryptography. For such, to encrypt something for the beneficiary of the license, you need the public key of the said beneficiary, which would make provisioning difficult (license site sends public key, you encrypt license, send email etc). It is much better to send the license in clear text, but signed with your private key. Then your application can validate the signature on the license and use it, if not tampered with.

S-MIME is such a scheme. PGP is just as good. Writing your own code in C# and Delphi is possible, but strongly discouraged. See Cryptographic Signatures.

Remus Rusanu
  • 288,378
  • 40
  • 442
  • 569
2

You can use standard RSA or DSA signature algorithms to do what you want. For C#, these are standard algorithms built into the runtime. For Delphi, you have some choices. See Free Encryption library for Delphi.

Once you have chosen an encryption library for Delphi, you can now do the following:

  1. The C# server signs the user's e-mail address and date using the chosen signature algorithm with your private key.
  2. The Delphi client verifies the license using the same signature algorithm.
  3. Once the Delphi client knows the signature is valid, you can then test the e-mail address / date and decide whether or not to allow your program to run.

I have done exactly the kind of signature verification you want/need using the DSA algorithm, LockBox, and C#.

One thing to be aware of is that C# encryption uses big-endian numbers, while LockBox / Windows CryptoAPI uses little-endian numbers. This probably means you need to reverse endian-ness of both the public key variables and the signature itself before sending it to the Delphi client for verification. Check your crypto library documentation.

One last note: others have proposed using symmetric encryption algorithms like AES / 3DES / etc. The problem with this approach is that your "secret" encryption key is shared between server and client. It is possible that someone could recover the key by reverse-engineering your compiled EXE and then create a "key generator" - a worst-case scenario being a fake activation server that passes out "authentic" encrypted licenses. By using assymetric crypto and keeping the private key secret, you won't have this problem. Users would have to crack every new version of your EXE or else pass around signed authentic licenses - much more inconvenient.

Community
  • 1
  • 1
James Johnston
  • 9,264
  • 9
  • 48
  • 76
  • More or less. I used it for verifying signatures on EXE files for an automatic update feature - to be sure that the updates were authentic. The principles are the same and the code could easily be adapted for your application - just sign / check e-mail address & date instead of the EXE file. One other difference is that I actually used C++ Builder instead of Delphi - but the library I used - LockBox - can be used with either and the code would be the same. – James Johnston Jun 02 '11 at 20:28
-1

Use the same encryption / decryption algorithm in both delphi and c#.

You can either find the code for an encryption algorithm for C# and then convert the code in the decryption algorithm into Delphi. Likely if you pick a popular encryption you'll be able to find both encryption and decryption algorithms already in many different languages.

Tim
  • 1,549
  • 1
  • 20
  • 37
  • Is there not a standard one that I can use in both languages. Dont want to write my own algorithm – Jon Jun 02 '11 at 19:59