Re: [little OT] Licensing/Implementing in Cocoa/Obj-C
Re: [little OT] Licensing/Implementing in Cocoa/Obj-C
- Subject: Re: [little OT] Licensing/Implementing in Cocoa/Obj-C
- From: Michael Hall <email@hidden>
- Date: Tue, 20 Apr 2004 11:32:29 -0500
On Tuesday, April 20, 2004, at 06:18 AM, Nicko van Someren wrote:
(see the paper I wrote with Adi Shamir on the subject[2]).
...
[1]
file:///Developer/Documentation/Security/Reference/
certifkeytrustservices/index.html
[2] http://www.ncipher.com/scripts/download.php?document=40 (sorry,
you have to register to get the paper here)
[3] http://pari.math.u-bordeaux.fr/
Maybe because I have done more java coding than about anything else
lately but my thought to how I would do this is put the license or key
in a zip or jar file.
Maybe because I have some code that I think is better able to update
zip and jar files than the standard java classes. In this way making
them more suitable as actual data files than simply as archive files. I
had looked at code at one point where you would have a 'resource' zip
or jar file that somewhat followed the idea that application bundles
follow on the Mac. A place to to put all the loose odds and ends files
associated with your application that would be somewhat 'invisible' to
the user.
I briefly scanned your paper wondering how my idea would stand up in
relation to it as a place to put the license or key. I'm sure the paper
merits more than a brief scan but this isn't really a problem I am at
this point I have a need to solve. I thought my idea held up fairly
well. You discuss hiding or finding I think specifically what would be
RSA private keys. This against a lunchtime attack where someone with
physical access to the computer for a short period of time tries to
scan for the RSA private key.
First off I think the compression would somewhat 'encrypt' the key
against someone running this attack and not taking it into account.
Compression is not RSA and it would be possible for someone realizing
they were scanning a zip file to decompress and then apply the trial
and error key pair tests or entropy checks against the decompressed
data. But that means they have to decompress every zip they run into,
it does make things somewhat more difficult for them and if they don't
do this I think impossible?
Also I think this would go a little ways in preventing the 'clear text'
version of the key from ending up getting randomly written to some swap
area on the machine not part of any file known to the user. Or at
least it would have a good chance of ending up there only in it's
compressed form.
I didn't mention this to the thread before because I thought it
somewhat off-topic since zips/jars are probably more common to java
programming than Cocoa but since I thought it still held up somewhat in
regards to your paper I thought I'd mention it.
Mike Hall <mikehall at spacestar dot net>
<
http://www.spacestar.net/users/mikehall>
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.