Re: Encrypt a string

  • Subject: Re: Encrypt a string
  • From: Damien Bobillot <email@hidden>
  • Date: Fri, 18 Nov 2005 19:59:21 +0100


Andrea Salomoni wrote:

Why do you think that?

The user may not have the rights to create a file inside the application bundle (this is the case for applications in /Applications/).


If, for example, I have to write a serial number in a plist file, isn't it better to write it in a place that is difficult for the user to access?

I suggest you do something like this:
1) store a key SK in a static variable in your application code
2) compute a dynamic key DK different for every computer your application is installed on (for instance, the computer serial number).
3) each user has a license number LN
4) when you ask the user to enter their license code, check if it is valid, and store encrypt(LN,hash("SK.DK")) in the preference file.
5) to check if the license number is valid, compute decrypt(LN,hash("SK.DK")) and check if it is a good license number.


encrypt/decrypt(data,key) is your symmetrical encryption/decryption algorithm. Don't directly use functions from libraries like openssl: it's easy to set a breakpoint on these functions and then dump the key. Prefer using an implementation in a C file you add to your project.

hash(data) is a hash function, used to mix SK and DK together (for instance an md5 hash, using any md5.c file found on the internet).

In this case, and if the hacker doesn't try to disassemble the code, you only have to trust the man who installs the application (and you don't have the choice if you don't implement a network check), not the final user. A user may see the encrypted data, but cannot decrypt it. He may want to copy the preference file from one computer to another, but he cannot do that: it won't work because of DK. The only means to install the app is to know a valid license number.

For more security, you may want to do point 4) on your own computer, using asymmetrical keys if you want, and then control on how many computers your program is installed by each user.

If the user is also the installer, don't try to do something complex, it won't work: in this case the user knows the license number and may type it as much as he wants.

On 18 Nov 2005, at 11:44, Scott Anguish wrote:

Reading a file from within the application wrapper is fine, but writing to it is a definite no-no.

There are locations to store things on a per-user or per-machine basis (~/Library/Application Support/YourApp/).

Or the application's preference file.

--
Damien Bobillot
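
The five steps above as an added Python sketch (not code from the post or the list). SHA-256 stands in for md5 and an HMAC-SHA256 counter-mode keystream stands in for the unspecified symmetric cipher; the random nonce, the HMAC tag, the `LN-` license format and the SK/DK values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

SK = b"constructed-static-secret"  # step 1: constant built into the app (constructed value)

def derive_key(dk: bytes) -> bytes:
    """hash("SK.DK") from the post, with SHA-256 swapped in for md5."""
    return hashlib.sha256(SK + b"." + dk).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in cipher: HMAC-SHA256 in counter mode (assumption, not the post's cipher)."""
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def is_valid_license(ln: bytes) -> bool:
    """Hypothetical LN format: b"LN-" plus 8 digits whose sum is divisible by 7."""
    digits = ln[3:]
    return (ln[:3] == b"LN-" and len(digits) == 8 and digits.isdigit()
            and sum(d - 48 for d in digits) % 7 == 0)

def store_license(ln: bytes, dk: bytes) -> bytes:
    """Step 4: validate LN, then return the blob to write to the preference file."""
    if not is_valid_license(ln):
        raise ValueError("invalid license number")
    key, nonce = derive_key(dk), os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(ln, _keystream(key, nonce, len(ln))))
    # Added beyond the post: a tag so a copied or edited blob fails deterministically.
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def check_license(blob: bytes, dk: bytes) -> bool:
    """Step 5: decrypt with this machine's key and re-validate the license number."""
    if len(blob) < 40:
        return False
    key, nonce, ct, tag = derive_key(dk), blob[:8], blob[8:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # different DK (file copied from another machine) or edited file
    ln = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return is_valid_license(ln)

if __name__ == "__main__":
    blob = store_license(b"LN-12345670", b"CONSTRUCTED-SERIAL-A")  # constructed inputs
    print(check_license(blob, b"CONSTRUCTED-SERIAL-A"),   # same machine
          check_license(blob, b"CONSTRUCTED-SERIAL-B"))   # preference file copied elsewhere
```

As the post says, this holds only while nobody disassembles the application: SK and the derivation logic both ship inside the binary.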

References: 
 >Encrypt a string (From: Andrea Salomoni <email@hidden>)
 >Re: Encrypt a string (From: Scott Anguish <email@hidden>)
 >Re: Encrypt a string (From: Andrea Salomoni <email@hidden>)
