Re: Registering software
- Subject: Re: Registering software
- From: Nicko van Someren <email@hidden>
- Date: Mon, 13 Mar 2006 23:20:29 +0000
On 13 Mar 2006, at 18:53, Finlay Dobbie wrote:
> On 13/03/06, Marcus S. Zarra <email@hidden> wrote:
>> ...
>> What would your suggestion be for
>> a registration schema for an Objective-C/Cocoa application?
> Something home-grown. Be creative.
I disagree. Designing a good system is complex, time-consuming and
easy to do wrong. Furthermore, security through obscurity just makes
your application a more interesting target for hackers.
> Securest form is probably the static library "Carbon" implementation,
Certainly statically linked C code is going to be a much better
option than an Objective-C framework.
> but even then it is fairly trivial to patch the binary (you know what
> the implementation looks like in machine code, just do a find &
> replace).
I think you need to consider exactly what you are trying to protect
against. What's the threat model? The vast majority of prospective
customers will not patch binaries. In practice fairly few people
download illegal Warez, so unless you are trying to wring every last
penny out of your insanely desirable program then actually your
efforts are probably not best spent trying to make your program
entirely hack-proof (which you'll never achieve anyway). Instead you
should concern yourself with people passing the program around to
their friends. In that case you want to make sure that the
registration key binds to the user details and that these are
displayed prominently. You could consider comparing the name in the
registration against the value given by NSFullUserName() and
flagging inconsistency, though having a re-registration system will
save you the ire of some people who get married, get divorced or hate
their parents. You might consider nagging the user if they have an
unregistered copy rather than crippling the software (personally I
find trying out software which has features disabled to be
uninformative).
> The whole thing about "RSA encryption" and suchlike is clearly
> irrelevant.
No it's not. If you use a symmetric encryption system or hash
function to make registration codes then reverse engineering of the
application allows an attacker to generate new registration codes
without needing to alter the application. If you use an asymmetric
system (such as an RSA signature) then mere observation of the
application code does not give the attacker the power to make new
codes. Thus the attacker either needs to distribute whole, hacked
applications or they end up displaying the name and email address of
the user who leaked their registration. I would therefore recommend
that you go for a digital signature based scheme. Of course just
because the system uses RSA signatures does not mean it's any good,
but it's certainly a point in its favour.
Nicko
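The two points Nicko makes above, binding the registration key to displayed user details and issuing it as an asymmetric signature rather than a symmetric code, are illustrated in the following added example. It is not code from the thread or from any Cocoa project: it is written in Go (the thread's application would be Objective-C or C, but the scheme is language-neutral), and the type and function names (License, IssueCode, VerifyCode, MatchesAccount), the canonical string format, and the sample user are all assumptions of the example. The key pair is generated at run time only so the program is self-contained; a vendor would generate it once and keep the private half off the shipped binary.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// License holds the user details the application displays prominently.
// The registration code is a signature over exactly these details, so a
// code that gets passed around carries the name and email of whoever
// leaked it. (Hypothetical type for this example.)
type License struct {
	Name  string
	Email string
}

// canonical is the byte string that is actually signed. Whitespace is
// trimmed and case folded so harmless formatting differences do not break
// verification; a NUL separator, which cannot occur in either field, keeps
// the two values from being re-split differently by the verifier.
func canonical(l License) []byte {
	return []byte(strings.ToLower(strings.TrimSpace(l.Name)) + "\x00" +
		strings.ToLower(strings.TrimSpace(l.Email)))
}

// GenerateVendorKey creates the vendor's RSA key pair. Only the public half
// is compiled into the application; the private half never leaves the vendor.
func GenerateVendorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// IssueCode is the vendor-side step: sign the user details and hand the
// encoded signature to the customer as their registration code.
func IssueCode(priv *rsa.PrivateKey, l License) (string, error) {
	digest := sha256.Sum256(canonical(l))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyCode is the application-side step. It needs only the public key,
// which is the whole point of the asymmetric scheme: reading the shipped
// binary reveals nothing that lets anyone mint codes for new names, unlike
// a symmetric or hash-based check whose secret must be present in the app.
func VerifyCode(pub *rsa.PublicKey, l License, code string) error {
	sig, err := base64.RawURLEncoding.DecodeString(code)
	if err != nil {
		return fmt.Errorf("registration code is not well-formed: %w", err)
	}
	digest := sha256.Sum256(canonical(l))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return errors.New("registration code does not match these user details")
	}
	return nil
}

// MatchesAccount is the optional sanity check from the thread: compare the
// registered name with the account's full name (what NSFullUserName() would
// return on a Mac; passed in here so the example runs anywhere). A mismatch is
// something to flag, not a reason to refuse, since people change names.
func MatchesAccount(l License, accountFullName string) bool {
	return strings.EqualFold(strings.TrimSpace(l.Name), strings.TrimSpace(accountFullName))
}

func main() {
	priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample user for the demonstration.
	lic := License{Name: "Ada Lovelace", Email: "ada@example.com"}
	code, err := IssueCode(priv, lic)
	if err != nil {
		panic(err)
	}
	fmt.Println("registered to:", lic.Name, "<"+lic.Email+">")
	fmt.Println("genuine code accepted:", VerifyCode(&priv.PublicKey, lic, code) == nil)
	// Changing the name to hand the code to a friend breaks the signature.
	friend := License{Name: "Bob", Email: lic.Email}
	fmt.Println("re-labelled code accepted:", VerifyCode(&priv.PublicKey, friend, code) == nil)
	fmt.Println("name matches account:", MatchesAccount(lic, "ada lovelace"))
}
```

The verifier embeds only the public key, so the application never holds anything that can produce a new code; a code is either genuine for the details shown on screen or it is rejected. As Nicko notes, using a signature does not by itself make the scheme good: the verification call is still a single branch an attacker can patch out, which is why the thread's advice is to decide what you are defending against before investing in it.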
Cocoa-dev mailing list (email@hidden)