Re: Serial key Framework for cocoa?
- Subject: Re: Serial key Framework for cocoa?
- From: William Squires <email@hidden>
- Date: Thu, 25 Jan 2007 22:41:27 -0600
On Jan 25, 2007, at 6:16 PM, Andrew Farmer wrote:
> On 25 Jan 07, at 09:54, Stefan wrote:
>> Final technical remark: Better don't use ObjC to verify a key, but
>> standard C
>
> More specifically: Don't *ever* generate the key within your
> program and compare the user's input against it. Schemes that work
> this way are trivial to break: all an intrepid hacker has to do is
> find where it's generated, interrupt your program there, and copy
> the output. Come up with some other, more indirect way of checking
> the key's validity.
>
> Similarly, returning a TRUE/FALSE status from an "isRegistered"
> function is asking for trouble. It's pretty trivial to replace a
> complex function with a small stub that'll return a fixed value.
> Same goes for checking its return value in a single location (at
> startup or the like).

Which raises a question: are the ObjC constants "Yes" and "No" a
true boolean data type, or just mapped to an integral data type as in
C/C++? If they're just a form of integer, then you can 'redefine'
what an acceptable 'true' answer is.

Perhaps by using a rotating key for generating the 'true' status
(say, with a Linear Feedback Shift Register in 32 bits), you could
make it a lot harder to just replace it with a stub that returns a
constant value. Even better if the key is used in a computation
somehow (perhaps to decrypt some other data); then a hacker would
have to figure out what relevance the return value has (once they try
- and fail - with the obvious 'replace with a stub' method!) i.e.
they'll have to disassemble and reverse-engineer it to understand how
it works. Most just want a 'quickie' fix, such as a
'usable-everywhere keycode generator' or some such.

But... as this isn't really a Cocoa topic, it's probably best
taken off-list.
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
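
The design the message above suggests (feed the key into a computation, such as decrypting data the program needs, instead of answering YES/NO), as an added C example that is not code from the thread or its authors. The function names, the FNV-1a seeding, the LFSR tap mask, and the sample serial and data are assumptions made for illustration; a 32-bit LFSR is what the message mentions and is not a secure cipher, so a shipping product would use a real KDF and an authenticated cipher.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample values; a real build ships only the encrypted blob. */
#define DEMO_SERIAL "DEMO-0000-SERIAL"
static const char DEMO_PLAIN[] = "scale=1.618;export=on";

/* FNV-1a hash of the serial becomes the LFSR seed. */
uint32_t seed_from_serial(const char *serial) {
    uint32_t h = 2166136261u;
    for (; *serial; serial++) { h ^= (unsigned char)*serial; h *= 16777619u; }
    return h ? h : 1u;   /* an all-zero LFSR state would never leave zero */
}

/* XOR n bytes with a 32-bit Galois LFSR keystream (tap mask is an assumption).
   The same call encrypts and decrypts. */
void lfsr_xor(uint32_t s, unsigned char *buf, size_t n) {
    for (size_t i = 0; i < n; i++) {
        unsigned char k = 0;
        for (int b = 0; b < 8; b++) {
            uint32_t out = s & 1u;                    /* bit shifted out */
            s = (s >> 1) ^ (out ? 0x80200003u : 0u);
            k = (unsigned char)((k << 1) | out);
        }
        buf[i] ^= k;
    }
}

/* Vendor-side build step: encrypt the feature data under the valid serial. */
void build_blob(unsigned char *blob) {
    memcpy(blob, DEMO_PLAIN, sizeof DEMO_PLAIN);
    lfsr_xor(seed_from_serial(DEMO_SERIAL), blob, sizeof DEMO_PLAIN);
}

/* Runtime: no expected key, no YES/NO to stub; a wrong serial yields garbage. */
void unlock(const char *serial, const unsigned char *blob, unsigned char *out) {
    memcpy(out, blob, sizeof DEMO_PLAIN);
    lfsr_xor(seed_from_serial(serial), out, sizeof DEMO_PLAIN);
}

int main(void) {   /* the memcmp here is demo output only, not part of the scheme */
    unsigned char blob[sizeof DEMO_PLAIN], out[sizeof DEMO_PLAIN];
    build_blob(blob);
    unlock("DEMO-0000-SERIAM", blob, out);            /* one character off */
    printf("wrong serial recovers data: %d\n", memcmp(out, DEMO_PLAIN, sizeof out) == 0);
    unlock(DEMO_SERIAL, blob, out);
    printf("valid serial recovers: %s\n", (char *)out);
    return 0;
}
```

Replacing `unlock` with a stub that returns a constant gains nothing here, because the program needs the decrypted bytes themselves rather than a status value.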