Security

Dec 19, 2011 at 8:19 PM

Hi,

To implement this system do we need to set up any form of security?

What I mean is, if someone gained access to the source code could they somehow find their way to the server / database upon which details were being stored?

At the moment I'm setting up a WPF app to download license details from the server and for this I have been looking into securing another service that I've implemented to allow me to do that. That got me thinking if perhaps security features should be implemented upon the Activatar service also.

Sorry if this is a naive question, but I'm new to all this security stuff.

Malc

 

Coordinator
Jan 17, 2012 at 10:02 PM
Edited Jan 22, 2012 at 10:35 PM

Hi Malc,

Since the ProductKey and ProductLicense are encrypted using your own generated RSA private key, even if someone gains access to the source code, they cannot decrypt the information and hence, they cannot generate new ProductKeys or hack the ProductLicense.

That said, the less information the hacker has, the harder it is for them to exploit it, so changing some parts of the code could always be a plus, though not necessarily needed. It is also true that a hacker will spend time depending on the benefits they get. If you are protecting a 1 million dollar license software your system will be potentially more vulnerable :)

There are only a few things to keep in mind and not to forget:

1. Generate your own RSA key pair (public and private)
The source code comes with an RSA key pair that needs to be replaced with a new one. The public key will be distributed with your software, but the private key needs to be secret. If by mistake you distribute the private key, everybody will be able to generate valid product keys.

Please, refer to this question to see how to create a new RSA key.
http://activatar.codeplex.com/discussions/243046

2. Sign the Activatar.dll assembly
The Activatar.dll assembly needs to be distributed with your application. You need to sign the assembly to avoid tampering. Read below for details.

3. Delay the ProductKey activation
As a good practice, after the server validates and generates the Product License, wait a few seconds before returning to the client. This will prevent brute-force cracking, that is, a hacker trying random ProductKeys to be activated.

 

Some questions and answers that can clarify security aspects of this system:

Can a hacker build a valid ProductKey?
Since the hacker doesn't have your RSA private key, it is very very hard for a hacker to break it. If they know how to break an RSA key they would probably rather try to hack a bank transaction than a product activation :)

Can a hacker try to activate random Product Keys?
Anyone can generate a random Product Key, but only your server, with the private RSA key, can validate it. You can easily detect if someone is trying to activate thousands of fake ProductKeys and put their IP address on a blacklist. A good practice could also be to put a delay after the validation (server side).

Can a hacker build a valid Product License?
The Product License is the file that the server sends to the client after activation and contains the information about the activation and if the software is legitimately licensed.
Again, since the Product License information is encoded using an RSA key, it is very very hard to modify it.

Can a hacker try to generate a random Product License?
To generate a random Product License, the hacker needs to create the ActivationInfo with valid information and generate a signature that matches that ActivationInfo. Since the signature is 128 bytes, the possibilities are, for a current computer, almost infinite.

Even if a hacker, with access to the source code, develops a program to generate and validate the ProductLicense, it will take, with some luck, years to get a pseudo-valid ProductLicense. Note also that the RSA algorithm is not especially fast, and takes more than 1 second to validate 1000 signatures.

Can a hacker bypass the Product License verification?
To understand this question, let's imagine that the hacker has the source code and compiles his own Activatar.dll that always returns "Ok" to the verification. Then, he replaces the real Activatar.dll with the fake one.

Well, there is an easy solution to this scenario. Just signing the assembly will prevent this.
http://msdn.microsoft.com/en-us/library/ms247123(v=vs.80).aspx

 

Having said all this, no system is 100% secure and I won't recommend this for a nuclear missile activation :) but I believe it's not worth it for a hacker to crack this system to save a few dollars for a license :)

Please, if you or someone else sees any possibility that this system can be easily hacked, I would appreciate being informed.

Thanks
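
An added example, not part of the original post and not Activatar's own code: a minimal C# sketch of the private-key-signs, public-key-verifies pattern the answer above relies on, showing that edited activation data or a guessed signature fails verification and that the distributed public key cannot produce signatures. The class name, the sample activation string, the 2048-bit key size, SHA-256 and PKCS#1 v1.5 padding are assumptions made for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LicenseSignatureDemo
{
    // Server side: sign the activation data with the RSA private key.
    static byte[] Sign(RSA key, string activationInfo) =>
        key.SignData(Encoding.UTF8.GetBytes(activationInfo),
                     HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    // Client side: verify with the public key that ships with the application.
    static bool Verify(RSA publicKey, string activationInfo, byte[] signature) =>
        publicKey.VerifyData(Encoding.UTF8.GetBytes(activationInfo), signature,
                             HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    static void Main()
    {
        // Assumption: key generated for the demo; a real server loads its own key.
        using RSA serverKey = RSA.Create(2048);
        using RSA clientKey = RSA.Create();
        clientKey.ImportParameters(serverKey.ExportParameters(false)); // public half only

        // Constructed sample data, not Activatar's real ActivationInfo format.
        string info = "product=DemoApp;machine=CONSTRUCTED-ID;expires=2030-01-01";
        byte[] signature = Sign(serverKey, info);

        Console.WriteLine("genuine license:   " + Verify(clientKey, info, signature));
        Console.WriteLine("edited expiry:     " +
            Verify(clientKey, info.Replace("2030", "2099"), signature));

        byte[] guess = new byte[signature.Length];
        RandomNumberGenerator.Fill(guess); // a random "signature" of the right size
        Console.WriteLine("random signature:  " + Verify(clientKey, info, guess));

        try
        {
            Sign(clientKey, info); // the distributed key has no private part
            Console.WriteLine("public key signed: unexpected");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("public key cannot sign");
        }
    }
}
```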

 

May 3, 2012 at 8:34 AM

Dear Alvaroma.

The hacker can remove the strong name assembly and then replace the real Activatar.dll with the fake one.

Also, your solution is very good, please improve it.

Coordinator
May 4, 2012 at 2:09 AM
dungpv wrote:

The hacker can remove the strong name assembly and then replace the real Activatar.dll with the fake one.

Hi Dungpv, I'm glad you like the solution.

Anyway, I'm not sure if I understand your comment. How can the hacker remove the strong name assembly and replace it? Your application will look for the signed assembly and will only work with the real assembly and not with the fake one.

Please, let me know if I misunderstood your question.

 

Feb 24, 2014 at 1:12 PM
Edited Feb 25, 2014 at 11:49 PM
Hi Alvaro,

Thank you for the great Activatar project. I too am concerned about security.