Any public key/license will work? Doesn't enforce licensing?

[sparra1000]

What's stopping anyone from making there own public key file/license file to replace the public key distributed with your applications? What am I not seeing?

All someone needs to do it create a new key/license with your library
var keyGenerator = Portable.Licensing.Security.Cryptography.KeyGenerator.Create();
var keyPair = keyGenerator.GenerateKeyPair();
var privateKey = keyPair.ToEncryptedPrivateKeyString(passPhrase);
var publicKey = keyPair.ToPublicKeyString();

Make a new license like the one distributed with application
var license = License.New()
.WithUniqueIdentifier(Guid.NewGuid())
.As(LicenseType.Trial)
.ExpiresAt(DateTime.Now.AddDays(30))
.WithMaximumUtilization(5)
.WithProductFeatures(new Dictionary<string, string>
{
{"Sales Module", "yes"},
{"Purchase Module", "yes"},
{"Maximum Transactions", "10000"}
})
.LicensedTo("John Doe", "[email protected]")
.CreateAndSignWithPrivateKey(privateKey, passPhrase);

Copy that pub key into the application to replace the distributed public key and they can use a new license whenever they want. All they need to do is open the license file to see the format to recreate. I don't see how this enforced licensing.

The only way I see to make it more secure is to include the public key as a string in the application so it can't be replaced easily.

Do I understand this correctly?

[caverna]

Normally it's the inverse...
You burry the PRIVATE key inside your application the way you think it's best,
This way, you'll pack your information in a way that only you application can unpack.
Look for at PS3 unlock and you'll find more information about that.
But I have to inform you, if someone want's to break your license, they eventually will, because you can't count with a dedicated CPU to hold your key like PS3 do... ;-)

[sparra1000]

@caverna I get what you're saying, I know programs can be cracked but the instructions for Portable.Licensing suggest that you might as was well not have a license following their instructions. All you need to do is make a new one using their library, you don't even need to crack the program.

This is from the Git Portable.Licensing instructions:

"Store the private key securely and distribute the public key with your product. Normally you create one key pair for each product, otherwise it is possible to use a license with all products using the same key pair. If you want your customer to buy a new license on each major release you can create a key pair for each release and product."

[caverna]

@sparra1000 think this way: your program has a private key inside it (deep burry, I hope), but when you create a license information, you'll encode using the public key of this pair...
Another person is able to create a new pair of keys (that's not needed by the nature of pgp), but as they don't have your application private key (I suppose that you burried it well, right?) no one is able to "open" your package to see how you encode your license information and here is where security stays in fact!
Search in youtube for how pgp works, you'll find a lot of interesting things related to the behavior of this tool...

[sparra1000]

@caverna I understand what you're saying but my issue is with Portable.Licensing and how they instruct to use their library. Portable.Licensing doesn't mention ever putting the private key in the program. They only say to distribute the public key and license file with the application to license. This is the code they use for an example, there is no private key:

Store the private key securely and distribute the public key with your product.

var validationFailures = license.Validate().ExpirationDate() .When(lic => lic.Type == LicenseType.Trial) .And() .Signature(publicKey) .AssertValidLicense();

[dnauck]

Exactly, the private key is for creating/signing new licenses. The public key is for validating licenses/signatures.

So never ever distribute your private key to the public or within your application.

[sparra1000]

@dnauck I'm doing exactly as your instructions say and it works but my original issue/question is still unanswered. My issue is, I don't see how this licensing strategy prevents anyone from using your library to generate a new public key and license to be used for my product. If a public key file and license file are read in from an application, anyone can put a new combination pair in its place. Is that correct?

This will hopefully explain my question:

1. I've integrated Portable.Licensing as described into an ASP.NET Web Application.
2. I send the customer the generated "license file" and a "public key file" .
3. The customer copies the license file and public key file into the Web Application directory to be read by:

string licenceXML = File.ReadAllText(Server.MapPath("~/license.lic"));
string publicKey = File.ReadAllText(Server.MapPath("~/license.pub"));

var license = License.Load(LicenseXML);

var validationFailures = license.Validate().ExpirationDate() .When(lic => lic.Type == LicenseType.Trial) .And() .Signature(publicKey) .AssertValidLicense();

4. So anyone can open up license.lic, recreate it using Portable.Licensing and a new private/public key generation, then overwrite the "valid" license.lic and license.pub files in the application directory. Therefore would never need to purchase a new license and use this application as much as they want. Is that right?

How do you enforce that the license.lic/license.pub files I create are the only one that can be used with the distributed product? It seems that you can't. Am I missing something?

[vovikdrg]

I am just thinking what is stopping to download sources recompile and drop dlls without assertion?

[616b2f]

@sparra1000 i think you need to compile your public key in your web application. If you provide your public key as file as you did, then you are right it can be replaced as you described.

@vovikdrg i guess, you would need to sign you complete application and all DLLs you use in it to prevent this.