Best place to put key or password used for encryption? [closed]

问题

Closed. This question is opinion-based. It is not currently accepting answers.

---

Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.

Closed 4 years ago.

I am making an activation server and the client will have to send infos to the activation server which send back the encrypted license file. However, in order to decrypt that file.. the client need the key or password.

What would be the best place to to put key or password used for encryption ? or else even better what would be the best way to transfer that key or password ?

Thanks!

回答1:

The client application has a server address which it will connect to, sending whatever information is needed (I assume here you are sending the client's config file). It can also know in advance the public key of the server in the config file.

The server uses its private key to sign a hash of the configuration file (which includes its public key that it can verify since it's being sent to the server). This signed digital hash is sent back to the client.

At startup, the hash is verified in two ways:

• That the signature is correct.
• That the hash corresponds to the config file.

I don't have any VB.Net code available now, but all the C# code can be found in C#3.0 in a Nutshell examples online.

Example code in C# Available under section The RSA class and followings

回答2:

I'm not sure how to determine if it's the best place, but the *.config file seems like a valid option.

回答3:

Since this is my area of expertise, let me jump in... It seems you are trying to create your own activation system starting from scratch. In the early days of using activation to protect software licenses a number of companies took the approach of developing their own systems without having deep expertise, and their ignorance of what it took to make a secure, user-friendly activation system gave activation a bad name. So, in the interests of helping you not have to painfully re-learn these lessons and irritate your customers, here are some of the things you need to think about:

• How will users activate their license if they don't have a network connection to the server, or their connection is blocked by a firewall?
• Presumably as part of the activation you are node-locking your application to some parameters of the user's system (otherwise they can just copy it and run it on any system they wish). How will you deal with someone who makes a minor upgrade to their system, causing a node-locking parameter to change? Note the MAC address is not a good choice for this, even though it is commonly used, as the ease with which the MAC address can be configured on some systems means MAC-address node-locking is insecure.
• A user's system crashes - how can they get their license running on another system? (and how can you know they are telling the truth about their system crash?)
• What if a user wants to move their license to another machine after a while, say from their desktop to their laptop. Can your system allow them to do this without it being a security hole or an annoying manual process requiring your support?
• How will you secure your licenses against key tampering, spoofing or tampering with the licensing code etc?
• From your post it seems you just want to enable the whole application for now. What if in future you want to activate time-limited trial or subscription licenses, configure product features or enable certain modules etc. Will your activation system support this or will you have to re-build it?

Just some things to think about.

来源：https://stackoverflow.com/questions/7192997/best-place-to-put-key-or-password-used-for-encryption