Question

We re using XML Digital Signatures for signing and verifying our license keys. The signing works fine and has been running smoothly. The XML license file contains a few (plaintext) details about the license, along with a binary signature.

We d like to encode (I don t say encrypt) those plaintext details (license duration, user name, etc, etc.) so they re not immediately visible to prying eyes. Is there a standard (eg, base 64 or something else) that people use in this situation? It doesn t need to be secure or particularly clever, just enough to conceal the information in Notepad.

EDIT: We re using .NET/C#.

Thanks : )

Answer 1

Just use XOR. XOR is a good thing (when used right), used even in cryptographic algorithms such as RC4. By using XOR I mean taking some text string that will remain constant in your application, then XOR 1st byte of your file with 1st byte of that string, then xor 2nd byte of your file with 2nd byte of that string and so on. Then start from the beginning of the string. This is the way stream ciphers work. The string found in your code (in opposite to just some constant number) will make hacker s work a tiny bit more complicated.

Answer 2

A simple hex encoding would accomplish that. It is also easy to decode. If you mention which language or platform you are writing the code in, someone could make a more specific recommendation.

Answer 3

If you re simply looking to obfuscate the details, then I would think a Base64 or equivalent encoding mechanism would be fine.

I m not familiar with any sort of standard around exactly what you re trying to do, since most people would argue that what you re trying to do doesn t really achieve anything (since it falls within the realm of "security through obscurity").

Answer 4

As a user of license keys, I would recommend against this obfuscation. It is often very useful when auditing the license to determine the details you are referring to. If I can get them from the xml description, it can save as substantial amount of time. It also helps discover incorrectly deployed licenses. If I find a key issued to example.com instead of the organization I work for, I know we need to address the issue. If it is issued to ZXhhbXBsZS5jb20K (example.com in base64), do I will not think twice about it. I also have to deal with ensuring licences are renewed on time. When do I renew a license with an expiry of MjAxMC0wNi0wMQo=?

友情链接