Licensing Addon Question

[Martin]

Hi,

according to the following blog post from 2011 https://www.blesta.com/2012/03/30/blesta-3-0-software-licensing/ it is how the licensing addon work. Ive been wondering and cant get around how the public key is stored safely.

Image the following Situation:

You write an application and encrypt it with Ioncube/Zend, then you have the Blesta API send you the public key and you store it in the database if the installation. Then the rest of the Licensing works as supposed.

Now someone comes to the idea and changes the public key saved in the database, he spoofs the Server and uses his own Private key to generate a signature. What would prevent this (except encryption of transmitted data by a password that is set in the product itself). I want to avoid storing encryption keys/passwords etc. in the software itself.

 

[Paul]

1 hour ago, Martin said:

That would make the whole encryption Thing useless. You could simply encrypt by Password and still the only protection is the shared secret witch is statically encoded.

If you get to know this secret then your can easily generate your own pair of public and private key. Spoof the license server and use your own private key to generate the signature. Then you would just use your own public key.

The Private Public key encryption literally makes no sense at all as your can simply replace it with your own keys.

The only protection is the secret that your proparbly share across all installations. 

The only way signatures can be trustworthy verified is to not allow the user to change/replace the public key.

All licensing can be circumvented. Replacing keys with your own keys is not simple, most people do not have the expertise to do that and to spoof a license server. And, none of that can be done without decoding the files first. Files must be decoded for that. (in the case of Blesta, the 3 license files) Reverse engineering the code for ANY software product allows for nulling the software. It's much easier to null it than to spoof a license server, so nobody is going to do that unless for research.

If you find a way to prevent piracy 100%, let me know privately and let's become billionaires together.

We have circumvented 2 of our competitors (one ryhmes with wimps and the other thinks they are an executive) without decoding. None of the techniques required to circumvent their licensing work on Blesta.. and once the code is reversed engineered, it's trivial to null - any software.

[Michael]

They would have to decrypt the files successfully and have the license manager themselves to spoof it if i'm correct, that or by decrypting just null it. Am i right @Paul @gosuhost

[Paul]

The license server has the private key, so the client (public key) can decrypt but not encrypt license data. This makes it difficult to spoof, as only the license server can sign messages, and there is no need to encrypt the public key, it's the public key. You can't simply spoof the license server and generate new keys because there is also a shared secret that is embedded in your code, that you would ideally encode before distribution.

[Martin]

Hi Paul, that means the only real protection is a secret in the code. Theoretically as a not so nice guy you could set up your own license server that generates the signature and data by simply changing the public/privatekey on both ends. Then spoof the Server to your own license server with your own private key.

The only thing preventing further spoofing is a shared secret implemented in the code of the application.

Am I correct?

[mrrsm]

On 11/7/2017 at 12:25 AM, Martin said:

The only thing preventing further spoofing is a shared secret implemented in the code of the application.

If you are using the module as is that is the only part that is really stopping you from using a different license server.  Once the public key is pulled/saved it becomes a bit harder to switch as well unless you are clearing the locally stored info.

[domaingood]

Can We are done with theme with automatic updater License key generation & checking possible via Licensing Addon

License key generation
Remote license activation
Remote license deactivation
Remote license checking
Automatic upgrade system for WP plugins and themes
License activation logs
Automatic license expiration
Automatic license renewal reminders
License upgrades system
Integrates with Recurring Payments for automatic license renewals
the license is locked to a single domain and folder.If the site is moved they will need to reissue the license.

[Martin]

On 7.11.2017 at 12:29 AM, Paul said:

The license server has the private key, so the client (public key) can decrypt but not encrypt license data. This makes it difficult to spoof, as only the license server can sign messages, and there is no need to encrypt the public key, it's the public key. You can't simply spoof the license server and generate new keys because there is also a shared secret that is embedded in your code, that you would ideally encode before distribution.

That would make the whole encryption Thing useless. You could simply encrypt by Password and still the only protection is the shared secret witch is statically encoded.

If you get to know this secret then your can easily generate your own pair of public and private key. Spoof the license server and use your own private key to generate the signature. Then you would just use your own public key.

The Private Public key encryption literally makes no sense at all as your can simply replace it with your own keys.

The only protection is the secret that your proparbly share across all installations. 

The only way signatures can be trustworthy verified is to not allow the user to change/replace the public key.