
RSA private/public question


2005-06-04 11:49:46 PM
delphi229
Hello,
I want to implement RSA public/key in my software to encrypt my registration
keys.
RSA says that the client must have the public key so he can encrypt
files/strings. My problem is that I need the opposite. Client must be able
only to decrypt a key and read info from that. I don't want clients to be able
to generate keys.
So what am I doing here? Application must know the private key and I know the
public key? Can he use the private key to encrypt also? I'm a little confused.
Thanks
 
 

Re:RSA private/public question

Hi Nick,
Here are people much more expert than me, but I will tell you what I know,
hoping that it is correct :-).
First of all, what are really private and public keys?
A private key is used to decrypt a message sent using a public key.
That makes sense, because that way anyone can encrypt messages that
need a private key to be decrypted.
Now, what should I do if I want to let the others know that it was
really me to send a message? I can *sign* it with my private key.
That is, I use my private key to encrypt, so that anyone having my
public key can decrypt it.
The usefulness of this is that the only one to have my private key is
*me*, this means that *nobody else* could have sent the message,
given that the key is taken appropriate care of (i.e. put somewhere
inaccessible to enemy interested parties).
Thus, what *you* want to do is to *sign* your message, not making it
inaccessible to others, and you use a private key to sign.
Is it clearer now?
Cheers,
Andrew
 

Re:RSA private/public question

On Sat, 4 Jun 2005 18:49:46 +0300, "Nick Rollas"
<XXXX@XXXXX.COM> writes:
Quote
Hello,

I want to implement RSA public/key in my software to encrypt my registration
keys.
RSA says that the client must have the public key so he can encrypt
files/strings. My problem is that I need the opposite. Client must be able
only to decrypt a key and read info from that. I don't want clients to be able
to generate keys.

So what am I doing here? Application must know the private key and I know the
public key? Can he use the private key to encrypt also? I'm a little confused.

You're misunderstanding the nature of the keys.
There are two keys. What one encrypts the other decrypts.
If you encrypt it with your private key they use the public key to
decrypt it.
Anything they encrypt with the public key can only be read by you with
your private key.
The usual use of public-key encryption is what it is named after--using
a publicly available key to encrypt stuff so only you can read it.
However, it works both ways.
It's just that for an application like the one you are doing, the more common
use is simply a digital signature.
 

Re:RSA private/public question

Nick Rollas writes:
Quote
I want to implement RSA public/key in my software to encrypt my registration
keys.

In addition to the implementation advice you have been given already, I
would like to stress that such registration schemes can be by-passed. I
have seen it happen a number of times.
The problem is that somewhere in your implementation of the registration
scheme you will get an if..then statement where you check the validity
of the registration entered by the user. This line is exactly what the
cracker will try to find. To crack your scheme the cracker will just
have to flip the conditional so that execution exits if the key is valid
and continues otherwise.
Consequently, you might use RSA to make it practically infeasible for
anyone to generate keys that will work with your *authentic* software,
but you cannot possibly prevent people from generating keys that will
work with *cracked* versions of your software. Hence, your best bet
might be to give your users incentive to stay away from cracked versions
of your software, and one tool you might use for this is a spotless
reputation for producing malware-free software combined with
instrumental use of MS Authenticode. Unfortunately, MS Authenticode
signatures are only checked in some circumstances, such as when you are
downloading and running ActiveX controls from within MSIE.
--
Henrick Hellström
www.streamsec.com
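
The signing approach the replies above describe, as an added example that is not part of the original thread: the vendor signs the registration data with the private key, and the application, holding only the public key, verifies it but cannot issue keys. Assumptions: the key is built from two constructed Mersenne primes and uses unpadded hash-then-sign so the block needs no third-party library (a real product would use a vetted library's padded RSA signatures such as RSA-PSS); `issue_key`, `check_key` and the licensee string are hypothetical names.

```python
import hashlib

# Constructed demo key: two Mersenne primes, so no key generation or
# third-party library is needed. Never use special-form primes in practice.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus (ships inside the app)
E = 65537                            # public exponent (ships inside the app)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (stays with the vendor)


def _digest_int(message: bytes) -> int:
    """SHA-256 of the message as an integer (256 bits, far smaller than N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def issue_key(licensee: str, d: int = D, n: int = N) -> str:
    """Vendor side: sign the licensee text with the PRIVATE key."""
    sig = pow(_digest_int(licensee.encode()), d, n)
    return f"{licensee}|{sig:x}"


def check_key(reg_key: str, e: int = E, n: int = N) -> bool:
    """Client side: verify using the PUBLIC key only."""
    licensee, sep, sig_hex = reg_key.rpartition("|")
    if not sep:
        return False                 # no signature field at all
    try:
        sig = int(sig_hex, 16)
    except ValueError:
        return False                 # signature field is not hex
    if not 0 < sig < n:
        return False                 # out-of-range value, reject early
    # This boolean is the single decision point the last reply warns about:
    # the math stops forged keys, not a patched copy of the program.
    return pow(sig, e, n) == _digest_int(licensee.encode())


if __name__ == "__main__":
    key = issue_key("Example User;edition=pro")   # constructed sample licensee
    print(check_key(key))                          # genuine key
    print(check_key(key.replace("pro", "ent")))    # licensee text edited
    print(check_key("Example User;edition=pro|" + "1" * 40))  # made-up signature
```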