On Wed, Oct 03, 2007 at 11:11:26AM -0500, Md Lazreg wrote:
> On 10/3/07, Victor Duchovni <[EMAIL PROTECTED]> wrote:
> >
> > On Wed, Oct 03, 2007 at 10:57:39AM -0500, Md Lazreg wrote:
> > Is this DRM? DRM is not possible without
> > trusted hardware, and even then is difficult.
>
>
> Yes it is DRM in a way. I know it is not possible to have a 100% protection
> using only software. I am only looking to make it a little bit harder by
> "smartly" hiding the public key in the application.
>
If your users are not technically sophisticated, and the application is
aimed at paying business customers and not the general public, it is
enough to compile the key into the application. Businesses don't like
being caught stealing.

If your users are the general public and/or they are strongly motivated
to attack the application, then it is only a matter of time...

They can usually not only replace the public key, but also simply remove
the code that performs the signature checks, ...

There are companies selling something called "white-box-cryptography".
They have keyed self-obfuscating code, where it is difficult to analyze
the control flow of the application, and the encryption is built in
the structure of the binary rather than merely being data. Their target
market is DRM.

Perhaps you are looking for something like that. Don't recall any specific
names, but the term should get you started in the right direction. This
is not an endorsement of the security of their products, I don't know
enough to endorse or condemn them.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]