#1 2017-03-18 16:57:55

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 9,293
Website

Application Locking using Asymmetric Encryption

A common feature request for professional software is to prevent abuse of published applications. For licensing or security reasons, you may be requested to "lock" the execution of programs, maybe tools or services.

mORMot can use Asymmetric Cryptography to safely ensure that only allowed users could run some executables, optionally with dedicated settings, on a given computer.

The dddInfraApps.pas unit publishes the following ECCAuthorize function and type:

type
  TECCAuthorize = (eaSuccess, eaInvalidSecret, eaMissingUnlockFile,
    eaInvalidUnlockFile, eaInvalidJson);


function ECCAuthorize(aContent: TObject; aSecretDays: integer; const aSecretPass,
  aDPAPI, aDecryptSalt, aAppLockPublic64: RawUTF8; const aSearchFolder: TFileName = '';
  aSecretInfo: PECCCertificateSigned = nil; aLocalFile: PFileName = nil): TECCAuthorize;

This function will use several asymmetric key sets:
- A main key set, named e.g. applock.public and applock.private, shared for all users of the system;
- Several user-specific key sets, named e.g. userhost.public and userhost.secret, one for each user and associated computer host name.

When the ECCAuthorize function is executed, it will search for a local userhost.unlock file, named after the current logged user and the computer host name. Of course, the first time the application is launched for this user, there will be no such file. It will create two local userhost.public and userhost.secret files and return eaMissingUnlockFile.

This is the forum thread for this blog article.

Offline

#2 2017-03-18 20:45:18

werewolf
Member
Registered: 2017-03-18
Posts: 2

Re: Application Locking using Asymmetric Encryption

From cracker point of view, no matter how cryptic or heuristic protection algorithm is, the weakest thing here is ECCAuthorize function:
it may be simply* patched to return 0 (TECCAuthorize.eaSuccess)
* depends on other protection measures
If it is used as only protection it will fail the job on first cracker.
I share opinion that soft must be pleasant enought for user to pay for it
Of course if user have some spare money for this =)
From author point of view there must be harmony of protection level vs your soft "real" cost.

Offline

#3 2017-03-18 21:11:25

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 9,293
Website

Re: Application Locking using Asymmetric Encryption

The ECCAuthorize is just one part of the protection.
Above it, you build your own system.

The idea is that you supplied some needed information as aContent: TObject output, encrypted as JSON within the .unlock file.
If you let ECCAuthorize return 0, the system won't work. smile

The feature was setup on our side not for licensing reasons, but to reduce the spread of some internal tools, which give access to sensitive information on our servers.

Offline

#4 2017-03-18 21:40:35

werewolf
Member
Registered: 2017-03-18
Posts: 2

Re: Application Locking using Asymmetric Encryption

ab wrote:

The idea is that you supplied some needed information as aContent: TObject output, encrypted as JSON within the .unlock file.
If you let ECCAuthorize return 0, the system won't work. :)

Well, that changes everything: return 0 and {"godmode":"on"} in aContent =)
What is the difference with "strong" https request of the same content?

Offline

#5 2017-03-19 08:37:01

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 9,293
Website

Re: Application Locking using Asymmetric Encryption

It works offline, and certificate don't need to be installed on the client (if by string https you mean mutual authentication) -- which is a not obvious task under windows.

The main idea is also that the unlock file is tied to a given user and computer, with no reuse on another place.
With no compromise during the file exchange.

Offline

Board footer

Powered by FluxBB