Basically, you're going to have a tradeoff between security and usability. You can reduce the signature length by reducing the security level, but then it becomes possible to forge the signatures by brute force.
Now, the bad news is that, unfortunately, an ECDSA signature with a non-trivial security level is still pretty long for a license key. You can also use the same scheme for product activation keys in this case, the data you'd be signing wouldn't be just a serial number, but some kind of digest string identifying the user and possibly some features of the system they're installing the software on. When the number is entered by the user, the software checks that the signature is valid using its public key. Your serial key will consist of a simple serial number, plus a signature of that number using the private key. What you need is an elliptic curve digital signature scheme, such as ECDSA.īasically, your key generation server will hold the private half of the keypair, while the software you distribute will contain the public half. What is the correct way to do this? Do I miss the correct scheme for this? It can't be ECDSA, it can't be ECIES. And the keys they show in the screenshot are very short: For 128 Bit keys only around 30 characters. What I am really looking for is a solution similar to where they use the right concept: The private key to generate the serial and the public key to verify them. But this results in a large serial number.
The next idea would be to just encode the information arbitrarily and append a signature based on ECDSA to it.
However, knowing the domain parameters and the private key, it is easy to derive the public key for ECIES, right? The public key is used to encrypt (generate the serial) whereas the private key is in the application and used to decrypt. However, I see no benifit in this: They choose domain parameters which needs to be known by the app and the creator. Therefore I want to build something similar on my own. However, this is based on RSA resulting in large numbers. The initial idea is from where they can create serials where information is encrypted. What I want to do is to encode information in the serial which can be publicly verified but only created by me. I want to (or created) serial keys based on elliptic key cryptography.
0 kommentar(er)
