4

A software (written in Java) by a vendor uses DSA signature to verify that the license information is correct.

It achieves this by embedding the public key in the same Java software.

Legit license information is generated, and then signed with the private key, and is saved to a file, which can be verified by the public key.

Along comes a hacker, who generates his own private/public key pair, and changes the embedded public key in the Java software to his own. He then generates a license file with his own private key.

How can this scenario be circumvented? That is, what measures can the vendor take in order to prevent the hacker from doing the above?

Thank you.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
chuacw
  • 175
  • 10

1 Answers1

10

Not much, really.
When the attacker has access to the code, he can modify it to his heart's contents.
You can make it more difficult, by using code obfuscation for example. But you cannot render it impossible.

You could make the code connect to a server via the internet to verify it's integrity, but the attacker could re-engineer the code to call on his own server, too. (And it will hinder any legitimate users whose connections are down...).

So you have to prevent the attacker from having access to the code.
Assuming your user has a reliable internet connection, this could be done by offering your code as a service (SaaS).

S.L. Barth
  • 5,504
  • 8
  • 39
  • 47
  • 3
    Not to mention the fact that the more difficult it is, the greater the challenge. And we hackers do love a good challenge ;) – Polynomial May 28 '12 at 09:23