How secured is the .Net licensing component

[S.K. Dutta]

Hi!

We have a .Net based product where we have implented a
user based licensing using encryption, strong key and com
components (we wrote it in C++ to avoid the license code
being visible).

We are planing to move the implementation to the .Net
licensing component. I was wondering if anybody has any
experience with such an implementation as regards to
security of such an implemention.

The concern is that if the licensing code is implemented
using the manage code, the logic will be visible to
anybody who can disassemble using tools like ILDASM etc.

Thanks
Dutta S.K.

 

[Chris Jackson]

Any time that you store everything on the local machine, there is an
opportunity to read it. ILDASM doesn't introduce any capabilities that you
didn't have before, it just gives you more details. If you encrypt on the
local machine, then you have to be able to decrypt on the local machine, and
consequently the key must be stored on the local machine. If it is stored
there, then somebody can fetch it if they are determined enough.

What it boils down to is how much you need to tighten down your product.
Does it have a huge demand from unscrupulous people? For example, tons of
people will happily download Windows and crack it, so they have to implement
a hardware hash as well as a product key that is transmitted to servers that
they do have control over. However, at some point security is good enough,
and if you are selling a business component, then the demand from
unscrupulous folks might be comparatively low, and secure enough might be
adequate. You need to weigh the inconvenience to your customers and the
costs of implementation to determine how bulletproof you need this sucker to
be.

 

[LogicNP]

You must use a good obfuscator so that your .Net code cannot be viewed by programs like ILDASM or Reflector. The combination of CryptoLicensing for licensing your app and Crypto Obfuscator for obfuscating it should work well.