protecting/licensing C# application

Thread starter: ptheate

Hi,
I am going to release a C# desktop application to a customer.
I know this customer has friends interested in this application.
I would like to protect this application from being used by someone
else than my customer.
This application connects to a web service at startup using the
customer user name and password.
This user name is unique for this web service (by the way, this web
service is a third-party commercial company; I have no control over it).
I thought using this user name for generating asymmetrical keys
(public + private).
When the user tries to log in using his user name, the key is checked
and if the user name given doesn't match the user name used to
generate the key, the login fails.
Is it a good way to protect my application?
How can I do it (I only know cryptography basics)?
Thanks in advance,

Pierre.

P.S. I also use Dotfuscator Community Edition (free version) to
protect assemblies.
 
What do you think about the following:
Write the user name hashed with a KeyedHashAlgorithm (I think about
HMACSHA512) and check for a match when user login.
 
That is the way to do it. Not sure what your "KeyedHashAlgorithm" is, but it
is probably very similar to a SHA password (you can look that up, because it
is very common).

Works like this

Client logs in with his ID and Password.

Password goes into SHA, SHA outputs LargeEncryptedString.

Your database stores ID and LargeEncryptedString - NOT your Client's
Password! You do not want to have your client's password, because that is
accepting a huge liability.

You take your Client's ID and compare that to SHA(txtPassword) =
LargeEncryptedString.

Yes, you have your Client's Password on the form, but do not make any
attempt to store it.

In this way, your Client can also pick as simple of a password as they want
(like "1", "A", or "Bert"). The password goes in, and out pops a large string
of scrambled numbers and letters that meets strict password requirements just
about anywhere.

FYI: If you use any websites that require you to enter a password with
uppercase and lowercase letters and numbers, you can be pretty certain that
they are storing your actual password in their databases and that anyone with
access to their databases has the ability to look up your password. How is
that for creepy?

FYI 2: Have you ever lost your password and clicked to have that fixed? If you
are given some kind of garbage password that means nothing or a link to reset
your password, that is good. Hopefully they are not storing your password.
However, if they email your password right back to you over the Internet, go
find someone else to do business with. Not only are they storing your
password in their databases, but they also just sent it out over the Internet
where it went through 5 or 6 different routers that store information.

Sorry for rambling, but I obviously have strong feelings about this.
 
You can make things even more interesting by salting with the username;
this also means that you can't find out if 2 users have the same
password simply by comparing the hash, since hashing the same password
with 2 different salts (i.e. 2 different usernames) produces very
different hashes. But you might want to normalize case first ;-p
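The scheme the two replies above describe (store only a hash, never the password; salt it with the case-normalized username so equal passwords give different stored values), as an added C# example that is not code from any poster in this thread. It assumes .NET 6 or later, and it derives the stored value with PBKDF2 (Rfc2898DeriveBytes.Pbkdf2) instead of a single SHA pass so that guessing is slower; the iteration count and the sample users are constructed for the example.

```csharp
// Added example, not code from the thread: password verification that keeps
// only a salted hash. Assumes .NET 6 or later.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class PasswordStore
{
    private const int Iterations = 100_000; // PBKDF2 work factor chosen for this example
    private const int HashLength = 32;      // bytes of derived key kept per user

    // Normalise the username before using it as the salt, as the reply suggests,
    // so "Pierre" and "pierre" derive the same hash. (A random per-user salt stored
    // next to the hash is the more robust choice; the username is used here
    // because that is what the thread proposes.)
    private static byte[] SaltFor(string userName) =>
        Encoding.UTF8.GetBytes(userName.Trim().ToLowerInvariant());

    // The password itself is never written anywhere; only this output is stored.
    public static byte[] Hash(string userName, string password) =>
        Rfc2898DeriveBytes.Pbkdf2(password, SaltFor(userName), Iterations,
                                  HashAlgorithmName.SHA256, HashLength);

    // Constant-time comparison so the check does not leak how many bytes matched.
    public static bool Verify(string userName, string password, byte[] stored) =>
        CryptographicOperations.FixedTimeEquals(Hash(userName, password), stored);

    public static void Main()
    {
        // Constructed sample "database": user ID -> stored hash, no passwords.
        var db = new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        {
            ["pierre"] = Hash("pierre", "Bert"),
            ["alice"]  = Hash("alice",  "Bert"), // same password, different salt
        };

        // Correct password; username case differs from the stored record.
        Console.WriteLine(Verify("Pierre", "Bert", db["pierre"]));
        // Wrong password: only the username is case-normalised, not the password.
        Console.WriteLine(Verify("pierre", "bert", db["pierre"]));
        // Same password for two users does not produce the same stored value.
        Console.WriteLine(Convert.ToHexString(db["pierre"]) == Convert.ToHexString(db["alice"]));
    }
}
```

The `Verify` call recomputes the derivation from the typed password and compares it to the stored bytes, which is the "compare SHA(txtPassword) to the stored string" step from the reply; nothing that would let you recover the password is ever persisted.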
 
Thanks for your help.
I don't want to store the password, it is not recorded at all.
I want my software to run only if the user name given at the login is
the same as the one saved in an XML file for example (after hashing of
course).
I used KeyedHashAlgorithm (HMACSHA512) with a private key known only
by me to prevent the user from easily re-generating the hash (as he
obviously also has the user name ;-) ).
I still have a problem with this solution:
the private key is hard coded in the source code.
 
If the private key is hard-coded in your source code, that's a very vulnerable back-door. You should use a public-private key pair based licensing scheme like CryptoLicensing (uses RSA).
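What a public/private key licensing scheme changes, as an added C# example that is not code from the thread and not CryptoLicensing's implementation: the licence is signed on the developer's machine with a private key the customer never receives, and the application ships with only the public key, so unlike the hard-coded HMAC key, nothing inside the shipped program lets a user mint a licence for a different user name. It assumes .NET 6 or later; the `payload|signature` file format, the field names and the sample dates are constructed for the example. The check still runs inside the customer's binary, so it raises the bar rather than making the program impossible to patch.

```csharp
// Added example, not the thread's code: RSA-signed licence bound to a user name.
// Assumes .NET 6 or later.
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Issuer side: runs on the developer's machine and never ships with the application.
public sealed class LicenseIssuer
{
    private readonly RSA _privateKey;
    public LicenseIssuer(RSA privateKey) => _privateKey = privateKey;

    // Canonical form of what is licensed. Every field the client checks must be
    // inside the signed string, or it could be edited without breaking the signature.
    public static string Payload(string userName, DateTime expiresUtc) =>
        $"user={userName.Trim().ToLowerInvariant()};expires={expiresUtc:yyyy-MM-dd}";

    // Licence text is "payload|signature", both base64 so it fits in a text/XML file.
    public string Issue(string userName, DateTime expiresUtc)
    {
        byte[] payload = Encoding.UTF8.GetBytes(Payload(userName, expiresUtc));
        byte[] sig = _privateKey.SignData(payload, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return Convert.ToBase64String(payload) + "|" + Convert.ToBase64String(sig);
    }
}

// Client side: compiled into the application, holding the public key only.
public sealed class LicenseChecker
{
    private readonly byte[] _publicKeyDer;
    public LicenseChecker(byte[] publicKeyDer) => _publicKeyDer = publicKeyDer;

    public bool IsValid(string licenseText, string loginUserName, DateTime nowUtc)
    {
        string[] parts = licenseText.Split('|');
        if (parts.Length != 2) return false;
        byte[] payload, sig;
        try
        {
            payload = Convert.FromBase64String(parts[0]);
            sig = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { return false; }

        using RSA rsa = RSA.Create();
        rsa.ImportRSAPublicKey(_publicKeyDer, out _);
        if (!rsa.VerifyData(payload, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            return false; // edited payload, or signed by some other key

        // Only after the signature holds are the fields inside trusted.
        string? user = null, expires = null;
        foreach (string kv in Encoding.UTF8.GetString(payload).Split(';'))
        {
            int eq = kv.IndexOf('=');
            if (eq < 0) return false;
            string k = kv.Substring(0, eq), v = kv.Substring(eq + 1);
            if (k == "user") user = v; else if (k == "expires") expires = v;
        }
        if (user == null || expires == null) return false;
        if (user != loginUserName.Trim().ToLowerInvariant()) return false;
        return DateTime.TryParseExact(expires, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                      DateTimeStyles.None, out DateTime exp)
               && nowUtc.Date <= exp.Date;
    }
}

public static class Demo
{
    public static void Main()
    {
        using RSA key = RSA.Create(2048);               // private half stays with the developer
        var issuer = new LicenseIssuer(key);
        string license = issuer.Issue("Pierre", new DateTime(2030, 1, 1));

        var checker = new LicenseChecker(key.ExportRSAPublicKey()); // only this ships
        DateTime now = new DateTime(2025, 6, 1);
        Console.WriteLine(checker.IsValid(license, "pierre", now)); // the licensed user
        Console.WriteLine(checker.IsValid(license, "friend", now)); // same file, another login

        // Rewriting the name inside the file leaves the old signature, which no longer matches.
        string[] parts = license.Split('|');
        string edited = Convert.ToBase64String(Encoding.UTF8.GetBytes(
            LicenseIssuer.Payload("friend", new DateTime(2030, 1, 1)))) + "|" + parts[1];
        Console.WriteLine(checker.IsValid(edited, "friend", now));
    }
}
```

The user name is lower-cased on both sides before signing and before comparing, for the same case-normalisation reason raised earlier in the thread; the expiry field is there to show that anything the client enforces has to live inside the signed payload.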
 