my goal protect licence information of software product. client uses platform should not able alter it, should not able crack it.
let me provide context specific solution: in order platform work, must connect rest api in order licence. platform make these requests periodically check if there changes in licence. requested licence cached, somewhere in platform's database.
things have considered:
- encrypting licence in client database: because platform needs use parameters held licence, don't see how encryption can achieved without exposing private key platform. way see it, if expose private key platform, malicious user can use alter he's licence.
- signing data: way of looking @ it, sign data, , if changes data, can take appropriate actions. since can create signature using private key, , use signature , public key on client platform compare it, not expose private key. problem see here can override key pair own, meaning can create dummy server signs document own private key , use own public key check signature. having intelligent key management system nullify threat?
i know in normal use case, it's in clients best interest protect platform, because of nature of platform, have assume client platform hostile environment.
how solve problem? there obvious solution missing?
Comments
Post a Comment