Nikola Anusev

Reputation: 7088

Limiting access to features of web application based on the edition purchased

I have an ASP.NET MVC web application that is supposed to be sold in various editions with each edition unlocking more and more features of the application. Think something like editions of Visual Studio - Professional allows you to do X and Y, but with Premium, you can also do Z.

I am trying to enhance the application so that it would be possible to reliably determine which edition was actually purchased. Or, in other words, to somehow store the information about the edition so that it is easily accessible by the application. I am not looking for any fancy protection mechanism, just something that would make cracking the app more complicated than rewriting some plaintext file :)

One way I could think of is to use public/private key pair. I generate a licence key carrying the edition payload, encrypt it with the private key, and send it to a customer. The customer then inputs the encrypted licence key, which gets stored somewhere, e.g. a database. The public key would be hard-coded to our webapp, so that the app can decrypt the licence key and decide whether to allow access to some feature or not.

This would probably work, but it somehow seems lame to have the public key hard-coded. Is there some alternative to the solution proposed above (perhaps I am trying to reinvent the wheel here)? Are there any glaring flaws with it?

Upvotes: 0

Views: 176

Answers (1)

Maarten Bodewes

Reputation: 94018

It is good that you are not trying to achieve perfect security, because you are trying to implement some kind of content protection scheme, and those are bound to fail without explicit support of the application environment (e.g. OS) - and they will mostly fail even then.

Normally you don't encrypt with a private key, you sign with a private key. You could send a public key with the application and verify within your application that the edition was signed for that particular public key.

There are a lot of ways to attack this scheme, and it can be enhanced by obscuring some more, but that's basically all you can do.

Upvotes: 1
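
The sign-then-verify scheme described in the answer, as an added example that is not code from the question or the answer. It assumes .NET 6 or later; the `Issue` and `Verify` helpers, the `payload.signature` licence key format and the sample payload are hypothetical, and the key pair is generated on the spot only so the demo runs offline.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LicenceDemo
{
    // Vendor side: sign the edition payload with the private key (never shipped).
    static string Issue(RSA privateKey, string payload)
    {
        byte[] data = Encoding.UTF8.GetBytes(payload);
        byte[] sig = privateKey.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        return Convert.ToBase64String(data) + "." + Convert.ToBase64String(sig);
    }

    // Application side: only the public key is needed. Returns the payload
    // when the signature is valid, otherwise null.
    static string Verify(RSAParameters publicKey, string licenceKey)
    {
        string[] parts = (licenceKey ?? "").Split('.');
        if (parts.Length != 2) return null;
        try
        {
            byte[] data = Convert.FromBase64String(parts[0]);
            byte[] sig = Convert.FromBase64String(parts[1]);
            using (RSA rsa = RSA.Create())
            {
                rsa.ImportParameters(publicKey);
                return rsa.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pss)
                    ? Encoding.UTF8.GetString(data) : null;
            }
        }
        catch (FormatException) { return null; } // malformed base64 input
    }

    static void Main()
    {
        using (RSA vendorKey = RSA.Create(2048)) // constructed demo key pair
        {
            // Stands in for the public key hard-coded into the web application.
            RSAParameters embeddedPublicKey = vendorKey.ExportParameters(false);
            string key = Issue(vendorKey, "edition=Professional;customer=ACME"); // constructed payload
            Console.WriteLine(Verify(embeddedPublicKey, key) ?? "rejected");

            // A payload rewritten to another edition no longer matches the signature.
            string edited = Convert.ToBase64String(
                Encoding.UTF8.GetBytes("edition=Premium;customer=ACME")) + "." + key.Split('.')[1];
            Console.WriteLine(Verify(embeddedPublicKey, edited) ?? "rejected");
        }
    }
}
```

The embedded public key can verify licence keys but cannot create them, so it does not need to be kept secret; the check itself still runs in an environment the customer controls, which is the limit the answer points out.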
