To: "hemma prafullchandra" <Hemma.Prafullchandra@Eng>,
Message-Id: <029101bda4ed$e79ccfa0$46265c87@atlantis.hr-firewalls.lucent.com>
From: "Jatinder Bali" <jbali@lucent.com>
Subject: Re: Clients and certificates ... (Fwd)
Date: Wed, 1 Jul 1998 08:43:53 -0400

Hi Hemma,

I don't think that you understood my question correctly. Let me restate it.
I want to use Java as a "licensing protection mechanism". What I mean by
this is that I want to write Java code that checks a "license file" written
by me and signed by me (nobody modified it) and check if the license expired
or not. And I should be able to do other stuff with the license file like
checking for strong encryption versus weak encryption, etc.

I don't think it is a matter of getting certificates signed by a trusted
third party. It does not help as the end user can simply decompile and
bypass the whole mechanism of checking for license violation, etc.

>> you've not taken adequate measures in your
>> design to make this a non-issue. As you say, "Obfuscation helps but there
>> are a lot of smart guys who can modify it in minutes." How about shipping
>> your application signed and then only allowing access if it verifies and
>> your authentic cert. is in the JVM store ?

I don't think I understand this. How can I take adequate measures here? I am
shipping my application signed and I want to allow access to it only if it
verifies, but I need it to be in Java, which brings me back to the original
trick of decompilation and bypassing the code. And since I am using the
certificate mechanism built into the JDK I need to write code in Java. I am not
sure how difficult it is to write this in C and call Java from there. Has
anybody tried it?

I am not sure, but I am coming to the conclusion that Java certificates are
a mechanism for the end user to keep himself protected but it does not
protect the provider from change of code that he shipped to the end user.

I would appreciate any help.

Thanks in advance,
Jatinder

-----Original Message-----
From: hemma prafullchandra <Hemma.Prafullchandra@Eng.Sun.COM>
To: jbali@lucent.com <jbali@lucent.com>
Date: Tuesday, June 30, 1998 9:40 PM
Subject: Re: Clients and certificates ... (Fwd)
>
>Hi,
>
>> --> I have a basic question on signatures in 1.1.
>> -->
>> --> How do I protect clients from modifying license files signed by me. I
>> --> need access to these files so that I can verify when it expires, etc ...
>> --> and I also need a way to verify the signature on these files. Since my
>> --> program is 100% java
>> --> they can easily decompile it, change the public key, generate a new
>> --> signature and hence modify the license file to whatever they please or
>> --> simply bypass the code that checks the signatures.
>> -->
>> That is why you have certificates signed by trusted third parties.
>> If you use self-signed certs then you'd have to make sure that the
>> copy you base your access control decisions on are authentic.
>> (You don't rely on the one sent in the signed object but the one
>> you have in your local "trust" store that you got by other means
>> and cannot be modified without detection).
>>
>> If however clients circumvent your licensing by decompilation/modification
>> of your client side code then you've not taken adequate measures in your
>> design to make this a non-issue. As you say, "Obfuscation helps but there
>> are a lot of smart guys who can modify it in minutes." How about shipping
>> your application signed and then only allowing access if it verifies and
>> your authentic cert. is in the JVM store ? A lot more deployment hassle
>> but there's not much that can be done about java decompilation other than
>> the regular business laws to protect you.
>>
>> Hemma
>
>
>
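
The check discussed in this thread, as an added example that is not part of the original messages: a license file is verified against the vendor public key held in the local trust store, never against a key delivered with the file, and only then is its expiry read. The class name, the key=value license format with an `expires` field, the SHA256withRSA algorithm and the in-memory key pairs are assumptions made for illustration (the thread concerns JDK 1.1; this uses current JDK APIs), and the check does nothing against the code patching the thread goes on to discuss.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.LocalDate;
import java.util.Properties;

public class LicenseCheck {
    // Verify the license bytes against the vendor key from the local trust store
    // (assumed to be obtained out of band), then read the signed expiry field.
    static boolean isValid(byte[] license, byte[] sig, PublicKey trusted, LocalDate today)
            throws Exception {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(trusted);
        v.update(license);
        try {
            if (!v.verify(sig)) return false;      // modified or re-signed file
        } catch (SignatureException e) {
            return false;                          // malformed signature bytes
        }
        Properties p = new Properties();
        p.load(new StringReader(new String(license, StandardCharsets.UTF_8)));
        String expires = p.getProperty("expires");
        return expires != null && !today.isAfter(LocalDate.parse(expires));
    }

    static byte[] sign(byte[] data, PrivateKey key) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair vendor = g.generateKeyPair();  // constructed: stands in for the vendor key
        KeyPair other = g.generateKeyPair();   // constructed: a key the vendor does not own
        PublicKey trusted = vendor.getPublic();
        LocalDate today = LocalDate.of(1998, 7, 1);

        byte[] lic = "expires=1998-12-31\ncrypto=strong\n".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(lic, vendor.getPrivate());
        byte[] edited = "expires=2098-12-31\ncrypto=strong\n".getBytes(StandardCharsets.UTF_8);
        byte[] resig = sign(edited, other.getPrivate());
        byte[] old = "expires=1998-01-31\n".getBytes(StandardCharsets.UTF_8);

        System.out.println("genuine:   " + isValid(lic, sig, trusted, today));
        System.out.println("edited:    " + isValid(edited, sig, trusted, today));
        System.out.println("re-signed: " + isValid(edited, resig, trusted, today));
        System.out.println("expired:   " + isValid(old, sign(old, vendor.getPrivate()), trusted, today));
    }
}
```

On JDK 11 or later the file can be run directly with `java LicenseCheck.java`.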