Encrypt data locally to prevent tampering, but still software readable


    As I have stumbled around with this question for too long, I'm opening this up to the great brains of this forum.

    I have created a web application, that I have decided to lease so others can use it. My issue is how do I control the lease.

    There are two factors; first, the software is designed limiting the total number of items (members, products, etc) allowed, the monthly rate will determine how many are available and second, as this is a monthly lease so I need to be able to update or cut off amounts and features on an as-needed basis.

    One of my first ideas was to have the values stored in a database on their server encrypted, but I can't figure out how to have the software able to decrypt it every time a page gets loaded without just handing them the keys. In which case, why bother encrypting in the first place?

    I've also thought of a separate .mvc file that contains the values, but I don't think that is very secure either. It also doesn't allow me to cut them off should they stop paying unless I can force the software to download a new version every month. But that means I need to compile new files for every client every month.

    As I said up front, this is my own application so I can't use any of Miva Merchant's already built APIs; this has to be home-brewed.

    So how does someone encrypt/encode data so that it is readable and alterable by the software, but cannot by direct access?

    Thanks,

    Scott

    #2

    Scott,

    I think the only solution that will offer you control is to place those "keys" and limits on a remote server where you and only you can administer them. That will also give you the controls to disable or limit for non-payment. This is the same concept basically as licensing. Assuming that this is a web-based application, this would be fairly simple and a 7/mo account (with Miva Hosting for example) would handle the licensing system just fine.
    Bruce Golub
    Phosphor Media - "Your Success is our Business"



      #3

      Hi Bruce,

      Thanks for the reply. I thought about that, but figured that making a call to my server every time any page was loaded would be a very expensive way to go; both in money and validation overhead.

      Do you have any examples or documentation you can point me at regarding this? All my searches turned up too much off topic that I couldn't find a single good source.

      Thanks



        #4

        You don't have to do it every time it's loaded. You could create a "license" database (that is encrypted) and just check every two weeks or so, or whatever interval works (that's what our license server does). As for the checking locally at every page load--that's overhead you'll have to take on. Really no way around it that I can see.
        Bruce Golub


          #5

          It's the license database that I'm having a hard time wrapping my head around.

          To me, the license is more than "Are you paid up?" If that was the case then yes, just checking every couple of weeks, either by the software calling me, or me pinging the software, would be fine.

          But I also need to store, "You are allowed to have a maximum of 10 users on this site, 2 admin, 3 categories in the forum...." That part needs to be always available...

          As I'm writing this, I think I have a solution.. I don't really need to encrypt that information, just make it tamper proof. For that, all I really need is a checksum. Just generate a formula that encodes all the bits of data so that if anything is changed, the checksum fails and the software stops.

          Part of the checksum can include license expiration date and last time the license was checked. So every two weeks, the checksum will change.

          Does this sound logical and do you see any gaps?

          Thanks



            #6

            Originally posted by Scott McCollough
            Part of the checksum can include license expiration date and last time the license was checked. So every two weeks, the checksum will change.

            Does this sound logical and do you see any gaps?

            Thanks

            Nope, that's the basic idea of licensing...you are just expanding it to include other data. (If it's just a 'match' it's easy to pass around the 'key', you need to match the key to a one-time event (what storing a checksum is basically).) You might throw in a random base number just to make things fun.
            Bruce Golub


              #7

              So the next question is, since this would be set up for one domain only I want a check to make sure the software is only used on the correct domain. In other words, if I lease to www.mysite.com I want to be sure that it can only be run on www.mysite.com.

              Looking at various s. variables I get inconsistent results. Sometimes things are set, sometimes they are not. Some are set differently depending on how I access the site; whether or not I use IP address or DNS name kind of thing.

              Any suggestions?



                #8

                I think that s.documenturl always contains the exact URL that was used to access the page/script. So assuming the usual URL format, you could use
                Code:
                gettoken(s.documenturl, '/', 3)
                to retrieve the current domain.
                Kent Multer
                Magic Metal Productions
                http://TheMagicM.com
                * Web developer/designer
                * E-commerce and Miva
                * Author, The Official Miva Web Scripting Book -- available on-line:
                http://www.amazon.com/exec/obidos/IS...icmetalproducA
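
An added example, not part of any post in this thread: the tamper check from post #5 and the domain check from post #8, sketched in JavaScript (Node.js) rather than Miva Script. It swaps the plain checksum for an Ed25519 signature, so the installed copy holds only a public key and cannot re-sign an edited license; the field names, function names and sample values are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Vendor side: generated once. Only publicKey ships with the leased application.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Constructed sample license: limits, leased domain, and the date by which the
// application must have fetched a fresh license (the "every two weeks" refresh).
const SAMPLE = {
  domain: 'www.mysite.com',
  expires: '2025-01-15T00:00:00Z',
  limits: { users: 10, admins: 2, categories: 3 },
};

// Vendor side: serialize the fields and sign the exact bytes that get stored.
function issueLicense(fields) {
  const payload = JSON.stringify(fields);
  const sig = crypto.sign(null, Buffer.from(payload), privateKey).toString('base64');
  return { payload, sig };
}

// Same position as gettoken(s.documenturl, '/', 3): the third '/'-separated token.
function hostFromUrl(documentUrl) {
  return (documentUrl.split('/')[2] || '').toLowerCase();
}

// Client side: runs locally on every page load, no call to the vendor needed.
// `now` is milliseconds since the epoch; `counts` is current usage per limit name.
function checkLicense(license, documentUrl, now, counts) {
  let valid = false;
  try {
    valid = crypto.verify(null, Buffer.from(license.payload), publicKey,
                          Buffer.from(license.sig, 'base64'));
  } catch (e) { valid = false; }
  if (!valid) return 'tampered';                 // any edited byte breaks the signature

  const f = JSON.parse(license.payload);         // parsed only after verification
  if (hostFromUrl(documentUrl) !== f.domain) return 'wrong-domain';
  if (now > Date.parse(f.expires)) return 'expired';
  for (const [name, used] of Object.entries(counts)) {
    if (used > (f.limits[name] ?? 0)) return 'over-limit:' + name;
  }
  return 'ok';
}
```

Because the domain is compared as an exact string, a request made by IP address fails the check, which matches the goal stated in post #7.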
