Encryption in TrackMySoftware
TrackMySoftware uses uncrackable public-key encryption: 1024-bit RSA with the OAEP padding scheme.
The encryption is only available if you are using the function library (which is only available for Windows at present – other platforms to follow soon).
When you generate keys using the TMSKeyGen program it creates two fields: Encryption Keys and an Authorization Key.
The Authorization Key is NOT part of the public key encryption. It is a separate key which prevents other users of TrackMySoftware from using their copy of the system to generate keys for your applications. It consists of a SHA256 hash of a random 32-byte binary key. This private 32-byte sequence is stored on your server as part of the Encryption Keys.
The Authorization Key can be freely distributed along with your applications. It doesn’t matter if it is known. It is used to verify the source of an encrypted license file.
The Encryption Keys consist of…
- your Private Key
- your Public Key
- the private part of the Authorization Key
…all together in one field.
When the system generates an encrypted license file to be saved on a local machine, it includes the Public Key as part of the file. This means that the Public Key doesn’t have to be specially distributed along with your applications.
The information in the license file can be decrypted using the Public Key included in the file, but it cannot be changed. A valid license file cannot be generated without the Private Key (which is kept safely in the database on your server).
The Authorization Key prevents other users of TrackMySoftware from generating a valid license file for someone else’s application using a different keypair. It verifies that the source of the license file is genuine.
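The relationship between the private 32-byte sequence and the Authorization Key described above, as an added example that is not TrackMySoftware's own code. The function names and the hex encoding of the key are assumptions; how the product ties this check into a license file is not described on this page and is not shown here.

```python
import hashlib
import hmac
import secrets

SECRET_LEN = 32  # the page's "random 32-byte binary key"


def generate_authorization_pair():
    """Return (private_part, authorization_key_hex).

    private_part stays on the server with the Encryption Keys;
    authorization_key_hex can be shipped with the application.
    Hex encoding is an assumption made for this example.
    """
    private_part = secrets.token_bytes(SECRET_LEN)
    authorization_key = hashlib.sha256(private_part).hexdigest()
    return private_part, authorization_key


def matches_authorization_key(candidate, authorization_key_hex):
    """True only if SHA-256(candidate) equals the distributed key."""
    if len(candidate) != SECRET_LEN:
        return False
    try:
        expected = bytes.fromhex(authorization_key_hex)
    except ValueError:
        return False  # malformed key string
    if len(expected) != hashlib.sha256().digest_size:
        return False  # truncated or padded key
    actual = hashlib.sha256(candidate).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    private_part, auth_key = generate_authorization_pair()
    # A second pair stands in for another TrackMySoftware user's keys.
    other_private, _ = generate_authorization_pair()
    print("authorization key:", auth_key)
    print("own private part matches:  ",
          matches_authorization_key(private_part, auth_key))
    print("other private part matches:",
          matches_authorization_key(other_private, auth_key))
```

Because SHA256 is one-way, publishing the Authorization Key does not reveal the private 32-byte sequence, which is why the page can say it may be freely distributed.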