MMF Security Questions

[MelliGeorgiou]

Hi guys, I wonder if any of you guys can help me on this front.. (it's long - so I apologize from now!)

I'm designing an anti-piracy project using a server to hold the email and MAC addresses of 'paid' customers, and using authentication to connect to the server (using MOO, Blowfish and the String Parser object).

On the client side, I have created an object that creates a long phrase of about 50 characters when needed. This phrase consists of 8 strings, 2 reversed strings, and 8 integer values that are put together in a very long evaluation to create it (The phrase is ALWAYS the same when it is put together, but is never written in a put-together format - It is always evaluated).

The server side evaluates this phrase the same way. When sending messages to the server, I use String Parser to make the first element an encrypted version of the phrase, and then their email address and MAC Address is in the second and third element.

When it reaches the server, an expression that compares the (again) evaluated phrase with the decrypted first element sent is carried out to Authenticate where it came from.

If Authentication matches the phrase, their email address and MAC address are checked on the database, and if their details are found, the server sends back a message using the same Authentication process.

The client authenticates the phrase in the same way, and also receives an 'Accept' or 'Decline' message from the server. If the phrase doesn't match, it is an automatic 'Decline', and if there is no Internet connection, it is 'Declined' again also.

How secure is the above system, and how easy is it to open up an MMF-Created exe file and find useful information inside? This is why I never write/Store the phrase in a straight forward manner. It is ONLY put together when it needs to authenticate in an expression and not ever stored in its full-form.

I know this is a bit in-depth, but security is a big issue for me and I'd appreciate any suggestions.

Thanks a lot in advance!

-Mel

[James]

It isn't hard to find out what is done to the phrase... whatever can go wrong will go wrong.

[MelliGeorgiou]

hmm.. so what can I do? Any suggestions?

[joewski]

How secure is the above system, and how easy is it to open up an MMF-Created exe file and find useful information inside? This is why I never write/Store the phrase in a straight forward manner. It is ONLY put together when it needs to authenticate in an expression and not ever stored in its full-form.

-Mel

For anti piracy of software, I think that would be more than enough, although network cards have been know to be upgraded from time to time, which could cause grief on the users part

I suggest, you monitor the IP address and Mac addresses, and forget the email address and Mac address.

If your trying to stop piracy I would suggest using the Lua Object as well. Write your code so the server must send a piece of vital code to your application to run in LUA, if the code isn't there then the application can't run without it. Naturally encrypt it.

Remember many of the routines in an application can be hacked out and patched.

To help you more I really need to know more about the objectives of the application. Ie is the application perminently connected to the internet or is it only checking for updates.

[MelliGeorgiou]

Hi Joeski,

Thanks for the reply! Well, this is where things get a lot harder for me! LOL ...

I have one central application, which effectively just launches the others.

My original plan was to have some code in each of the smaller apps to keep tabs on the main app. If that app isn't running, then the they will automatically quit. But I'm now thinking of having the smaller apps saved inside the main app and somehow put them together with subapps, etc. Which for security reasons would be much better..

The central application is the app that talks to the server, I haven't even touched LUA to be honest.. So I don't really know what I'm doing on that front. But I'm not too scared to learn either!

I have yet to make a firm commitment if the app is going to be permanently connected to the net. It doesn't need to be connected to do what it does, I just assumed it would be more secure if I made it a requirement and the server was contacted every 5-10 minutes to maintain the connection. That may be pointless though, as Jam said, if they crack it, then it's gone..

Have I painted a better picture? lol