Application Security Testing: An Integral Part of DevOps
A popular method of product validation is using keys similar to VJJJBX-H2BBCC-68CF7F-2BXD4R-3XP7FB-JDVQBC. These compact keys can be derived using Symmetric Key Cryptosystems such as the Advanced Encryption Standard (AES).
This article will use AES (specified in FIPS 197) as the Cryptosystem, and Wei Dai's Crypto++ for AES operations. AES will produce compact keys with the additional benefit that the cryptosystem is not burdened with patent compliance. However, should a binary fall to Reverse Engineering, the key will become compromised (note that AES is a Symmetric Cipher - not an Asymmetric Cipher which has Public and Private keys).
The reader is also encouraged to investigate Signature Schemes (with Recovery) as an alternative method to producing Product Keys. An example is PSS-R, a Message Recovery Signature Scheme based on RSA. PSS-R is proposed in ANSI X9.31 (reopened by the ANSI X9F working group) and IEEE 1363. The reader should also visit Product Keys Based on Elliptic Curve Cryptography to familiarize themselves with basic concepts of Product Keys in the domain of Public Key Cryptography.
This article will discuss the following topics:
- Advanced Encryption Standard
- Compiling and Integrating Crypto++ into the Visual C++ Environment
- AES Implementation in Crypto++
- Base Encoding a Cipher Text String in Crypto++
- Bulk Product Key Generation
- Product Key Validation
This article is based on the Visual C++ 6.0 Environment in hopes that it reaches the largest audience.
Advanced Encryption Standard
Currently, there are three FIPS-approved symmetric encryption algorithms: AES, Triple DES, and Skipjack. The article presented uses AES or the Advanced Encryption Standard in CBC Mode. Note that DES (FIPS 46-3) was withdrawn in May 2005, and is no longer approved for Federal use.
AES (or Rijndeal - pronounced "Rhine dahl") is the work of Joan Daemen and Vincent Rijmen - hence the portmanteau Rijndael. AES is a 128 bit block cipher that accepts key lengths of 128, 192, and 256 bits. The required number of rounds (i.e., linear and non-linear transformations), depend on the key size. Below are the FIPS 197 conformant Key-Block-Round combinations.
Taking from FIPS 197:
For both its Cipher and Inverse Cipher, the AES algorithm uses a round function that is composed of four different byte-oriented transformations: 1) byte substitution using a substitution table (S-box), 2) shifting rows of the State array by different offsets, 3) mixing the data within each column of the State array, and 4) adding a Round Key to the State. These transformations (and their inverses) are described in Sections 5.1.1-5.1.4 and 5.3.1-5.3.4.
Compiling and Integrating Crypto++ into the Microsoft Visual C++ Environment
Please see the related article, Compiling and Integrating Crypto++ into the Microsoft Visual C++ Environment. This article is based upon basic assumptions presented in the previously mentioned article. It also addresses most problems encountered with projects from Command Line to MFC (Errors C1083, C1189, LNK1104, LNK2001, and LNK2005). Additionally, it provides some tips and other nicities for using the Crypto++ Library.