One of the things we get in post-XP Windows is a new crypto library. This offers a number of small advantages such as being a little more "rational" from a usage standpoint (calls are somewhat more symmetric) but also some new crypto features such as longer keysize limits for some existing algorithms, elliptic curve cryptography (ECC), and some other goodies.
So here is a simple class CngRsaSign.cls that makes use of Cryptography API: Next Generation (CNG) for creating RSA key pairs and signing and verifying data blobs.
No formal "certificates" are required or used here.
Scope
I won't go into other issues here such as encrypting the data to be signed, or deriving and verifying "Machine ID" fingerprint values. Those have been covered elsewhere and people have lots of ideas about what makes a good machine ID.
I also haven't addressed things like what your Purchase Server and Product Registration Server might do. At a minimum a Purchase process might accept identifying info and payment and return a Product Key of some type. Then within your program or its installer you might have a Registration process that sends back the entered Product Key, some sort of Machine ID, etc. to your Registration Server which returns the signed license data file which your program records to disk.
However here the issue at hand is simply how to sign a blob of data (for example a software license file) so that your applications can validate it against tampering before trusting the values it contains.
Of course this could also be used to sign "messages" you send to people, with the signature being used to prove the message was from you and not tampered with.
Requirements
Windows Vista or later. There is no redist version of the bcrypt.dll or its dependencies that can be deployed to a Windows XP or older system.
The VB6 development tools of course.
Simple Demo
The demo here just stores two values (Name and Email) in the data blob. These are just stored as "key=value" lines delimited by CRLF in UTF-16LE ("Unicode") text.
You could use UTF-8. You could use XML or JSON. You could use PropertyBag.Contents format. You could encrypt or obfuscate the blob.
Here we do none of that, we just sign it.
Caution
I am not a crypto expert so you will want to verify that nothing being done here weakens the potential advantages of signing such files.
Two Parts
The attachment contains the two-part demo.
The first is Sign.vbp, a simple VB6 program that can (1.) create a key pair which it writes to disk as two blob files, (2.) import the created Private key blob for use in signing data, and (3.) accept Name and Email and then compose the data blob, sign it, and write it to disk.
The second is Verify.vbp, a simple dummy VB6 application. This is even more trivial, and all it does is read the signed data from disk, verify the signature using the Public key blob, and then extract and display Name and Email.
We have created a key pair, now import the private key
We have entered the data, now we can create the signed file
Note that the dummy application has a copy of the Public key stored as a custom resource. After you have generated a new key pair, you must replace the existing Public key with your new one and recompile. Otherwise the next step will fail.
Now we've run the dummy application and the signed data file has passed verification
Enhancements
For a purpose such as a key file you might be more comfortable concealing the payload, so as previously mentioned you might obfuscate or even encrypt it. But the aim here is just to show how to detect and reject a file that has been tampered with.
One thing you might want to do is create a second stripped down version of CngRsaSign.cls for use in applications. Typically you'd only need to be able to import a Public key and then verify the signature within deployed applications. You could also obfuscate the names of things to help throw anyone off who tries to decompile and patch your applications to bypass this check.
To Run The Demo
Download and unzip the attachment.
Open Sign.vbp and run it in the IDE or compile it and run the EXE. Create a new key pair. Import the Private key, enter the two items of data, and create the signed file.
Open Verify.vbp and edit the resource file: delete the existing Public key, create a new custom resource using your new Public key and of course set its ID and TYPE to match those used in the program. Then run it in the IDE or compile it and run the EXE.
That's it.
Updated attachment
Added a 3rd project Tamper.vbp that can be run to read the data field values, let you alter them, and store the signed file back to disk with alterations. If you run this and change anything then the Verify program should fail - even if you just change one letter, add one, or delete one.
Updated again
Removed some redundant definitions.
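A minimal verify-only routine of the kind the Enhancements section suggests for deployed applications, as an added example rather than the attachment's CngRsaSign.cls. The SHA-256 digest, PKCS#1 v1.5 padding, RSAPUBLICBLOB key format and the VerifyBlob name are assumptions, since the post does not state them; the null hash-object buffer it passes is accepted by CNG from Windows 7 onward.

```vb
' Added example, not the CngRsaSign.cls from the attachment.
' Assumed: SHA-256 digest, PKCS#1 v1.5 padding, BCRYPT_RSAPUBLIC_BLOB key format.
Option Explicit

Private Const BCRYPT_PAD_PKCS1 As Long = 2

Private Type BCRYPT_PKCS1_PADDING_INFO
    pszAlgId As Long                    ' pointer to the hash algorithm name
End Type

Private Declare Function BCryptOpenAlgorithmProvider Lib "bcrypt" (ByRef phAlg As Long, ByVal pszAlgId As Long, ByVal pszImpl As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptCloseAlgorithmProvider Lib "bcrypt" (ByVal hAlg As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptImportKeyPair Lib "bcrypt" (ByVal hAlg As Long, ByVal hImportKey As Long, ByVal pszBlobType As Long, ByRef phKey As Long, ByRef pbInput As Byte, ByVal cbInput As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptDestroyKey Lib "bcrypt" (ByVal hKey As Long) As Long
Private Declare Function BCryptCreateHash Lib "bcrypt" (ByVal hAlg As Long, ByRef phHash As Long, ByVal pbHashObject As Long, ByVal cbHashObject As Long, ByVal pbSecret As Long, ByVal cbSecret As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptHashData Lib "bcrypt" (ByVal hHash As Long, ByRef pbInput As Byte, ByVal cbInput As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptFinishHash Lib "bcrypt" (ByVal hHash As Long, ByRef pbOutput As Byte, ByVal cbOutput As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptDestroyHash Lib "bcrypt" (ByVal hHash As Long) As Long
Private Declare Function BCryptVerifySignature Lib "bcrypt" (ByVal hKey As Long, ByRef pPaddingInfo As Any, ByRef pbHash As Byte, ByVal cbHash As Long, ByRef pbSignature As Byte, ByVal cbSignature As Long, ByVal dwFlags As Long) As Long

' True only when Sig is a valid signature over Data; every failure path returns False.
Public Function VerifyBlob(PubKey() As Byte, Data() As Byte, Sig() As Byte) As Boolean
    Dim hRsa As Long, hSha As Long, hKey As Long, hHash As Long
    Dim Digest(0 To 31) As Byte, Pad As BCRYPT_PKCS1_PADDING_INFO
    Dim AlgName As String

    On Error GoTo Cleanup               ' e.g. an unallocated array: fail closed
    AlgName = "SHA256"                  ' kept in a variable so the pointer stays valid
    Pad.pszAlgId = StrPtr(AlgName)
    If BCryptOpenAlgorithmProvider(hSha, StrPtr(AlgName), 0, 0) <> 0 Then GoTo Cleanup
    If BCryptCreateHash(hSha, hHash, 0, 0, 0, 0, 0) <> 0 Then GoTo Cleanup
    If BCryptHashData(hHash, Data(LBound(Data)), UBound(Data) - LBound(Data) + 1, 0) <> 0 Then GoTo Cleanup
    If BCryptFinishHash(hHash, Digest(0), 32, 0) <> 0 Then GoTo Cleanup
    If BCryptOpenAlgorithmProvider(hRsa, StrPtr("RSA"), 0, 0) <> 0 Then GoTo Cleanup
    If BCryptImportKeyPair(hRsa, 0, StrPtr("RSAPUBLICBLOB"), hKey, PubKey(LBound(PubKey)), UBound(PubKey) - LBound(PubKey) + 1, 0) <> 0 Then GoTo Cleanup
    ' STATUS_SUCCESS (0) is the only result treated as "verified".
    VerifyBlob = (BCryptVerifySignature(hKey, Pad, Digest(0), 32, Sig(LBound(Sig)), UBound(Sig) - LBound(Sig) + 1, BCRYPT_PAD_PKCS1) = 0)
Cleanup:
    If hHash <> 0 Then BCryptDestroyHash hHash
    If hKey <> 0 Then BCryptDestroyKey hKey
    If hSha <> 0 Then BCryptCloseAlgorithmProvider hSha, 0
    If hRsa <> 0 Then BCryptCloseAlgorithmProvider hRsa, 0
End Function
```

Call it on the raw bytes read from disk and parse the "key=value" lines only after it returns True, so no field from an unverified file is ever trusted.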