DSA: What can a hacker do with *just* a public key?

kurige · Oct 19, 2010 · Viewed 7.1k times

The shareware registration system I'm currently developing embeds the public DSA key in the executable itself, and the private key resides on a server. (For the sake of discussion let's assume that the server is 100% secure, and there is no way for anybody to get their hands on the private key.)

Whenever the program is purchased, the server generates a license for the user by signing the user's name with the private key. That license is then emailed to the user. Once the user manually enters their name and license into the shareware application, it is verified by the public key embedded in the application to be a valid or invalid license.

However, it would be fairly trivial for a determined person with the right "know-how" to disassemble the executable and retrieve the public key.

My question here is, what could they do with it? Is a public key, by itself, completely innocuous? Is the public key enough information to reverse engineer a key generator?

Curious minds want to know. Thanks in advance!

Answer

Michael Burr · Oct 19, 2010

The public key should get them nothing useful. However, if the check is easily found they might be able to simply circumvent it and patch in a test that always succeeds without ever bothering to verify the license against the public key.
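
The scheme described in the question, as an added example that is not code from the original post or from either poster: a standard-library-only toy DSA in which the server signs the user's name and the application verifies the licence with the embedded public key. The parameters are constructed for the demo and far too small for real use, and `toy_params`, `SERVER_X`, `APP_Y`, `digest`, `sign` and `verify` are names assumed here.

```python
import hashlib, secrets

def is_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin for odd n > 37, fixed bases (adequate for this demo)."""
    d = n - 1
    s = (d & -d).bit_length() - 1          # number of trailing zero bits
    d >>= s
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_params():  # constructed 65-bit q, ~257-bit p: too small for real licences
    q = 2**64 + 1
    while not is_prime(q):
        q += 2
    k = 2**192                             # k stays even so p = k*q + 1 is odd
    while not is_prime(p := k * q + 1):
        k += 2
    return p, q, next(g for g in (pow(h, k, p) for h in range(2, 99)) if g != 1)

P, Q, G = toy_params()
SERVER_X = secrets.randbelow(Q - 1) + 1    # private key: never leaves the server
APP_Y = pow(G, SERVER_X, P)                # public key: embedded in the executable

def digest(name):
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % Q

def sign(name, x):  # server side: issue a licence (r, s) for the user's name
    while True:
        k = secrets.randbelow(Q - 1) + 1   # fresh secret nonce per licence
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (digest(name) + x * r) % Q
        if r and s:
            return r, s

def verify(name, licence, y=APP_Y):  # application side: public values only
    r, s = licence
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    return pow(G, digest(name) * w % Q, P) * pow(y, r * w % Q, P) % P % Q == r
```

Everything `verify` touches (`P`, `Q`, `G`, `APP_Y`) can be read out of the executable, yet issuing a licence that passes it requires `SERVER_X`. As the answer notes, that leaves the integrity of the check itself as what the application depends on.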