Protecting commercial ruby code with public/private key encryption

John Wells

I was speaking with a co-worker today about the disappointment we feel
when we can't write commercial, distributable client-side code with Ruby
today...there's just no good way to protect your IP on the client side.

We came upon a simple(?) idea and I was hoping that the List might help us
expand it and fill in some gaps:

Could one not modify the source of the Ruby interpreter to load a public
key and then only accept code encrypted with the equivalent private
version? Would this provide adequate protection, or does it only mean
that the hacker would have to download the interpreter and make the same
modifications, loading my public key into it, and programmatically to spit
out the unencrypted code after it has passed through decryption? Is there
any way to make this sufficiently hard to do so to the point where any
reasonably complex application is protected? Similar to byte code
obfuscation?

Thanks for your insight.

John
 
Florian Groß

John said:
Could one not modify the source of the Ruby interpreter to load a public
key and then only accept code encrypted with the equivalent private
version? Would this provide adequate protection, or does it only mean
that the hacker would have to download the interpreter and make the same
modifications, loading my public key into it, and programmatically to spit
out the unencrypted code after it has passed through decryption? Is there
any way to make this sufficiently hard to do so to the point where any
reasonably complex application is protected? Similar to byte code
obfuscation?

If your computer can run it I can see it.

Microsoft is working on changing this. See
http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

It's commonly considered a bad idea.

The only way of doing this securely is by running as much code as
possible on your server and having thin clients.

Obfuscation may be a short term solution, but it still won't protect
users from stealing, cracking or reverse engineering your code. (All
those can also be done with the machine code traditionally produced by
lower level languages like C.)

Note that software is still something that falls under copyright. Using the
law to go against people stealing your applications is one way.

The better way is to open your source up and change to a support
business model or do something similar to MySQL.
 
Robert Oliver

John Wells wrote:
The better way is to open your source up and change to a support
business model or do something similar to MySQL.

This is just not an option sometimes. There still is a large place for
closed software in the industry, and Ruby needs a Zend-like solution that
PHP developers enjoy to protect if that's needed.


--
Robert W. Oliver II
CEO / President - OCS Solutions, Inc.
http://www.ocssolutions.com/

Ruby / Ruby on Rails Discussion at http://www.rubyforums.com/

 
Lyndon Samson

Just like putting software logic into silicon, you could compile your
specific Ruby code to C and native compile it.

Disassembly is always an option but fewer people have the skills for that.

 
Florian Groß

Robert said:
This is just not an option sometimes. There still is a large place for
closed software in the industry, and Ruby needs a Zend-like solution that
PHP developers enjoy to protect if that's needed.

I don't see why we would need to obfuscate source code on the server
side. Can you elaborate?
 
Robert Oliver

With Zend, you can distribute your PHP scripts in an encoded fashion.
Modernbill and Kayako currently do this, as well as many other commercial
PHP scripts. They also include license limitations like IP restriction,
hostname restriction, etc.

Robert Oliver wrote:
I don't see why we would need to obfuscate source code on the server
side. Can you elaborate?


--
Robert W. Oliver II
CEO / President - OCS Solutions, Inc.
http://www.ocssolutions.com/

Ruby / Ruby on Rails Discussion at http://www.rubyforums.com/

 
John Wells

Derek Wyatt said:
If the code is encrypted, how are you going to decrypt it?

I think you have your key types mixed up. It's the public
key that can encrypt and the private key that can decrypt.

You're absolutely right...I did flub that in my description, didn't I? I
suppose the point here is to question the viability of packaging a key (the
private key) in the ruby executable to allow decryption of code that was
encrypted with the public key. Public/private is a little confusing in
this scenario, so I'd prefer a locking key and unlocking key. I would
still keep the public key private and secret, so it's truly not "public".

Now, how easy it would be to retrieve the unlocking key from the ruby
executable, I have no idea. I've been led to believe by Lothar's comments
that it's possible to conceal it or the actual decryption point well
enough that anyone would have a very difficult or impossible time getting
at it, but that's possibly (probably?) naive.

Thanks,
John
 
Josh Charles

The mono project allows you to create machine executable code by
embedding the runtime interpreter together with your code. Perhaps
something like that can be done with Ruby as well. I don't know how
difficult it is, but the algorithms are probably transferable from the
mono project.
 
Steven Jenkins

Randy said:
I'm not sure if you're talking about a specific type of encryption, but most
such codes can encrypt with either key and decrypt with either key.

Correct.

If I want to send a (secret) message to you, I can encrypt it with your public
key and you will be able to decrypt it with your private key.

Correct in principle. In practice, I encrypt the message using a
symmetric cipher, encrypt that key using your public key, and send both
ciphertexts. That way I can send a private message to multiple
recipients without having to encrypt the entire message multiple times.

If I want to send a message to everyone and "guarantee my signature" (i.e.,
sign it), I can encrypt it with my private key. If it can be decrypted with
my public key, it is (almost) a guarantee that I did originate the message.

Correct in principle. In practice, I encrypt a hash of the message in my
private key. You hash the message and check that your result matches the
one I sent. That way, a message can have multiple signers in any order.

Steve
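Steve's two "in practice" points, as an added Ruby example using the standard OpenSSL library (not code from any poster in this thread; the HybridMail module and its methods are hypothetical names): the body is encrypted once with a random AES-256-GCM key, that key is RSA-OAEP wrapped once per recipient, and a signature is an RSA signature over a SHA-256 hash so several signers can sign independently in any order.

```ruby
require 'openssl'

# Hypothetical helper for the hybrid-encryption and hash-then-sign scheme
# described above (added example, not from the thread).
module HybridMail
  OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
  # One symmetric encryption of the body, one key wrap per recipient public key.
  def self.encrypt(plaintext, recipient_pubkeys)
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.encrypt
    key = cipher.random_key
    iv  = cipher.random_iv
    cipher.auth_data = ''
    body = cipher.update(plaintext) + cipher.final
    wrapped = recipient_pubkeys.map { |pub| pub.public_encrypt(key, OAEP) }
    { iv: iv, tag: cipher.auth_tag, body: body, wrapped_keys: wrapped }
  end

  # A recipient unwraps whichever copy of the key was made for it; the GCM tag
  # then rejects any modification of iv, body or tag with CipherError.
  def self.decrypt(envelope, priv)
    key = nil
    envelope[:wrapped_keys].each do |w|
      begin
        key = priv.private_decrypt(w, OAEP)
        break
      rescue OpenSSL::PKey::PKeyError # wrapped for someone else: OAEP check fails
      end
    end
    raise ArgumentError, 'no wrapped key for this recipient' unless key
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.decrypt
    cipher.key = key
    cipher.iv = envelope[:iv]
    cipher.auth_tag = envelope[:tag]
    cipher.auth_data = ''
    cipher.update(envelope[:body]) + cipher.final
  end

  # Detached signature: sign SHA-256(message) with the signer's private key.
  def self.sign(message, priv)
    priv.sign(OpenSSL::Digest.new('SHA256'), message)
  end

  # Anyone holding the signer's public key re-hashes and checks; true or false.
  def self.verify(message, signature, pub)
    pub.verify(OpenSSL::Digest.new('SHA256'), signature, message)
  end
end
```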
 
dr

You can use Exerb (http://exerb.sourceforge.jp/index.en.html) for the
Windows platform to distribute client side Ruby applications. The main
idea of Exerb, AFAIK, is to dump the parsed syntax tree and store it inside the
executable.
P.S. It would be wonderful if the official Ruby interpreter could do the same
thing by itself.
Python, BTW, can store compiled programs in *.pyc files, and load them
when the original source file has not changed.
 
Randy Kramer

Correct in principle. In practice, I encrypt the message using a
symmetric cipher, encrypt that key using your public key, and send both
ciphertexts. That way I can send a private message to multiple
recipients without having to encrypt the entire message multiple times.

---< good stuff snipped >----

Thanks for the amplifications/corrections!

Randy Kramer
 
Tesla

John said:
I was speaking with a co-worker today about the disappointment we feel
when we can't write commercial, distributable client-side code with Ruby
today...there's just no good way to protect your IP on the client side.

We came upon a simple(?) idea and I was hoping that the List might help us
expand it and fill in some gaps:

Could one not modify the source of the Ruby interpreter to load a public
key and then only accept code encrypted with the equivalent private
version? Would this provide adequate protection, or does it only mean
that the hacker would have to download the interpreter and make the same
modifications, loading my public key into it, and programmatically to spit
out the unencrypted code after it has passed through decryption? Is there
any way to make this sufficiently hard to do so to the point where any
reasonably complex application is protected? Similar to byte code
obfuscation?

Thanks for your insight.

John

I use zend encoder now and again when I have a good idea and I don't
want to give up the recipe to just everyone.

Zend encoder works by doing a pre compile to byte code which makes it
illegible. It also spices up the deal by locking the code with a key
from the PC being used. Then when Zend optimizer sees the PHP code is
already precompiled its job becomes easier. So things speed up accordingly.

So to do this with Ruby would mean that a precompiler or optimizer would
have to be built first. Something that the server could run and
interpret the byte code. As of yet there is nothing like this for Ruby.
But it is being worked on I might guess.

Trying to do it otherwise is a pain in the butt. I have tried with PHP
and helped with a few obfuscation projects in PHP ASP and VB.
 
Richard Lyman

You can use Exerb (http://exerb.sourceforge.jp/index.en.html) for the
Windows platform to distribute client side Ruby applications. The main
idea of Exerb, AFAIK, is to dump the parsed syntax tree and store it inside the
executable.
P.S. It would be wonderful if the official Ruby interpreter could do the same
thing by itself.
Python, BTW, can store compiled programs in *.pyc files, and load them
when the original source file has not changed.

(Unless it has changed recently) Please understand that if you open an
exerb generated exe file in a text editor you can scroll to a section
where your program is visible as plain text.

-Rich
 
nobody

(Unless it has changed recently) Please understand that if you open an
exerb generated exe file in a text editor you can scroll to a section
where your program is visible as plain text.

pack it with UPX?
 