Protecting commercial ruby code with public/private key encryption

Discussion in 'Ruby' started by John Wells, Aug 18, 2005.

  1. John Wells

    I was speaking with a co-worker today about the disappointment we feel
    when we can't write commercial, distributable client-side code with Ruby
    today...there's just no good way to protect your IP on the client side.

    We came upon a simple(?) idea and I was hoping that the List might help us
    expand it and fill in some gaps:

    Could one not modify the source of the Ruby interpreter to load a public
    key and then only accept code encrypted with the equivalent private
    version? Would this provide adequate protection, or does it only mean
    that the hacker would have to download the interpreter and make the same
    modifications, loading my public key into it, and programmatically to spit
    out the unencrypted code after it has passed through decryption? Is there
    any way to make this sufficiently hard to do so to the point where any
    reasonably complex application is protected? Similar to byte code
    obfuscation?

    Thanks for your insight.

    John
    John Wells, Aug 18, 2005
    #1

  2. John Wells wrote:

    > Could one not modify the source of the Ruby interpreter to load a public
    > key and then only accept code encrypted with the equivalent private
    > version? Would this provide adequate protection, or does it only mean
    > that the hacker would have to download the interpreter and make the same
    > modifications, loading my public key into it, and programmatically to spit
    > out the unencrypted code after it has passed through decryption? Is there
    > any way to make this sufficiently hard to do so to the point where any
    > reasonably complex application is protected? Similar to byte code
    > obfuscation?


    If your computer can run it I can see it.

    Microsoft is working on changing this. See
    http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

    It's commonly considered a bad idea.

    The only way of doing this securely is by running as much code as
    possible on your server and having thin clients.

    Obfuscation may be a short term solution, but it still won't protect
    users from stealing, cracking or reverse engineering your code. (All
    those can also be done with the machine code traditionally produced by
    lower level languages like C.)

    Note that software is still something that falls under copyright. Using the
    law to go against people stealing your applications is one way.

    The better way is to open your source up and change to a support
    business model or do something similar to MySQL.
    Florian Groß, Aug 18, 2005
    #2
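Florian's "if your computer can run it I can see it", shown as an added Ruby example that is not code from this thread: the loader below holds the unlocking key and has to hand the decrypted source to `eval`, so an attacker ignores the cryptography and hooks that call. The key pair, the method names and the sample source are assumptions made for the example; a real loader would embed the private key as a PEM string, which is no harder to copy out.

```ruby
require "openssl"

# Constructed example (not code from the thread): the "modified interpreter"
# proposal. The unlocking (private) key must ship inside the loader, so it is a
# constant here. A real loader would embed it as a PEM string, which is
# exactly what an attacker copies back out of the binary.
LOADER_PRIVATE_KEY = OpenSSL::PKey::RSA.new(2048)   # assumed: generated at load time
VENDOR_LOCKING_KEY = LOADER_PRIVATE_KEY.public_key  # the "locking" key the vendor keeps

# Vendor side: lock a (short) Ruby source string with the locking key.
# RSA-OAEP can only seal a couple of hundred bytes; a real loader would wrap a
# symmetric key this way and encrypt the source under that key instead.
def lock_source(source, locking_key = VENDOR_LOCKING_KEY)
  locking_key.public_encrypt(source, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

# Client side: the loader decrypts and evals. Whatever packing or obfuscation
# surrounds this, the plaintext has to exist here for the VM to run it.
def unlock_and_run(blob, unlocking_key = LOADER_PRIVATE_KEY)
  source = unlocking_key.private_decrypt(blob, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  eval(source, TOPLEVEL_BINDING)
end

# Attacker side: no key extraction, no cryptanalysis. Hook the one call that
# must receive the plaintext and copy it out on its way to the VM.
DUMPED_SOURCES = []
module Kernel
  alias_method :__locked_eval, :eval
  def eval(source, *rest)
    DUMPED_SOURCES << source.dup
    __locked_eval(source, *rest)
  end
  private :eval, :__locked_eval
end

# Runs the whole cycle: vendor locks, loader runs, hook leaks.
def demo_locked_loader
  secret = "def licensed_feature(x)\n  x * 42\nend\n"   # constructed sample source
  blob = lock_source(secret)
  unlock_and_run(blob)
  {
    result: licensed_feature(2),                 # the locked code did run
    leaked: DUMPED_SOURCES.last,                 # and its source is now in the clear
    blob_has_source: blob.include?("licensed"),  # the ciphertext itself gives nothing away
  }
end
```

`demo_locked_loader` returns the licensed method's result next to the recovered source. Packing or obfuscating the loader moves the hook point around but does not remove it; the same trick works against any runtime that must see plaintext in order to execute it, which is why the thread's thin-client answer is the only one that holds.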

  3. On 8/18/05, Florian Groß <> wrote:
    >
    > John Wells wrote:
    >
    > The better way is to open your source up and change to a support
    > business model or do something similar to MySQL.

    This is just not an option sometimes. There still is a large place for
    closed software in the industry, and Ruby needs a Zend-like solution that
    PHP developers enjoy to protect if that's needed.


    --
    Robert W. Oliver II
    CEO / President - OCS Solutions, Inc.
    http://www.ocssolutions.com/

    Ruby / Ruby on Rails Discussion at http://www.rubyforums.com/
    Robert Oliver, Aug 19, 2005
    #3
  4. Just like putting software logic into silicon, you could compile your
    specific Ruby code to C and native compile it.

    Disassembly is always an option but fewer people have the skills for that.
    Lyndon Samson, Aug 19, 2005
    #4
  5. Robert Oliver wrote:

    > This is just not an option sometimes. There still is a large place for
    > closed software in the industry, and Ruby needs a Zend-like solution that
    > PHP developers enjoy to protect if that's needed.


    I don't see why we would need to obfuscate source code on the server
    side. Can you elaborate?
    Florian Groß, Aug 19, 2005
    #5
  6. With Zend, you can distribute your PHP scripts in an encoded fashion.
    Modernbill and Kayako currently do this, as well as many other commercial
    PHP scripts. They also include license limitations like IP restriction,
    hostname restriction, etc.

    On 8/18/05, Florian Groß <> wrote:
    >
    > Robert Oliver wrote:
    >
    > > This is just not an option sometimes. There still is a large place for
    > > closed software in the industry, and Ruby needs a Zend-like solution that
    > > PHP developers enjoy to protect if that's needed.
    >
    > I don't see why we would need to obfuscate source code on the server
    > side. Can you elaborate?

    --
    Robert W. Oliver II
    CEO / President - OCS Solutions, Inc.
    http://www.ocssolutions.com/

    Ruby / Ruby on Rails Discussion at http://www.rubyforums.com/
    Robert Oliver, Aug 19, 2005
    #6
  7. John Wells

    Re: Protecting commercial ruby code with public/private key encryption

    Derek Wyatt said:
    > If the code is encrypted, how are you going to decrypt it?
    >
    > I think you have your key types mixed up. It's the public
    > key that can encrypt and the private key that can decrypt.


    You're absolutely right...I did flub that in my description, didn't I? I
    suppose the point here is to question the viability of packaging a key (the
    private key) in the ruby executable to allow decryption of code encrypted
    with the public key. Public/private is a little confusing in this
    scenario, so I'd prefer a locking key and unlocking key. I would still
    keep the public key private and secret, so it's truly not "public".

    Now, how easy it would be to retrieve the unlocking key from the ruby
    executable, I have no idea. I've been led to believe by Lothar's comments
    that it's possible to conceal it or the actual decryption point well
    enough that anyone would have a very difficult or impossible time getting
    at it, but that's possibly (probably?) naive.

    Thanks,
    John
    John Wells, Aug 19, 2005
    #7
  8. Josh Charles

    The mono project allows you to create machine executable code by
    embedding the runtime intrepreter together with your code. Perhaps
    something like that can be done with Ruby as well. I don't know how
    difficult it is, but the algorithms are probably transferable from the
    mono project.

    On 8/19/05, John Wells <> wrote:
    > Derek Wyatt said:
    > > If the code is encrypted, how are you going to decrypt it?
    > >
    > > I think you have your key types mixed up. It's the public
    > > key that can encrypt and the private key that can decrypt.

    >
    > You're absolutely right...I did flub that in my description, didn't I? I
    > suppose the point here is to question the viability of packaging a key (the
    > private key) in the ruby executable to allow decryption of code encrypted
    > with the public key. Public/private is a little confusing in this
    > scenario, so I'd prefer a locking key and unlocking key. I would still
    > keep the public key private and secret, so it's truly not "public".
    >
    > Now, how easy it would be to retrieve the unlocking key from the ruby
    > executable, I have no idea. I've been led to believe by Lothar's comments
    > that it's possible to conceal it or the actual decryption point well
    > enough that anyone would have a very difficult or impossible time getting
    > at it, but that's possibly (probably?) naive.
    >
    > Thanks,
    > John
    Josh Charles, Aug 19, 2005
    #8
  9. Randy Kramer wrote:
    > I'm not sure if you're talking about a specific type of encryption, but most
    > such codes can encrypt with either key and decrypt with either key.


    Correct.

    > If I want to send a (secret) message to you, I can encrypt it with your public
    > key and you will be able to decrypt it with your private key.


    Correct in principle. In practice, I encrypt the message using a
    symmetric cipher, encrypt that key using your public key, and send both
    ciphertexts. That way I can send a private message to multiple
    recipients without having to encrypt the entire message multiple times.

    > If I want to send a message to everyone and "guarantee my signature" (i.e.,
    > sign it), I can encrypt it with my private key. If it can be decrypted with
    > my public key, it is (almost) a guarantee that I did originate the message.


    Correct in principle. In practice, I encrypt a hash of the message in my
    private key. You hash the message and check that your result matches the
    one I sent. That way, a message can have multiple signers in any order.

    Steve
    Steven Jenkins, Aug 20, 2005
    #9
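The two "in practice" patterns Steve describes, as an added Ruby example (not code from the thread): a single symmetric key encrypts the body once and is wrapped per recipient, and each signer signs a digest of the message independently, so signers can be added in any order. The choice of RSA-OAEP for wrapping, AES-256-GCM for the body, RSA-PSS over SHA-256 for the signatures, 2048-bit keys, the names alice and bob, and the sample message are all assumptions made for the example.

```ruby
require "openssl"

# Constructed example, not code from the thread. Keys are generated here;
# in practice recipients' public keys and signers' private keys are stored.

# Hybrid encryption: the body is encrypted once under a fresh symmetric key
# and only that key is wrapped (RSA-OAEP) once per recipient.
def seal_for(recipient_pubkeys, message)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  content_key = cipher.random_key
  iv = cipher.random_iv
  cipher.auth_data = ""
  body = cipher.update(message) + cipher.final
  wrapped = recipient_pubkeys.transform_values do |pub|
    pub.public_encrypt(content_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  end
  { iv: iv, tag: cipher.auth_tag, body: body, wrapped_keys: wrapped }
end

# A recipient unwraps their own copy of the content key and decrypts the body.
# GCM's tag makes any modification of the body raise at final.
def open_as(name, private_key, envelope)
  content_key = private_key.private_decrypt(envelope[:wrapped_keys].fetch(name),
                                            OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  decipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  decipher.key = content_key
  decipher.iv = envelope[:iv]
  decipher.auth_tag = envelope[:tag]
  decipher.auth_data = ""
  decipher.update(envelope[:body]) + decipher.final
end

# Detached signatures: each signer signs a SHA-256 digest of the message
# (RSA-PSS here). Signatures are independent of one another, so any number
# of signers can sign in any order and each is verified on its own.
def sign_message(private_key, message)
  private_key.sign_pss("SHA256", message, salt_length: :max, mgf1_hash: "SHA256")
end

def verify_all(pubkeys_by_name, message, signatures_by_name)
  signatures_by_name.all? do |name, sig|
    pubkeys_by_name.fetch(name).verify_pss("SHA256", sig, message,
                                           salt_length: :auto, mgf1_hash: "SHA256")
  end
end

# Two recipients who are also the two signers, signing in the opposite order
# from the recipient list to show that order does not matter.
def demo_envelope_and_signatures
  alice = OpenSSL::PKey::RSA.new(2048)
  bob = OpenSSL::PKey::RSA.new(2048)
  pubkeys = { "alice" => alice.public_key, "bob" => bob.public_key }
  message = "build 1.2.3 is approved for release"   # constructed sample
  env = seal_for(pubkeys, message)
  sigs = { "bob" => sign_message(bob, message), "alice" => sign_message(alice, message) }
  {
    message: message,
    alice_reads: open_as("alice", alice, env),
    bob_reads: open_as("bob", bob, env),
    body_size: env[:body].bytesize,   # one AES body however many recipients
    signatures_ok: verify_all(pubkeys, message, sigs),
    tampered_ok: verify_all(pubkeys, message + " (and 1.2.4)", sigs),
  }
end
```

The envelope carries one ciphertext plus one wrapped key per recipient, and the signature set can grow without touching the envelope at all. Signing the message rather than the ciphertext is a deliberate choice: the verifier checks what was said, not how it was sealed.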
  10. dr

    You can use Exerb (http://exerb.sourceforge.jp/index.en.html) for the
    Windows platform to distribute client side Ruby applications. The main
    idea of Exerb, AFAIK, is to dump parsed syntax tree and store it inside
    executable.
    p.s. It would be wonderful if the official Ruby interpreter could do the
    same thing by itself.
    Python, BTW, can store compiled programs in *.pyc files, and load them
    when the original source file has not changed.
    dr, Aug 20, 2005
    #10
  11. Randy Kramer

    On Friday 19 August 2005 09:44 pm, Steven Jenkins wrote:
    > Correct in principle. In practice, I encrypt the message using a
    > symmetric cipher, encrypt that key using your public key, and send both
    > ciphertexts. That way I can send a private message to multiple
    > recipients without having to encrypt the entire message multiple times.


    ---< good stuff snipped >----

    Thanks for the amplifications/corrections!

    Randy Kramer
    Randy Kramer, Aug 20, 2005
    #11
  12. Tesla

    John Wells wrote:
    > I was speaking with a co-worker today about the disappointment we feel
    > when we can't write commercial, distributable client-side code with Ruby
    > today...there's just no good way to protect your IP on the client side.
    >
    > We came upon a simple(?) idea and I was hoping that the List might help us
    > expand it and fill in some gaps:
    >
    > Could one not modify the source of the Ruby interpreter to load a public
    > key and then only accept code encrypted with the equivalent private
    > version? Would this provide adequate protection, or does it only mean
    > that the hacker would have to download the interpreter and make the same
    > modifications, loading my public key into it, and programmatically to spit
    > out the unencrypted code after it has passed through decryption? Is there
    > any way to make this sufficiently hard to do so to the point where any
    > reasonably complex application is protected? Similar to byte code
    > obfuscation?
    >
    > Thanks for your insight.
    >
    > John

    I use zend encoder now and again when I have a good idea and I don't
    want to give up the recipe to just everyone.

    Zend encoder works by doing a pre compile to byte code which makes it
    illegible. It also spices up the deal by locking the code with a key
    from the PC being used. Then when Zend optimizer sees the PHP code is
    already precompiled its job becomes easier. So things speed up accordingly.

    So to do this with Ruby would mean that a precompiler or optimizer would
    have to be built first. Something that the server could run and
    interpret the byte code. As of yet there is nothing like this for Ruby.
    But it is being worked on I might guess.

    Trying to do it otherwise is a pain in the butt. I have tried with PHP
    and helped with a few obfuscation projects in PHP, ASP and VB.

    --


    Tesla - Alternating current, the first modern day opensource project?
    Tesla, Aug 20, 2005
    #12
  13. On 8/20/05, dr <> wrote:
    > You can use Exerb (http://exerb.sourceforge.jp/index.en.html) for the
    > Windows platform to distribute client side Ruby applications. The main
    > idea of Exerb, AFAIK, is to dump parsed syntax tree and store it inside
    > executable.
    > p.s. This will be wonderful if official Ruby interpreter can do same
    > thing by itself.
    > Python, BTW, can store compiled programs in *.pyc files, and load it
    > when original source file is not changed.
    >


    (Unless it has changed recently) Please understand that if you open an
    exerb generated exe file in a text editor you can scroll to a section
    where your program is visible as plain text.

    -Rich
    Richard Lyman, Aug 20, 2005
    #13
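What dr describes for Exerb and .pyc files, and what Rich observes about the result, in current CRuby terms as an added example (not code from the thread): serialise YARV bytecode with RubyVM::InstructionSequence, run it with no source file present, then read the identifiers and literals straight back out of the blob, or ask the VM to disassemble it. The sample source, the method and constant names and the file path are assumptions made for the example.

```ruby
# Constructed example, not code from the thread. Requires CRuby, which
# provides RubyVM::InstructionSequence.

SAMPLE_SOURCE = <<~RUBY   # constructed sample of code to be "protected"
  LICENSE_SERVER = "https://licence.example.invalid/check"
  def check_license(seat)
    seat * 42
  end
RUBY

# Vendor side: compile to bytecode and serialise it, as Exerb did with the
# parse tree and as a .pyc does for Python.
def compile_to_blob(source)
  RubyVM::InstructionSequence.compile(source, "protected.rb").to_binary
end

# Client side: the blob runs on its own; no .rb file is needed.
def run_blob(blob)
  RubyVM::InstructionSequence.load_from_binary(blob).eval
end

# Attacker side: the same blob, read instead of run. Method names and string
# literals are stored as-is, and the VM disassembles the rest on request.
def inspect_blob(blob)
  listing = RubyVM::InstructionSequence.load_from_binary(blob).disasm
  {
    literal_in_bytes: blob.include?("licence.example.invalid"),
    method_name_in_bytes: blob.include?("check_license"),
    literal_in_disasm: listing.include?("licence.example.invalid"),
    method_in_disasm: listing.include?("check_license"),
  }
end

# Compile, run, then inspect: the code works without its source, and the
# source's structure is still visible in what was shipped.
def demo_bytecode_blob
  blob = compile_to_blob(SAMPLE_SOURCE)
  run_blob(blob)
  inspect_blob(blob).merge(result: check_license(2))
end
```

Bytecode serialisation is a convenience (no parse step, no loose .rb files), not a protection: names, literals and control flow survive, and the VM itself is the decompiler. Packing the file only hides this until the file is unpacked to run.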
  14. nobody

    > (Unless it has changed recently) Please understand that if you open an
    > exerb generated exe file in a text editor you can scroll to a section
    > where your program is visible as plain text.


    pack it with UPX?
    nobody, Aug 27, 2005
    #14
