i.e. To allow an unofficial software modification (which is too extensive to distribute as delta/patch files) to be distributed while ensuring the user owns the original software, it would be distributed in encrypted form - using the original software's file(s) as the key (or I guess a key derived from those files, assuming it is ensured that you cannot just use a pre-generated key from someone else).
8
- 4It’s technically possible to derive a key from software files, but this makes no sense. As you already pointed out yourself, this doesn’t prevent users from sharing the key. You need to hand out individual license codes and grant access to updates based on those codes (and any abuse detection mechanism you have in place). If it’s too late to implement proper license codes, then send individual access tokens to your users (e.g., embedded in a URL) which let them download the update from a server.Ja1024– Ja10242024-11-27 15:24:27 +00:00Commented Nov 27, 2024 at 15:24
- 1As I understand the question, Hiccup wants to release a game mod. They want to modify the game and redistribute it, but they don't want to get into trouble with the game company. So the game company is in control of the licensing, not Hiccup.Sjoerd– Sjoerd2024-11-28 09:21:44 +00:00Commented Nov 28, 2024 at 9:21
- Encrypting one file with (the hash of) another file is trivial. It doesn't solve your problem of unauthorized distribution of copyrighted material though (which is off topic here btw).Zac67– Zac672024-11-28 09:38:26 +00:00Commented Nov 28, 2024 at 9:38
- @Sjoerd: Then this is a legal question. And the term “unofficial” makes me think none of the OPs ideas have ever been discussed with the company, which means the OP is merely hoping that their odd approach will avoid legal trouble.Ja1024– Ja10242024-11-28 09:41:51 +00:00Commented Nov 28, 2024 at 9:41
- I'm voting to close this as off-topic. It's an imaginary solution to a legal problem that should be discussed with the copyright owner and/or a lawyer.Ja1024– Ja10242024-11-28 09:52:16 +00:00Commented Nov 28, 2024 at 9:52
| Show 3 more comments
1 Answer
The straightforward way is to derive a key from the old software. E.g. you compute the SHA256 of the old software and use that as an AES key to decrypt the new software. However, this makes it possible for attackers to share the value of the cryptographic hash and decrypt the new software using that.
Research is ongoing in the field of big-key symmetric encryption, which allows keys of several gigabytes. This could be a way to use the whole old software distribution as a key. However, there is currently no mainstream recommended method to do this.
Another possibility is to XOR the new software with the old software, like a one-time pad. This is not very secure, but could be sufficient depending on your requirements.
- 1We can come up with all kinds of technical ideas, but unless the copyright owner of the original software has actually agreed to any of this, it's completely pointless. Just because the OP thinks encrypting the modification based on the original software will get them out of legal trouble doesn't mean this is actually the case.Ja1024– Ja10242024-11-28 09:48:46 +00:00Commented Nov 28, 2024 at 9:48
- As you already said yourself, the right solution depends on the requirements. But the requirements are entirely unclear until the OP has solved the underlying legal problem.Ja1024– Ja10242024-11-28 11:16:57 +00:00Commented Nov 28, 2024 at 11:16
- Thanks. I think XOR may be sufficient actually. Although I wonder if there would be some benefit to encrypting the original software first with a random key (to be distributed with the XORd data), since that would prevent recovery of e.g. the 00 bytes? (not that those necessarily matter that much for this use case).Hiccup– Hiccup2024-11-28 14:33:08 +00:00Commented Nov 28, 2024 at 14:33