Discussion of article "Securing MQL5 code: Password Protection, Key Generators, Time-limits, Remote Licenses and Advanced EA License Key Encryption Techniques" - page 2

Konstantin Vinokurov
Peter Maxwell:

Sorry to be scathing but what was presented in the article is not security, it is obscurity.  Copy-protection is an exceedingly difficult problem, hence the efforts of the music/film industry with DRM and their repeated failures.

At best, the information here will waste some people's time; at worst you may have given the reader a false sense of security. If they then decide to "protect" a product using your advice, they may be somewhat surprised when their consumer strips out the protection within a matter of hours and resells it for a fraction of the price.

And seriously - base64 encoding is not related to encryption. Base64 encoding was designed to allow 8-bit data to be transmitted safely using protocols that consider data encoding to be 7-bit. You can trivially reverse base64 encoding - and it is designed for that purpose!

The only solution I can see of securely distributing MQL5 software is either via the broker's limited power of attorney provisions, or installing an instance of MQL5 with the .ex5 files on a server somewhere and allowing the customer access using a thin client (so they cannot download the .ex5). And yes, I've worked in information security for over 15 years, so have a fair idea of what I'm talking about.

To be honest, I'm rather surprised that Metaquotes published the article.

Correct. Exactly this way.
davidyan982003

I have an idea. Suppose there is a web monitor that always looks through the web flow.

1. The EA client calls the web server for a sha.pub key, which is generated by the server randomly.

2. The EA sends some data asking for authorization to the server with the pub key, so the monitor can't know what the data is. And the data can contain some random key generated by the client. The monitor can't decrypt the data because of the sha key.

3. The server receives the data and sends authorization-allowed information encrypted by the key the client sent to it. The monitor may decrypt this information because it may know the pub sha key, but it doesn't know the client's key, so it is still useless.

In this way, the server can control the EA client's behavior.
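The three-step exchange described in this post, written out as an added example (not code from the poster or from the article) using standard primitives in place of the post's "sha.pub key": RSA-OAEP carries the client's random session key and request to the server, and AES-256-GCM under that session key carries the verdict back, so a passive monitor that knows the server's public key still cannot read either direction. It assumes the client obtains the server's public key over a channel it already trusts; the post's monitor is only an observer, and the example does not defend against an active one that substitutes its own key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

const keyLen = 32 // AES-256 session key the client draws per request
// Step 1: the server holds an RSA key pair; the client fetches the public half.
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// aead wraps a session key in AES-256-GCM so the reply is secret and authenticated.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// Step 2: the client draws a random session key and sends it with its request, both
// encrypted to the server's public key (RSA-OAEP); a passive observer learns neither.
func ClientRequest(pub *rsa.PublicKey, request []byte) (sessionKey, msg []byte, err error) {
	sessionKey = make([]byte, keyLen)
	if _, err = rand.Read(sessionKey); err != nil { return nil, nil, err }
	msg, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, append(sessionKey, request...), nil)
	return sessionKey, msg, err
}
// Step 3: the server recovers key and request, decides, and answers under the session
// key (random nonce prefixed). Knowing the public key does not help the observer here.
func ServerRespond(priv *rsa.PrivateKey, msg []byte, licensed func(string) bool) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, msg, nil)
	if err != nil || len(plain) < keyLen { return nil, errors.New("malformed request") }
	verdict := "DENIED"
	if licensed(string(plain[keyLen:])) { verdict = "ALLOWED" }
	gcm, err := aead(plain[:keyLen])
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, []byte(verdict), nil), nil
}
// ClientVerdict opens the reply; a wrong key or any tampering fails authentication.
func ClientVerdict(sessionKey, reply []byte) (string, error) {
	gcm, err := aead(sessionKey)
	if err != nil { return "", err }
	if len(reply) < gcm.NonceSize() { return "", errors.New("reply too short") }
	plain, err := gcm.Open(nil, reply[:gcm.NonceSize()], reply[gcm.NonceSize():], nil)
	return string(plain), err
}
```

The `licensed` callback stands in for whatever account or licence lookup the server does; the request string format is a constructed placeholder.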
