RSA, Big Primes.

[Sam Finch]

I'm interested in using a variant on RSA for security in distributing some files.


The files only run using a viewer program, and are purchased over the web.


The way I'm thinking of distributing is as follows.

The viewer is distributed on a CD, with each CD having a seperate serial Number.

When the user buys a file he sends me his serial number, I then encrypt the file with a weak encryption system such as random xor encryption, using his serial number as the key.

After that I encryptthe file using RSA, however, I keep the encryption key secret and publish the decryption key. (So I effectivley decrypt the file using RSA and let the user encrypt it to get the original file)



when the viewer runs the file The program, (hard coded on the CD so it can't be changed) decrypts the RSA and then daecrypts the weak encryption using the serial number as the key. (so if it's been encrypted using a different serial number the file will be garbage.

So, although the user can get hold of the decrypted file, they can't encrypt it for their viewer. And hence must buy the file if they want to use it.



Now you know all that I'm asking 3 questions.


1. Can anyone spot any weaknesses in the above system?

2. RSA involves 2 large prime numbers, p and q. we select q and q, then multiply together to get N. We then pick 2 numbers, e (the encryption key) and d (the decryption key) which multipy together such that e*d = ( (p-1)(q-1) ) +1. We publish N and (in this case) d. There is no way of working out e unless we know p and q, which are kept secret. The question is how large do I need to make p and q? I don't need world beating security, just enough to act as a good deterent. I don't think there's any real advantage in cracking it, you could just buy encrypted files, and re encrypt them, selling them off slightly cheaper than I do. So I need good enough security to make that unprofitable.


3. where can I get hold of large primes? I don't want to go in the main prime numbers websites, because then people will just look at the 100 most common primes got off the main websites, and they'll have cracked it in no time,


any help would be great.

[plenderj]

Take a look at the file enclosed.
Its a file I wrote to make maths stuff quicker to write.

You could try using the IsPrime function to help you find large primes. I dunno if it'll find very large primes tho.

[kedaman]

The weakness would be at software level. If someone buys the CD a hacker could easily modify it to work independent from the cd and the files that's been bought with that particular serial number could be distributed with the software.

[Guv]

Sam: I avoid buying copy protected software. I do not know how many others are like me.

I fit the profile of a buyer of software.

My two systems have over 100 applications installed, not all of which I currently use. I have paid for almost all of it. The exceptions being a few shareware applications I stopped using before I got around to paying for them.

Although I am fairly knowledgeable, I have problems with applications protected by passwords and other methods. I have heard some horror stories from friends on this subject. Many years ago, Lotus had a user hostile anti-piracy mechanism which caused all sorts of problems.

Due to the above, I avoid applications with copy protection. For example, I intend to hold off on Windows XP as long as I can. I hope I can avoid it forever. I never consider buying copy protected software if there is similar software available without anti-piracy features.

I have often wondered about the economics of copy protection. I have no opinion on how worthwhile it is for a software vendor.

If there are others like me out there, you might hurt yourself by trying to protect yourself from the pirates. It does not stop the knowledgeable hackers, but does stop the less savvy pirate. Who knows what the bottom line is on sales gained and sales lost?

There is some evidence that piracy results in some extra sales. After using a pirate copy, some users buy the real thing to get the documentation, or to get the newer version

The pirates friends I have would do without the software they pirate if they had to pay for it. Several of them have strange ethics about piracy. These pay for some software they could easily pirate, saying that they want it badly enough to pay for it. They pirate other software because they say they do not want it badly enough to pay for it.

I believe that published estimates on the loss of revenue from piracy are totally unreliable. They tend to use retail pricing in their estimates. They make no attempt to estimate how many actual sales are lost. Many of the individuals who use pirate copies would never pay for the software. They just would not own it if they could not steal it.

[Jenny W]

Originally posted by Sam Finch
I'm interested in using a variant on RSA for security in distributing some files.


3. where can I get hold of large primes? I don't want to go in the main prime numbers websites, because then people will just look at the 100 most common primes got off the main websites, and they'll have cracked it in no time,

Did you find a way of getting decent sized primes? I understand that they have to be 100 digits+ to be useful which seems to be a problem. Have you got any RSA source that can handle such big primes?

[wossname]

According to the Guinness book of records 1992, the largest known prime number was (391581 * 2^216193) - 1

Thats over 65000 digits long, is that big enough? lol!

[Jenny W]

Not a very secret prime is it if its in the GBR