Archived Forum Post

Index of archived forum posts

Question:

Should I hide the code string in my UnlockComponent call?

Nov 12 '12 at 08:50

Like most of you here I suppose, I have this code:

success = http.UnlockComponent("GEORGEQWA£AEQ£Q%A");
TRACE ("%s\n",http.lastErrorText());
if (success != true) {
    return;
}

(code changed for obvious reasons!)

Should I hide my unlock code in any way?


Answer

In the CkString C++ class, there are two methods: obfuscate and unobfuscate:

void obfuscate();

Obfuscates the string. (The unobfuscate method can be called to reverse the obfuscation to restore the original string.)

The Chilkat string obfuscation algorithm works by taking the utf-8 bytes of the string, base64 encoding it, and then scrambling the letters of the base64 encoded string. It is deterministic in that the same string will always obfuscate to the same result. It is not a secure way of encrypting a string. It is only meant to be a simple means of transforming a string into something unintelligible.

void unobfuscate();

This is the reverse of the obfuscate method.

You could use the obfuscate method separately to produce an obfuscated string, which can then be placed as a string literal in your application. Your app would then call unobfuscate, and then pass the unobfuscated string to UnlockComponent.

In any case, Chilkat would not invalidate your unlock code in a future version without notifying you first. In the 10+ years that Chilkat has been in business, no unlock codes have ever been invalidated for the reason you described. Unlock codes have been invalidated for other reasons, namely (1) unlock codes generated by non-Chilkat parties, or (2) unlock codes delivered to fraudulent orders.


Answer

I have never obfuscated those unlockcodes but you made me think (on a sunday morning).

If my unlockcode leaks on the internet and pirates start to use it Chilkat's only option is to blacklist my unlockcode for future builds, who can blame them. My programs will continue to work (because they use the "old" ck libraries), but when I do a new release I need to ask Chilkat for a new unlockcode.

I will add it to my "to do" list, I guess a trivial obfuscation is enough, something like strrev().

What is your opinion on this, Matt?