I have an application which will be used by various users. When a user starts using the application, it will generate one license file (encrypted) at the location where it is installed, and each time the application runs it will decrypt the file, validate all parameters, update a few of them according to the result of validation, and encrypt the updated file.
Here is the real problem that is giving me pain: every time the application runs it needs the encryption keys (AES) to encrypt and decrypt, and the key is hard-coded within my .NET DLL, so there is a possibility that a user can extract the key and change the license parameters to run the application.
So my concern is how to protect the file from being tampered with. Is there any way that I can put a few of the important license parameters in some other location instead of keeping them in the file? How do I keep the encryption keys secure and safe from fraudulent activities? The application is purely offline.
Kindly give me your valuable suggestion and insights.
Thanks in advance
Offline applications written in .NET cannot be secured. You cannot reasonably "hide secrets" on someone else's machine. You need to provide a location that you control (i.e. a web service endpoint) to store these secrets. Every which way you look, at some point or other the user of your application has all your logic and all your data in their environment; you have given them the lock and the keys and are just hoping they don't have the persistence to open the lock with the key.
Alternatively, as suggested on another thread this week, you could code your file access logic and keys in VB6 and do an interop call to it - VB6 could be decompiled, but it's tough. However, someone could just pick up SysInternals, watch your file IO occurring and deduce which file or registry key your secrets are in. If it's AES encrypted that will make it tough for them, but they will know which process is opening it ... so they now have a target for their efforts to decompile your code. It would be non-trivial to crack that, but I wouldn't call it secure either.
The only way to prevent a user from accessing data on their own PC is to not put it on their PC.
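The "lock and the keys" point above, as an added example that is not part of the original question or answer: with the AES key shipped in the DLL, the license file is confidential but not tamper-evident to the machine's owner, whereas a key held at a vendor-controlled endpoint is not available on the client. Assumptions: .NET 6 or later, a constructed key and license string, HMAC-SHA256 as the vendor-side check, and a hypothetical in-process `VendorService` class standing in for the web service.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stand-in for the vendor-controlled endpoint; in a real deployment
// this class runs on the vendor's server and its key never reaches the client.
sealed class VendorService
{
    private readonly byte[] _key = RandomNumberGenerator.GetBytes(32);
    public byte[] Issue(string license) => Tag(license);
    public bool Verify(string license, byte[] tag) =>
        CryptographicOperations.FixedTimeEquals(Tag(license), tag);
    private byte[] Tag(string s) => HMACSHA256.HashData(_key, Encoding.UTF8.GetBytes(s));
}

static class Program
{
    // Constructed key standing in for the AES key hard-coded in the DLL.
    static readonly byte[] EmbeddedKey = Encoding.ASCII.GetBytes("constructed-demo-key-32-bytes!!!");

    // What the application does on every run: encrypt with the embedded key (IV || ciphertext).
    static byte[] Seal(string license)
    {
        using var aes = Aes.Create();          // AES-CBC with a fresh random IV
        aes.Key = EmbeddedKey;
        using var enc = aes.CreateEncryptor();
        byte[] pt = Encoding.UTF8.GetBytes(license);
        return aes.IV.Concat(enc.TransformFinalBlock(pt, 0, pt.Length)).ToArray();
    }

    static string Open(byte[] blob)
    {
        using var aes = Aes.Create();
        aes.Key = EmbeddedKey;
        aes.IV = blob.Take(16).ToArray();
        using var dec = aes.CreateDecryptor();
        return Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, 16, blob.Length - 16));
    }

    static void Main()
    {
        string issued = "user=alice;expires=2025-01-31"; // constructed sample license
        string edited = "user=alice;expires=2099-12-31"; // same license, one field changed
        // Key on the client: Seal() is the same operation for the application and for
        // anyone holding the DLL, so an edited file decrypts exactly like a genuine one.
        Console.WriteLine($"edited file opens cleanly: {Open(Seal(edited)) == edited}");
        // Key at the vendor: the client stores only the text and a tag it cannot recompute.
        var vendor = new VendorService();
        byte[] tag = vendor.Issue(issued);
        Console.WriteLine($"issued: {vendor.Verify(issued, tag)}, edited: {vendor.Verify(edited, tag)}");
    }
}
```

The vendor-side check only holds while verification itself happens at the endpoint; an offline client that skips the call is back in the situation the answer describes.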