KevinL33
Level 3

lmcrypt security

We ran into a situation recently where the tech who was tasked to create licenses left the company. Although we're not worried about that particular individual's ethics or morals, we can see that it's a definite security issue. Someone could walk away with lmcrypt and have the ability to create licenses (illegally) forever.

How do others deal with this? I'm sure we're not the first to run into this dilemma.
0 Kudos
(6) Replies
Aparashar
Flexera Alumni

Hi KevinL33,

An lmcrypt executable, vendor daemon executable and lmgrd executable are the 3 most sensitive parts of any publisher (/customer) who generates licensing.

So it becomes a publisher's responsibility to ensure their safety. And yes, if lmcrypt is in the air, it's a security issue and I am afraid that it can't be tracked down. (For example, create an uncounted license and use it forever.)

Regards,
Abhay

Why is lmgrd.exe sensitive? Until very recently (as I recall), anyone could download the latest version; there should be nothing specific in that binary to your private key.
0 Kudos

I totally agree the reply with regard to lmgrd is confusing. 

The security within FLEXera depends upon your secret keys and those are obviously compiled into lmcrypt, your vendor daemon and your application.

Any "off the shelf" executables such as lmgrd and lmutil have no relationship to your secret keys at all. 

0 Kudos

An lmcrypt executable, merchant daemon executable and lmgrd executable are the 3 most touchy pieces of any distributor (/client) who produces permitting.

So it turns into a distributor's duty to protect their wellbeing. Also, yes, if lmcrypt is noticeable all around, it's a security issue and I am anxious about the possibility that it can't be found. (for instance, make an uncounted permit and use it until the end of time), air blue


@PhilipMJones wrote:

I totally agree the reply with regard to lmgrd is confusing. 

The security within FLEXera depends upon your secret keys and those are obviously compiled into lmcrypt, your vendor daemon and your application.

Any "off the shelf" executables such as lmgrd and lmutil have no relationship to your secret keys at all. 


 

0 Kudos

It was a figure of speech when I mentioned that vendor daemon, lmcrypt and lmgrd are the 3 most important parts of the licensing setup. Yes, lmgrd is an off-the-shelf executable and can be downloaded externally. As a rule of thumb, any executable being built at run time (through makefile/makefile.act) becomes vendor specific and must be protected. lmutil and lmgrd are not built during the toolkit build and hence are non daemon specific.
(If my response assists with your questions, then please click "ACCEPT AS SOLUTION" or 'Kudos' so that it helps others.)

Hi

Maybe you can rebuild the SDK by changing the seeds in lm_code.h.

Rebuild lmcrypt and the application too.

Oldest version of lmcrypt will not be compatible with new software.

Regards.

Gilles Noyer.

0 Kudos