
Certificate license signatures in FlexNet Publisher


Summary

Analysis of Certificate License signatures in FlexNet Publisher.

Question

What are the various requirements of the certificate signatures with different combinations of ENCRYPTION_SEEDx and LM_SEEDx settings?

Answer

This discussion was prompted by issues such as 'Future support for SIGN2'.

This information is intended to be shareable with customers. Configurations 6-8 in the table below are most relevant for customers asking about continued support of SIGN2.

| Signature configuration | #1 | #2 | #3 | #4 | #5 | #6 | #7 | #8 (best practice) | #9 (second best practice) |
|---|---|---|---|---|---|---|---|---|---|
| ENCRYPTION_SEEDS | Set | Set | Set | Not set | Set | Set | Not set | Not set | Set |
| LM_SEEDS | Not set | Set | Not set | Set | Not set | Set | Set | Set | Set |
| TRL_KEYS / CRO_KEYS (Pre 8.1) | Not set | Not set | Not set | Not set | Set | Set | Set | Set | Set |
| LM_STRENGTH | LICENSE_KEY | LICENSE_KEY | DEFAULT | DEFAULT | 113/163/239BIT | 113/163/239BIT | 113/163/239BIT | 113/163/239BIT | 113/163/239BIT |
| Signature keyword | None | None | SIGN | SIGN | SIGN | SIGN and SIGN2 | SIGN | SIGN | SIGN and SIGN2 |
| Signature type | Bespoke symmetric | Bespoke symmetric | Bespoke symmetric | Bespoke symmetric | TRL1 | SIGN: TRL1; SIGN2: TRL2 | TRL2 | TRL2 | SIGN: TRL1; SIGN2: TRL2 |
| Signature length (chars) | 12 or 20 | 12 or 20 | 12 | 12 | 60/84/120 | 2 x 60/84/120 | 60/84/120 | 60/84/120 | 2 x 60/84/120 |
| Client version | Pre-8.1 | 8.1+ | 7.1 - 8.1 | 8.1+ | 7.1 - 8.1 | 8.1+ | 8.1+ | 10.8.6+ | 10.8.6+ |
| Library linkage | lmgr.lib | lmgr.lib | lmgr.lib | lmgr.lib | lmgr.lib | lmgr.lib | lmgr.lib | lmgr_trl.lib | lmgr_trl.lib |

Note:

  • TRL1 = ECDSA signature
  • TRL2 = Improved ECDSA signature
  • FNP docs refer to these TRL1 and TRL2 signatures when discussing SIGN2

Configuration 6 clients require licenses with the SIGN2 keyword: changing a served license file from configuration 6 to 7 or 8 would break these existing clients. Therefore, in order to move on from SIGN2, producers need to retire or upgrade their SIGN2-based production client base. In light of this, Flexera will maintain SIGN2 support until further notice to preserve license-server backward compatibility with 'recent' SIGN2 clients. Please review FNP release notes for notifications of changes to this policy.

When producers update their clients, they should prefer configuration 8, which is the most secure and simplest license signature configuration. This will allow (eventual) retiring of SIGN2.

Note: The standard lmgr.lib allows verification of all signature types, whereas the recommended lmgr_trl.lib allows verification only of TRL signatures. There are multiple known cases of a binary patch in a configuration 6 client which causes it to accept a legacy symmetric signature presented as SIGN and/or SIGN2 signatures in a rogue license file. Clients based on configurations 5 and 7 are vulnerable to a similar attack vector. The keys used in the old symmetric signatures are easily brute-forced, allowing rogue license files like this to be widely generated. This is why Flexera strongly recommends configuration 8 (or 9), where clients can verify only a TRL signature.
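The signature lengths in the table give producers a quick way to triage license files collected from the field when the product is expected to carry TRL signatures (configurations 5-9). The following audit script is an added example, not Flexera code; it assumes FEATURE/INCREMENT lines that carry SIGN="..." / SIGN2="..." values with optional backslash line continuation, and it counts signature characters with whitespace removed.

```python
import re

# Signature lengths in characters, from the table above.
LEGACY_LENGTHS = {12, 20}        # bespoke symmetric (configurations 1-4)
TRL_LENGTHS = {60, 84, 120}      # TRL1/TRL2 at 113/163/239 bit

# Assumed syntax: SIGN="hex groups" or SIGN=hex, same for SIGN2.
SIG_RE = re.compile(r'\b(SIGN2?)=(?:"([^"]*)"|(\S+))')

def logical_lines(text):
    """Join backslash-continued lines and drop blanks and comments."""
    joined = re.sub(r'\\[ \t]*\n', ' ', text)
    lines = (ln.strip() for ln in joined.splitlines())
    return [ln for ln in lines if ln and not ln.startswith('#')]

def classify(value):
    """Map a signature value to a type by its length, ignoring spaces."""
    length = len(re.sub(r'\s+', '', value))
    if length in TRL_LENGTHS:
        return 'TRL'
    return 'legacy-symmetric' if length in LEGACY_LENGTHS else 'unknown'

def audit(text):
    """Return (feature, {keyword: type}, verdict) per FEATURE/INCREMENT line."""
    findings = []
    for line in logical_lines(text):
        fields = line.split()
        if fields[0] not in ('FEATURE', 'INCREMENT') or len(fields) < 2:
            continue
        sigs = {kw: classify(q or b) for kw, q, b in SIG_RE.findall(line)}
        if not sigs:
            verdict = 'REVIEW: no SIGN keyword'
        elif all(t == 'TRL' for t in sigs.values()):
            verdict = 'ok'
        else:
            verdict = 'REVIEW: signature is not TRL length'
        findings.append((fields[1], sigs, verdict))
    return findings

# Constructed sample license file; the signature values are placeholders.
TRL_SIG = ' '.join(['0A1B'] * 15)            # 60 characters without spaces
SAMPLE = f'''# constructed sample
FEATURE f1 demo 1.0 permanent 4 \\
\tSIGN="{TRL_SIG}"
FEATURE f2 demo 1.0 permanent 4 SIGN="{TRL_SIG}" SIGN2="{TRL_SIG}"
FEATURE f3 demo 1.0 permanent 4 SIGN=0123456789AB
FEATURE f4 demo 1.0 permanent 4 0123456789ABCDEF0123
'''
```

A TRL-length value is not proof that the signature is valid; the check only flags entries whose signature cannot be a TRL signature, which is what a client linked against lmgr_trl.lib would refuse to verify.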

Last update: Nov 14, 2018 10:24 PM