- Revenera Community
- :
- FlexNet Publisher
- :
- FlexNet Publisher Knowledge Base
- :
- Certificate license signatures in FlexNet Publisher
- Mark as New
- Mark as Read
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Certificate license signatures in FlexNet Publisher
Certificate license signatures in FlexNet Publisher
Summary
Analysis of Certificate License signatures in FlexNet Publisher.Question
What are the various requirements of the certificate signatures with different combinations of ENCRYPTION_SEEDx and LM_SEEDx settings?Answer
This discussion was driven by (issues like) - 'Future support for SIGN2'
This information is intended to be shareable with customers. Configurations 6-8 in the table below are most relevant for customers asking about continued support of SIGN2.
Signature Configuration
|
#1
|
#2
|
#3
|
#4
|
#5
|
#6
|
#7
|
#8 (best practice)
|
#9 (second best practice)
|
---|---|---|---|---|---|---|---|---|---|
ENCRYPTION_SEEDS | Set | Set | Set | Not set | Set | Set | Not set | Not set | Set |
LM_SEEDS | Not set | Set | Not set | Set | Not Set | Set | Set | Set | Set |
TRL_KEYS / CRO_KEYS (Pre 8.1) | Not set | Not set | Not set | Not set | Set | Set | Set | Set | Set |
LM_STRENGTH | LICENSE_KEY | LICENSE_KEY | DEFAULT | DEFAULT | 113/163/239BIT | 113/163/239BIT | 113/163/239BIT | 113/163/239BIT | 113/163/239BIT |
Signature keyword | None | None | SIGN | SIGN | SIGN | SIGN and SIGN2 | SIGN | SIGN | SIGN and SIGN2 |
Signature type | Bespoke symmetric | Bespoke symmetric | Bespoke symmetric | Bespoke symmetric | TRL1 | SIGN: TRL1 SIGN2: TRL2 | TRL2 | TRL2 | SIGN: TRL1 SIGN2: TRL2 |
Signature length (chars) | 12 or 20 | 12 or 20 | 12 | 12 | 60/84/120 |
2 x 60/84/120 | 60/84/120 | 60/84/120 | 2 x 60/84/120 |
Client version | Pre-8.1 | 8.1+ | 7.1 - 8.1 | 8.1+ | 7.1 - 8.1 | 8.1+ | 8.1+ | 10.8.6+ | 10.8.6+ |
Library linkage | lmgr.lib | lmgr.lib | lmgr.lib | lmgr.lib | lmgr.lib | lmgr.lib | lmgr.lib | lmgr_trl.lib | lmgr_trl.lib |
Note:
- TRL1 = ECDSA signature
- TRL2 = Improved ECDSA signature
- FNP docs refer to these TRL1 and TRL2 signatures when discussing SIGN2
Configuration 6 clients require licenses with the SIGN2 keyword: changing a served license file from configuration 6 to 7 or 8 would break these existing clients. Therefore, in order to move on from SIGN2, producers needs to retire or upgrade their SIGN2-based production client base. In light of this, Flexera will maintain SIGN2 support until further notice to maintain license-server backward compatibility with 'recent' SIGN2 clients. Please review FNP release notes for notifications of changes to this policy.
When producers update their clients, they should prefer configuration 8, which is the most secure and simplest license signature configuration. This will allow (eventual) retiring of SIGN2.
Note: The standard lmgr.lib allows verification of all signature types, whereas the recommended lmgr_trl.lib allows verification only of TRL signatures. There are multiple known cases of a binary patch in a configuration 6 client which cause it to allow verification of a legacy symmetric signature presented as SIGN and/or SIGN2 signatures in a rogue license file. Clients based on configurations 5 and 7 are vulnerable to a similar attack vector. The keys used in the old symmetric signatures are easily brute forced, allowing rogue license files like this to be widely generated. This is why Flexera strongly recommends configuration 8 (or 9), where clients can verify only a TRL signature.