Challenge-response Mechanism (Using VLS API)
Syntax
typedef struct {
    unsigned long ulReserved;
    unsigned long ulChallengedSecret;
    unsigned long ulChallengeSize;
    unsigned char ChallengeData[30];
} CHALLENGE;

typedef CHALLENGE LS_CHALLENGE;

typedef struct {
    unsigned long ulResponseSize;
    unsigned char ResponseData[16];
} CHALLENGERESPONSE;
Member | Description |
ulReserved | LSAPI requires this to be set to 0. |
ulChallengedSecret | The index of the secret which the client application wishes the License Manager to use in computing its response to this challenge. This value may range from 1 to the number of secrets provided. The actual secrets are provided to the License Manager through the license code produced using the code generator. |
ulChallengeSize | Number of characters in ChallengeData. This value cannot be 0. |
ChallengeData | The actual string that is used in challenging the License Manager. This is a string consisting of a maximum of 30 characters, each of which can take any value from the ASCII character set. |
ulResponseSize | Number of characters in the response to the challenge. |
ResponseData | The string of characters representing the actual response. |
Description
The challenge-response mechanism can be used by a licensed application to authenticate the License Manager.
In challenge-response, the License Manager associates a secret with a feature; the secret is provided by the license code. The application also contains this secret. In the License Manager validation process, an application “challenges” the License Manager with a data string. The License Manager computes a response from the values data and secret according to a previously arranged algorithm, and returns that response. The client application locally computes the expected response from data and secret, and verifies that it matches the response returned by the License Manager.
In order for the authentication mechanism to work correctly and securely, both the License Manager and the client application must use the same algorithm to compute the response given the values of data and secret. LSAPI requires the use of the software, “RSA Data Security, Inc. MD4 Message Digest Algorithm” provided by RSA Data Security, Inc. to compute the response.
In practice, to save execution time and space, the client application need not invoke the MD4 Message Digest Algorithm at run time to calculate the response. Challenge-response pairs can instead be maintained in a pre-computed table.
Sentinel RMS allows the use of multiple secrets, with secrets indexed starting at 1. Client applications can challenge the License Manager to produce a response for a string data using secret[i], where i is the index of the secret (maximum is 7).
The following structures are used by the challenge parameter in challenge-response. challenge is an in/out parameter for the LSRequest and VLSrequestExt function calls and must be properly allocated and initialized by the calling process.
The parameter used to pass the challenge structure is also used by the library to return the response structure. The CHALLENGE pointer must therefore be typecast to CHALLENGERESPONSE * to obtain the correct response after the function call.
The response to a challenge made with any function call (for example, LSRequest) is valid only if that function call returns LS_SUCCESS. If LS_SUCCESS is not returned, the response to the challenge is undefined.
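The client-side handling described above (filling the challenge, reading the response back from the same buffer, and accepting it only after LS_SUCCESS) is shown here as an added example; it is not Sentinel RMS code and not part of the original page. build_challenge, verify_response and MAX_SECRET_INDEX are hypothetical names, the challenge and response bytes are constructed, and the LSRequest call itself is represented only by the call_ok flag.

```c
#include <stdio.h>
#include <string.h>

/* Structures as documented on this page. */
typedef struct { unsigned long ulReserved; unsigned long ulChallengedSecret;
                 unsigned long ulChallengeSize; unsigned char ChallengeData[30]; } CHALLENGE;
typedef struct { unsigned long ulResponseSize; unsigned char ResponseData[16]; } CHALLENGERESPONSE;

#define MAX_SECRET_INDEX 7 /* highest secret index, per this page */

/* Hypothetical helper: fill a CHALLENGE following the documented member rules.
   Returns 0 on success, -1 if the input breaks one of those rules. */
int build_challenge(CHALLENGE *c, unsigned long secret, const unsigned char *data, size_t len)
{
    if (!c || !data || len == 0 || len > sizeof c->ChallengeData) return -1;
    if (secret < 1 || secret > MAX_SECRET_INDEX) return -1;
    memset(c, 0, sizeof *c);              /* also sets ulReserved to 0 */
    c->ulChallengedSecret = secret;
    c->ulChallengeSize = (unsigned long)len;
    memcpy(c->ChallengeData, data, len);
    return 0;
}

/* Hypothetical helper: compare the response left in the challenge buffer with a
   pre-computed table entry. call_ok must be nonzero only when the request
   returned LS_SUCCESS; otherwise the buffer contents are undefined. */
int verify_response(const CHALLENGE *buf, int call_ok, const unsigned char *expected, size_t n)
{
    CHALLENGERESPONSE r;
    unsigned char diff = 0;
    size_t i;
    if (!buf || !expected || !call_ok || n == 0 || n > sizeof r.ResponseData) return 0;
    memcpy(&r, buf, sizeof r);            /* same bytes the CHALLENGERESPONSE * cast reads */
    if (r.ulResponseSize != n) return 0;
    for (i = 0; i < n; i++)               /* no early exit on the first mismatch */
        diff |= (unsigned char)(r.ResponseData[i] ^ expected[i]);
    return diff == 0;
}

int main(void)
{
    const unsigned char data[] = "constructed-challenge";     /* constructed sample */
    unsigned char expected[16] = {0x01, 0x02, 0x03};          /* constructed table entry */
    CHALLENGERESPONSE fake = {16, {0x01, 0x02, 0x03}};        /* stands in for the reply */
    CHALLENGE c;
    if (build_challenge(&c, 1, data, sizeof data - 1) != 0) return 1;
    memcpy(&c, &fake, sizeof fake);       /* the library overwrites the same buffer */
    printf("response %s\n", verify_response(&c, 1, expected, sizeof expected) ? "accepted" : "rejected");
    return 0;
}
```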
For more information on how to associate secrets with a feature, see VLScgAllowSecrets in the License Generation API Guide.