Secure Licensing with Sentinel RMS
This section provides information about the security measures associated with Sentinel RMS.
Security | Used for | Applicable to v11–v17 Licenses | Applicable to v18 (and later) Licenses |
---|---|---|---|
RSA 2048 |
Signing licenses. See the section Enhanced License Security for details. |
x | a |
128-bit AES Algorithm | The industry-standard AES algorithm is used to encrypt the encrypted licenses and some sensitive information of readable licenses (such as the secret text and private vendor information). | a | a |
SHA-256 Cryptographic Hash Algorithm | The locking codes are of strength 64-bit hash based on SHA-256. | a | a |
Secure communication between the License Manager and client |
An industry-standard secret-key authenticated encryption is used to secure the RMS License Manager communication, by default. All messages are time-stamped to prevent attempts of replaying encrypted messages in response to license requests. Critical licensing information required by the License Manager is encrypted to the network licenses by a separate set of encryption algorithms. In addition, you can use the challenge-response mechanism to authenticate the License Manager. |
a | a |
Enhanced License Security (Version 18 Onward)
Since the Sentinel RMS 9.2 release, the licenses generated are digitally signed using RSA 2048 for greater security.
Each software vendor is assigned a unique public/private key pair for signing licenses. This key pair is generated and managed by Thales and is seamlessly integrated with the Sentinel RMS license generator (libraries and utilities). The key pair has a default version of 1, and is referred to as Signing Key Index. The Signing Key Index for the older version licenses (v17 and earlier) is considered as 0.
The process of license signing is automatically handled by the license generator. The licenses generated are signed by a software vendor-specific private key. The license signature is verified by the Sentinel License Manager at the time of license addition.
NOTE The short numeric licenses do not support RSA 2048 signing.
Restricting Consumption of v17 (and Earlier) Licenses
You can restrict the consumption of v17 (and earlier) licenses to support use of more secure v18 (and later) licenses using the following API:
>Unified API: Unified API restricts the license consumption to high security v18 licenses by default. So, if you want to allow use of less secure licenses (v17 and below) via Unified API, then use the attribute SNTL_ATTR_APPCONTEXT_MINIMUM_SIGNING_KEY_INDEX.
>Traditional VLS API: To support backward compatibility, the traditional VLS API allows consumption of all type of licenses by default. So, if you want to restrict use of only more secure licenses (v18 onward), then the API VLSsetMinimumSigningKeyIndex can be used.
See also: