Validate WCF Service
I'd like to write a license management system based on WCF services.
How can I ensure that the (end) user/"hacker" cannot replace our license management services with a corrupt server?
Our license server is hosted on our server on the internet. When the server sends corrupt data to the client, the complete license management concept is destroyed.
Thank you.
You are trying to solve something which cannot be solved. Once you provide the application to the client and the client deploys it on his computer, he can of course do whatever he wants with your application. Even if you hardcode some security check into the application, the client can reverse engineer and modify your code. You can reduce his chances by using some obfuscation of your libraries, but still anything deployed on the client machine can be cheated. That is the reason why warez exists and there is no bulletproof solution.
If you don't want the client to cheat you, build your application as web-based and host it on your servers. The client will pay for access / an account and he will not be able to avoid your licensing strategy.
If you want some high-quality licensing strategy which is harder to cheat, try to buy some existing solution instead of creating your own.
I think public-key cryptography might be an answer here. I'm not an expert in security so I might be really wrong, but as far as I can see, you may have a public key for decryption hardcoded into your service consumer and a private key for encryption on your license server. Then the workflow might be as follows:
- The client generates some random message and sends it to the server.
- The server encrypts this message and returns the encrypted result.
- The client tries to decrypt the received message, and if it matches the original one, then the server is validated successfully.
Of course this may be done only assuming that you can guarantee that your service consumer app cannot be hacked, but otherwise I do not see any point in hacking the service anyway.
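
The challenge-response flow from the answer above, written with an RSA signature over the client's random message, as an added example that is not part of the original posts. It goes slightly beyond the answer by signing the license payload together with the nonce, so the client checks the data as well as the server; the key pairs, payloads and all names are constructed for the demo, and it assumes .NET Framework 4.7.2+ or .NET Core.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class LicenseHandshakeDemo
{
    // Server side: sign nonce || license with the private key.
    // The nonce has a fixed length (32 bytes), so the concatenation is unambiguous.
    static byte[] ServerSign(RSA privateKey, byte[] nonce, byte[] license) =>
        privateKey.SignData(nonce.Concat(license).ToArray(),
                            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    // Client side: accept the license only if the signature verifies under the
    // public key shipped with the client AND covers the nonce this client sent.
    static bool ClientVerify(RSAParameters pinnedPublicKey, byte[] nonce, byte[] license, byte[] sig)
    {
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(pinnedPublicKey);
            return rsa.VerifyData(nonce.Concat(license).ToArray(), sig,
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static void Main()
    {
        using (RSA serverKey = RSA.Create(2048))   // constructed key pair standing in for the license server
        using (RSA otherKey = RSA.Create(2048))    // constructed key pair standing in for a replaced server
        using (var rng = RandomNumberGenerator.Create())
        {
            RSAParameters pinned = serverKey.ExportParameters(false); // public half only
            byte[] nonce = new byte[32];
            rng.GetBytes(nonce);                                      // fresh challenge per request
            byte[] license = Encoding.UTF8.GetBytes("{\"product\":\"demo\",\"seats\":5}"); // constructed payload

            byte[] sig = ServerSign(serverKey, nonce, license);
            Console.WriteLine("genuine reply accepted:    " + ClientVerify(pinned, nonce, license, sig));

            byte[] altered = Encoding.UTF8.GetBytes("{\"product\":\"demo\",\"seats\":500}");
            Console.WriteLine("altered payload accepted:  " + ClientVerify(pinned, nonce, altered, sig));

            byte[] otherSig = ServerSign(otherKey, nonce, license);
            Console.WriteLine("replaced server accepted:  " + ClientVerify(pinned, nonce, license, otherSig));

            byte[] earlierNonce = new byte[32];    // a recorded reply was signed over a different nonce
            Console.WriteLine("recorded reply accepted:   " + ClientVerify(pinned, earlierNonce, license, sig));
        }
    }
}
```

As the first answer points out, this only holds while the client binary and its embedded public key are unmodified.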