>>You'd need to check that the right key was used. If a way to tell whether the correct key was used was added to the library this would decrease the overall security of the library by making it succeptible to brute force attacks among other things (the library would have to embed the key in the ciphertext so it could check it and this would not be a good thing). If you don't know what the right key should be or what the resultant plaintext should be when decrypting the ciphertext then there is no way to know whether the key used is the right one.
>>
>>Perhaps you could explain a little more about what you are trying to do and why not having the ability to know whether the correct key was used is causing you a problem (or why you feel that such a feature would be useful to you)?
>>
>
>
>Thanks for the reply!
>
>Suppose I have an application to distribute to users. The application requires a license to be activated on it's initial run. The user may download the software upon purchase and they will receive an email attached the license encrypted by a key generated uniquely for the customer. Of course, it wouldn't be wise or logical to store that key within the application. Therefore if there were a way to know that the decrytion failed with the key provided, certain measures may be taken in such an event. In this scenario, I could warn the user that the key provided is incorrect. I was expecting an error, exception or for Decrypt function to return .f. if not decrypted correctly because CryptDecrypt function in AdvAPI32.DLL returns zero (FALSE) and sets last error.


You can use a challenge - response approach:

1) The user runs the app,
2) the application determines some unique feature of the machine like the Nic MAC or hard disk serial number or some such,
3) the application generates a unique challenge from this and possibly other information,
4) the challenge is sent to you,
5) you generate a unique response code based on the challenge,
6) the response code is given to the user,
7) the users application matches the response given to the challenge using the same algorithm,
8) the challenge and response are machine specific because of step 2
9) you can store the challenge and response in a table which you can optionally encrypt using a password in the application or even a password made from information gathered in step 2.