Security
This page outlines the security measures implemented by MC License.
MC License implements multiple layers of security to protect license validation and prevent unauthorized usage. Our library handles this automatically, but it’s important to understand these security measures when implementing custom solutions or troubleshooting issues.
To set the scene, when your plugin starts on a user’s server, it’ll send a request to the MC License validation API. Below is an example response:
RSA Signature Verification
Every response from our API is cryptographically signed using RSA, a robust asymmetric encryption algorithm. This signature is used to verify the authenticity of the response and ensure that it hasn’t been tampered with.
Here’s how it works:
- Our server signs the response data using a private key that only we possess
- Your plugin verifies the signature using our public key
- If the response data has been tampered with, the signature verification will fail.
If someone tries to:
- Modify any field in the response
- Forge a response with a different signature
- Reuse an old signature with new data
The signature verification will fail and the license check will be rejected.
Nonce Validation
A nonce is a unique identifier that is generated for each request. It’s used to prevent replay attacks, where an attacker intercepts a valid response and sends it multiple times to bypass the license check.
Here’s how it works:
- Your plugin generates a random UUID to use as the nonce and includes it in the validation request
- The MC License server receives the request with your nonce and includes the exact same nonce in its response
- The server signs the response data which includes the nonce
- Your plugin verifies that the response contains exactly the same nonce it sent
- If the nonces don’t match, the response is rejected.
Together with RSA signature verification, this ensures that responses are both authentic (from our server) and can only be used once (not replayed).