The basic challenge protocol provides the means for an LSAPI-enabled application to verify that an LSAPI-compliant license system has given it legitimate permission to run.
Every license has one or more keys, called secrets, that the software publisher chooses. The publisher typically encrypts the secrets within the license and only the license server has the means to decrypt them. The basic challenge protocol supported by all LSAPI-compliant license systems works on the principle of shared secrets: the application and the license server share a secret value.
An LSAPI-compliant license system requires a minimum of four secrets, each 4 bytes (32 bits) in length. The application challenges the authenticity of a license by requiring the license system to prove that it has one of the secrets. The server can compute the correct response to the challenge only if it has the secret: it must return a mathematical function of the challenge and the shared secret. Because the application also has the secrets on the license, it can compute the expected response itself and check that the server's response matches the challenge. The secret itself never passes between the application and the license system in plain text.
The basic challenge protocol includes a level of mutual authentication to prove to the license system that the application has the selected secret. The protocol also helps ensure that an intruder cannot modify the parameters the application sends to the license system, or the parameters the license system returns to the application.
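The exchange described above, sketched as an added example (not LSAPI's own code or algorithm). HMAC-SHA-256 stands in for the unspecified "mathematical function", and the function names, message layout, and sample secrets are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample secrets: four values of 4 bytes each, as the text requires.
SECRETS = [bytes.fromhex(h) for h in ("1a2b3c4d", "5e6f7081", "92a3b4c5", "d6e7f809")]

def _mac(secret: bytes, *fields: bytes) -> bytes:
    # Length-prefix each field so adjacent fields cannot be shifted into each other.
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(secret, msg, hashlib.sha256).digest()

def app_challenge(secrets, index, params: bytes):
    """Application side: pick a secret by index, bind a fresh nonce to the request."""
    nonce = os.urandom(16)
    proof = _mac(secrets[index], b"request", nonce, params)
    return {"index": index, "nonce": nonce, "params": params, "proof": proof}

def server_respond(secrets, req, result: bytes):
    """License-system side: authenticate the application, then answer the challenge."""
    if not 0 <= req["index"] < len(secrets):
        return None
    secret = secrets[req["index"]]
    expected = _mac(secret, b"request", req["nonce"], req["params"])
    if not hmac.compare_digest(expected, req["proof"]):
        return None  # caller lacks the secret, or request parameters were modified
    return {"result": result, "proof": _mac(secret, b"response", req["nonce"], result)}

def app_verify(secrets, req, resp) -> bool:
    """Application side: recompute the expected response and compare in constant time."""
    if resp is None:
        return False
    expected = _mac(secrets[req["index"]], b"response", req["nonce"], resp["result"])
    return hmac.compare_digest(expected, resp["proof"])

def demo():
    req = app_challenge(SECRETS, 2, b"product=editor;units=1")
    good = server_respond(SECRETS, req, b"granted")
    forged = {"result": b"granted", "proof": bytes(32)}   # responder without the secret
    altered = dict(good, result=b"granted;units=99")      # response modified in transit
    tampered_req = dict(req, params=b"product=editor;units=99")
    return (app_verify(SECRETS, req, good), app_verify(SECRETS, req, forged),
            app_verify(SECRETS, req, altered), server_respond(SECRETS, tampered_req, b"granted"))

if __name__ == "__main__":
    print(demo())
```

The `request` and `response` labels keep a proof computed for one direction from being accepted in the other, and the per-call nonce ties each response to the challenge that produced it.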
Additional information about the steps in the basic challenge protocol is provided in the following topics: