Automated processes for providing signed, encrypted or validated documents or other content have been developed. Signed or validated content can comprise or be used in connection with license key files that are automatically generated by a trusted process, without human intervention. Systems for automatically generating signed content are often accessible from public networks. Because of this, the security and integrity of such processes is a concern.
Previous processes for generating signed or validated content have the signing or encrypting key and algorithm embedded in the generating process itself, or the generating process may make a call to an encryption or signing program. Such solutions require one of the following: (1) the private key is known to the generating process; (2) the passphrase protecting the private key is known by and embedded in the generating process; or (3) there is no passphrase protecting the private key. As a result, attacking or otherwise tampering with the signing or encrypting process can be easily achieved.
As an example, conventional processes for automatically generating and delivering access to content for limited times generally include a content (in this case a license file) generation module and an encryption or signing module. According to conventional systems, the content generation module must pass the passphrase of the private key used to sign or encrypt the content to the encryption or signing module as clear text. Alternatively, the private key is unprotected. As a result, an attacker can attack the content generation module, which is traditionally less secure than the signing module, to gain access to the private key. Accordingly, such conventional processes are vulnerable to attack.