Hi,
I want to create a license key, which cryptography algorithm would you recommend?
Basically the inputs would be:
company name major version number date created expirey date has feature1: has feature2: has feature3:
e.g. Acme Inc 5.0 20081102 20081102 0 1 0
The answers to your other question are appropriate here, too: http://stackoverflow.com/questions/258721/which-built-in-net-crypotgraphy-algorithm-is-the-most-secure
If you are doing validation on the customer-side, you want to use asymmetric encryption. That way you do not have to distribute the private key to the customer. I would generate a RSA signature using SHA-256 and a 2048 bit key. If you do that, the cryptographic operations will not be the weak link. A cracker could of course change the code to skip the verification step, but no cryptographic algorithm will help that.
If you are doing validation server-side, I would choose a SHA-256 based HMAC.
I would recommend don't spend too much time on securing your keys with byte compiled languages it is very easy to decompile and just make the application skip the validation step. No matter how secure your keys are. They don't matter when your validation function always return true. Serial keys are there to keep honest people honest.
If you would like to see an example of Triple DES encryption, you can take a look at my blog post on encrypting data in a database.
The blog post contains a video and the source code.
Although it focuses on encrypting string columns in the database, you can definitely modify it to work with licensing fields.
The source code is written in C# and uses Triple DES algorithms.
If you want an example of using the Crypto classes, Jeff Atwood has a good article at CodeProject on a simplified wrapper for the .NET cryptography classes.
You need to do 4 things:
No 1: Checksum your application (MD5, with custom md5 context)
- MD5 context needs to be encryptedly initialized
- Compare agains private/public key encrypted checksum
No 2: Checksum your running application's text segment
No 3: Use 4096-Bit RSA Private-Public key encrypting for the license
No 4: Encrypt any crucial strings, like "Wrong key" or "Key ok"
For a license key you are not so much interest in encrypting it, but on signing it. By signing it you can validate that the expiry date and enabled feature list was not tampered with. There is no need to hide (encrypt) the license key, as there is no threat you want to mitigate by hiding the license from the end user.
Cryptographic signatures are done by hashing the license and then encrypting the hash with a private key. Since anyone can decrypt that hash using the corresponding public key, anyone can verify if the license was tampered with.
The basic CryptoAPI function to sign and verify are CryptSignHash and CryptVerifySignature, see Example C Program: Signing a Hash and Verifying the Hash Signature.
The .Net Framework equivalent are the RSAPKCS1SignatureFormatter and RSAPKCS1SignatureDeformatter classes.