There are a lot of questions relating to license keys asked on Stack Overflow. But they don't answer this question.

Can anyone provide a simple license key algorithm that is technology independent and doesn't require a diploma in mathematics to understand?

The license key algorithm is similar to public key encryption. I just need something simple that can be implemented in any platform .NET/Java and uses simple data like characters.

Written as Pseudo code is perfect.

So if a person presents a string, a complementary string can be generated that is the authorisation code. Below is a common scenario that it would be used for.

  1. Customer downloads software which generates a unique key upon initial startup/installation.
  2. Software runs during trial period.
  3. At end of trial period an authorisation key is required.
  4. Customer goes to designated web-site, enters their code and gets authorisation code to enable software, after paying :)

Don't be afraid to describe your answer as though you're talking to a 5 yr old as I am not a mathematician.

+5  A: 

In matters of security, not reusing a well known and tested algorithm and trying to create your own (lacking mathematical knowledge) is suicidal

Disclosure: I completely lack the mathematical degree to create such algorithm, and being frank, I don't personally know anyone who has it

Pablo Fernandez
I was asking for a pseudo algorithm I can adapt into a standard programming language and use the concepts on strings. I find it gets "suicidal" if you start trying to do byte-level translations.
giulio
I *do* have a degree in mathematics with a primary study in Number Theory (where a lot of these sorts of algorithms have their roots in) and I totally agree.
Anthony Potts
+4  A: 

There is no reliable licensing algorithm. Really. Not even one. For the most popular, most expensive proprietary software you can buy, you can also find "key generators" and hacked versions that don't require licensing.

Instead of worrying about making it "unbreakable", just do something simple. A popular mechanism is to, at purchase, ask for the user's name, and then give him a license key that's derived from a cryptographic hash (e.g. MD5 sum) of the user's name, or some variation on it. Then, in the software you ask for their name again, plus the registration key (that MD5-derived thing); you check to see that they match, which activates the software.

Can this be hacked? Absolutely. Once someone figures out how you're generating the license keys, they can generate their own. But if you keep a database of the "official" license keys you've generated so far, at least you'll be able to identify the fraudsters later on (perhaps when they try to download "premium" content or something).

But don't worry so much about stopping the hackers from cracking your code. It's going to happen, but they're such a tiny part of the market that it won't significantly affect your overall sales.

tylerl
Name and Purchase date are a common combination. When they renew, you have to generate a new key. You record the plaintext name in a file and the file modify time is also part of the hashed string used to create the license key.
S.Lott
The algorithm would need to also have a way of expiring. Nice idea, but not required for activation in what I am doing.
giulio
@giulio: You don't have to implement expiring. But you do have to provide enough salt that the key can't be guessed. The creation date is a standard kind of salt.
S.Lott
@giulio: to implement expiring, simply encode the start and end date into the product key.
tylerl
+1  A: 

In all honesty, what you're trying to do is pointless. However much time it takes you to write a validation/encryption/key system, estimate roughly half that for someone to break it. Even if you encrypt the final executable. However, as a delaying measure or a way to decrease the chance of people getting premium support for stolen copies, it will help. Also for simple tracking of buyers. Or for fun. :p

Anyway, there are a few ways you can handle it. A lot of software uses name (and possibly company) string(s) and a hash function to generate a key. This has the advantage of being constant (as long as the name is the same, the hash is, and so the key is). It is also a very simple system, especially if you use a well-known hash such as MD5.

    hash = md5(name);

Some fancier apps use an internal function to generate a validation code of some sort, and when you combine that and the given name, you can create (and send back) a hash.

    validCode = getCode(name);
    hash = myHash(name ^ validCode);

A few use a system-based code (Windows is a good example), where it samples bits of hardware and builds an identifier from that. If you can get ahold of the processor name or speed, or anything else, you can run something like that. The only problem is system changes can render a code invalid, so you can either warn your users (and give away part of the process) or let them find out accidentally (not good).

    sysID = processor_name() | ram_Speed();
    hash = md5(sysID & name);

You can use any combination of hash functions, data gets, string inputs, boolean operations, etc. One thing to consider is you don't need to be able to reverse the process. As long as you can replicate it with the same results (any good hash function can), you can check the hashed results against each other and make sure it's valid. The more you put in, the more complicated it'll be, but the harder it'll be to crack.

Hopefully that helps with your question.

peachykeen
A: 

I use a system like this:

• create a string from windows licence key + trial period end date

• generate a hash (Sha/md5) from the string

• convert the trial end date to an int (e.g. Number of days)

• the key becomes trial end date + some part of the hash

• convert the key to only uppercase characters to make it easier to enter

ABCD-DEFG-HIJK...

the validation works like

• convert key to bytes again

• extract trial end date

• create string from windows licence key + trial end date

• hash

• compare hash with rest of key

this makes it difficult enough for my audience.

adrianm
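The procedure in adrianm's answer (expiry date plus part of a hash, entered as uppercase groups), which also covers tylerl's suggestion to encode the end date into the key, as an added example that is not part of any answer on this page. It swaps the plain Sha/md5 hash for HMAC-SHA256 with a vendor secret, and uses a generic machine identifier string where the answer uses the Windows licence key; `SECRET`, `EPOCH`, `TAG_LEN` and the function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import struct
from datetime import date, timedelta

# Assumptions for this illustration (none of these names come from the page).
SECRET = b"constructed-demo-secret"  # placeholder vendor secret
EPOCH = date(2000, 1, 1)             # day 0 for the 16-bit expiry counter
TAG_LEN = 8                          # bytes of the MAC kept in the key

def _tag(machine_id: str, days: int) -> bytes:
    """Truncated HMAC over machine id + expiry day ("some part of the hash")."""
    msg = machine_id.encode("utf-8") + b"|" + struct.pack(">H", days)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:TAG_LEN]

def make_key(machine_id: str, end: date) -> str:
    """Key = expiry day (2 bytes) + tag (8 bytes), base32, grouped in fours."""
    days = (end - EPOCH).days
    raw = struct.pack(">H", days) + _tag(machine_id, days)
    text = base64.b32encode(raw).decode("ascii")  # 10 bytes -> 16 chars, no padding
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))

def check_key(machine_id: str, key: str, today: date):
    """Return the expiry date for a valid, unexpired key, otherwise None."""
    text = key.replace("-", "").replace(" ", "").upper()
    try:
        raw = base64.b32decode(text)
    except ValueError:  # bad alphabet or length (binascii.Error is a ValueError)
        return None
    if len(raw) != 2 + TAG_LEN:
        return None
    days = struct.unpack(">H", raw[:2])[0]
    # Recompute the tag from the date carried in the key; constant-time compare.
    if not hmac.compare_digest(raw[2:], _tag(machine_id, days)):
        return None
    end = EPOCH + timedelta(days=days)
    return end if today <= end else None

if __name__ == "__main__":
    k = make_key("CONSTRUCTED-MACHINE-ID", date(2030, 1, 1))
    print(k, check_key("CONSTRUCTED-MACHINE-ID", k, date(2029, 6, 1)))
```

Because the expiry date is covered by the tag, editing the date bytes in a key invalidates it. The secret still has to ship inside the client for offline checks, so this stays the symmetric scheme the answers describe: anyone who recovers the secret and the algorithm can produce keys.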
A: 

License keys are fairly useless in my honest opinion.
What's to stop your customer from distributing that key to others? Sure you could set up a license key server that records the number of activations but that costs money and what will happen if it goes down or goes away?

In my professional opinion, create a software that is branded uniquely to a user (encrypted inside the program of course). For example, if you go to help -> about of the software then display the person's name, phone, and possibly their address. This way if they upload it to a pirate site of some kind, not only will other people know this guy's personal information... but so will you in order to charge him for more licenses or sue him.

Nathan Adams
I am able to take unique info out of the user's technical environment that goes towards their key generation. So if anyone else intends to use it, the system does the check, halts and prompts for a valid key based on the new environment it is trying to run in. Yes, you can hack the most sophisticated licensing systems ever created. Microsoft have tried and failed and they have the dosh to throw at it too. But this is really a barrier to casual piracy. If someone really really wants to hack it they will. But this risk is fairly low considering what the software is for and the target market.
giulio