Encryption Product Keys : Public and Private key encryption

views:

132

answers:

Encryption Product Keys : Public and Private key encryption

I need to generate and validate product keys and have been thinking about using a public/private key system.

I generate our product keys based on

a client name (which could be a variable length string)
a 6 digit serial number.

It would be good if the product key would be of a manageable length (16 characters or so)

I need to encrypt them at the base and then distrubute the decryption/validation system. As our system is written in managed code (.NET) we dont want to distribute the encryption system, only the decryption. I need a public private key seems a good way to do this, encrypt with the one key that i keep and distribute the other key needed for decrpytion/verification.

What is an appropriate mechanism to do this with the above requirements?

NOTE: It's not to stop piracy; it's to reduce the likelyhood of novice users installing components they dont need/unauthorised to use.

.NET supports public key encryption in various ways, such as http://msdn.microsoft.com/en-us/library/ms867080.aspx. Having said this, all you'd gain is some confidence that someone with full access to the released code would not have the ability to issue their own product keys. None of this stops them from patching the client to accept anything as a valid key. That's where obfuscation fits in.

Steven Sudit 2010-06-17 00:40:43

this does not give me an answer to the question which was "What is an appropriate mechanism to do this with the above requirements?"

Aran Mulholland 2010-06-17 01:13:14

Like I said, PKE is not really relevant to your needs. If you just want to stop novice users, simply hide the installation choice unless an undocumented command-line option enables it. Then document this option only for those who need to install the needed component.

Steven Sudit 2010-06-17 16:25:21

Of course, to avoid patching, there's such a thing as code signing.

ErikHeemskerk 2010-06-18 04:38:28

@Erik: Since we're talking .NET here, I should mention that strong names are generally insufficient for this sort of thing because you can simply re-sign all of the modules with your own key.

Steven Sudit 2010-06-21 12:11:19

Don't even try to get fancy with anti-piracy. It's not worth it. I've cracked countless applications (hush) and .NET ones are by FAR the easiest. But in reality, they're all relatively easy with enough experience. If you don't believe me, check out isohunt some time.

tl;dr: It's a losing battle. Don't fight it. If you really want to win, sue infringments - but even that makes you lose.

Clark Gaebel 2010-06-17 00:56:36

This is not an answer to my question.

Aran Mulholland 2010-06-17 01:00:28

"Unauthorized component use" sounds a LOT like anti-piracy.

Clark Gaebel 2010-06-17 01:08:49

we have and administrator and a user and the software is unlikely to be cracked. we dont want the user installling the admin component. - - - if you dont want to answer the question, dont answer it. dont just tell the questioner why he should not have asked the question. the more dud answers a question has, the less likely it will actually be answered as people see it already has answers against it.

Aran Mulholland 2010-06-17 01:21:20

I agree with premise of those post but this answer is almost entirely irrelevant to the question.

Chris Marisic 2010-06-17 14:07:59

Please don't blame the messenger here. Instead, take a hint from the fact that your two answers both question your premises and offer an alternative course.

Steven Sudit 2010-06-17 16:26:16

I did something very similar. But in my case it was a simple telephone authorisation code. User would phone a number, give their company name and the operation they were performing, get a code, type it into the application and then be able to proceed.

What I did was serialise a piece of data into binary. The data included the hashed company name, operation code/expiration date, and had space to spare for future requirements. I then scattered the bits around the array to confuse it. Then I mapped each 5 bits of the binary array onto a 32 character auth-code alphabet (0-9,a-z,excluding I/O/Q/S for readability over telephone).

This resulted in a nice auth-code which was 16 characters, displayed as 4x4 blocks (####-####-####-####). It could be easily read out over the telephone, as the user only had to listen to four characters at a time, or even sent via SMS.

As with your problem, it wasn't intended to stop the code crackers at Bletchley Park, but was enough to stop the average office worker from doing something without following company procedure. And, given that scope, has been very effective.

Chris Kemp 2010-06-17 14:00:59

Why reinvent the wheel? Generate a 128-bit number and use it as a salt value when you hash the concatenated company name and related information with SHA-1. Give them the resulting number to enter. On the other end, the software will perform the same calculation and compare its hash with what the user entered. Run an obfuscater on the software to hide the shared secret. All done. This scheme is sufficiently secure, takes no effort, and does not require any novel algorithms that could have huge holes for all you know.

Steven Sudit 2010-06-18 04:43:25

ansaurus

tags:

views:

answers:

Encryption Product Keys : Public and Private key encryption

related questions