A customer wants their product to require users to enter a machine-specific code, so that they can only run it on one machine... if they want to use it elsewhere they get a deactivation code from the first machine and send that back to prove this.

If the app could talk to their server this could be made much smoother but this is not the case. I thought of a workflow but it's a bit convoluted:

  1. Customer purchases a license and is emailed a serial code
  2. Customer installs App and is prompted for serial code
  3. App generates a machine-specific code and performs some operation combining this with the serial code, providing this PC-Code to the Customer
  4. App now requests an Activation code, once entered it will run
  5. Customer sends PC-Code to Vendor who check it's valid against their recorded serial code, and using both generates an Activation code which they send to the Customer

The idea is PC-Code and Activation Code are both short, more like pin-numbers, so it's not too horrific... but is there a better system? And how can specific steps be implemented?

I personally don't like restricting the customer so much but it's not my call, it's been argued to death already :)

+1  A: 

By using an activation code step you are effectively forcing the customer to be your internet connection. Unfortunately without this step you can't tie them down to a machine.

The biggest problem is going to be your deactivation code - if the customer writes down their activation code what's to stop them using it to reactivate their PC again?

The only way would be to have your activation code somewhat based on date so that they get a week or month to enter it. They'll probably never notice an issue unless they need to do a reinstall, in which case you can reissue another activation code (provided there isn't an outstanding non-deactivated code for a different machine).

How programming-competent are your customers and how motivated will they be to crack your software?

This article provides some good ways on getting hardware information.

Graphain
We are only guarding against "casual piracy" where a user thinks "I can install on all my PCs, who will know?" Users are not expected to try and crack it, it's for sale to corporate environments only. Good call on using the date, that makes sense.
John
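A sketch of the offline workflow from the question combined with the date-limited activation code suggested in this answer. It is an added example, not code from any poster; the shared `VENDOR_KEY`, the code lengths, the one-month window and the `machine_id` string (for example a hardware hash or hostid) are all assumptions. Because the app must carry the same key as the vendor, this only fits the "casual piracy" threat model described above.

```python
import hashlib
import hmac
from datetime import date
from typing import Optional

# Assumption: one secret shared by the vendor's tool and the shipped app (constructed value).
VENDOR_KEY = b"constructed-demo-secret"

def _digits(key: bytes, n: int, *parts: str) -> str:
    """Truncate HMAC-SHA256 over the parts to an n-digit decimal code."""
    mac = hmac.new(key, "|".join(parts).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**n:0{n}d}"

def pc_code(serial: str, machine_id: str) -> str:
    """Step 3 (app): 6 digits derived from the machine + 2 check digits tied to the serial."""
    machine_part = _digits(b"machine", 6, machine_id)
    return machine_part + _digits(VENDOR_KEY, 2, "pc", serial, machine_part)

def _activation(serial: str, pc: str, day: date) -> str:
    # The issue month is mixed in, so a written-down code stops working later.
    return _digits(VENDOR_KEY, 8, "act", serial, pc, f"{day.year}-{day.month:02d}")

def vendor_issue(serial: str, pc: str, today: date) -> Optional[str]:
    """Step 5 (vendor): reject a PC-Code whose check digits do not match the serial."""
    expected = _digits(VENDOR_KEY, 2, "pc", serial, pc[:6])
    if len(pc) != 8 or not hmac.compare_digest(pc[6:].encode(), expected.encode()):
        return None
    return _activation(serial, pc, today)

def app_accepts(serial: str, machine_id: str, entered: str, today: date) -> bool:
    """Step 4 (app): accept a code issued this month or last month for this machine."""
    pc = pc_code(serial, machine_id)
    last_month = date(today.year - (today.month == 1), (today.month - 2) % 12 + 1, 1)
    return any(
        hmac.compare_digest(entered.encode(), _activation(serial, pc, d).encode())
        for d in (today, last_month)
    )

if __name__ == "__main__":
    # Constructed sample values.
    pc = pc_code("SER-1234", "machine-A")
    code = vendor_issue("SER-1234", pc, date(2024, 1, 20))
    print(pc, code, app_accepts("SER-1234", "machine-A", code, date(2024, 2, 5)))
```

The app has to record locally that activation succeeded, since the code itself is rejected once the window has passed.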
+1  A: 

This is why hardware keys are used, you cannot physically plug it into two devices at once. The only method with software requires a trusted third party to manage quorum, i.e. authentication servers over the Internet.

One popular unique identifier for Unix licensing is the hostid. A modern alternative would be to include a secure token generator such as the RSA SecurID. Have the administrator read the token over the phone to the vendor, pass through some algorithm to generate a key to unlock the software.

Everything else is going to be smoke and mirrors.

Steve-o
Does anyone make/sell hardware keys that you can very simply plug-in to your app?
John
The Wikipedia article on "Dongle" has a good list of suppliers, http://en.wikipedia.org/wiki/Dongle
Steve-o