Hi, I have a piece of shareware that I wrote that I'd like to distribute on the internet. I have a serial number type thing set up but there is still a ton of key sharing :(. I'd like to add a system where once the user enters the serial, it is checked with my server to make sure that it is valid. Simplicity is key.

- Client sends MD5 of serial number to web page using PHP type thing "www.mywebsite.com?key=3434343"

- PHP script takes MD5 and checks it against simple database. If MD5 key exists in database, it increments a counter associated with that key, and generates a webpage that displays a 1. If no entry in the database, the script generates a webpage that displays 0.

- Client reads webpage and checks for 0 or 1 and acts accordingly.

I will manually enter in valid keys (md5'd) in the database and monitor active keys for too many activations. I don't know anything about php so I don't know if this will work. Does this seem good enough? Are there blatant security holes? I will be using a shared host. Is there a better way? Thanks

+4  A: 

There are actually several blatant security holes in your scheme.

The first is that users can redirect their local internet traffic to a site that pretends to be you, but always displays a "1".

The second is that each key would only be good for X "activations", but if the message is lost in transit, too bad - the counter is still incremented. You need some way to validate that everything is OK; viewing the page is not enough.

The third is that hacking the program to think it got a "1" from your site would be the easiest thing in the world.

Don't implement your own copy protection. It will just annoy legitimate users, while not even slowing down real pirates. Either use a sophisticated commercial system, or (better yet!) try to strike at whatever motive is leading users to steal your program. This might be that your price is too high, or perhaps they don't feel you respect them. People do things for a reason.

Borealid
I think it will be enough to stop casual sharing of keys in office environments. I'm not too worried about sophisticated hackers. Knowing this, is there anything else wrong? I bought Armadillo but that doesn't do activations.
max111
@max111: If you want to stop casual key-sharing, why not just make the user download a "full version" binary locked to their user account? That doesn't involve users being unable to reinstall their program in the event your server goes down. Which, eventually, it will. Are you ready to maintain a stable web server running this software for the rest of your life?
Borealid
+3  A: 

You're lacking a vital understanding of the key... the key is in the form of an MD5, which will contain both alpha and numeric characters. Consider this as an example:

3c102d6b53a7a8723e694f1417c2abfe 

How are you going to generate the key? On what basis do you generate the key?

I also see in this the passing of the key to the website using a parameter like this:

www.mywebsite.com?key=3434343

It will take a while for the hacker to find a key... what with the advent of processor speed and key generation... it will be cracked in no time. Furthermore, you will be exposing your script... do not underestimate what hackers/crackers can do to break the scripts... which is something you did not mention in your posting, no security defences of any kind!

Also, there's no mention of using security certificates to authenticate and not to scare off the end user, or even worse, an antivirus scanner may flag the site as suspicious, thus the end user is locked out of the application...

BOTTOM LINE: Do not try security schemes like this as they are false economy. Either way, it would be the equivalent of a moth attracted to a flame: when an application "is protected", hackers/crackers will attempt to bypass it regardless of what you think... and you would be kidding yourself into thinking and deluding yourself that you're a brilliant programmer and that your dreamt-up scheme is foolproof - DON'T... Stay away from these kinds of schemes...

tommieb75
+1  A: 

I would echo the points that have been raised in the comments about why you should consider not doing this, or at least not doing it yourself. But if you really want to (and/or for educational purposes), for a system like this I'd go for asymmetric encryption.

Basically, the idea is that you generate a public/private key pair, embed the public key in your application, and keep the private key on your server. In order to get registered, a copy of your application would send the serial number to your server. The PHP script on the server would check its database for that serial number, decide whether the registration is valid, and if it is, the server sends back the serial number encrypted with its private key. Your program can then use the public key to decrypt the message received, compare the decrypted version against the serial number, and if it matches, it can activate itself. Of course, this won't foil a (semi-)determined hacker, but it does eliminate the easiest way to get around the scheme you gave in your question, namely redirecting the request to a site which always returns a 1.

If you're worried about serial numbers traveling over the internet unencrypted, you could use the public key to encrypt the serial number before the program sends it to the server. And when the server responds, instead of sending back the encrypted serial number, it would send back (1) a random number generated on the server and (2) an encrypted hash of the random number and the serial number. Or use HTTPS, which does something similar. But if you're trying to protect against someone who has the means and motivation to intercept communications between your program and the server, you'll need more than just this simple scheme because that person almost certainly has more sophisticated tools at his/her disposal. In that case you would need a reputable commercial DRM system to have the best chance of protecting your program. And at that point, I'd ask yourself whether it's really worth it.

David Zaslavsky
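
The signed-response idea from the last answer, as an added Node.js example that is not code from any of the posters: an Ed25519 signature stands in for "encrypting with the private key", and the nonce is chosen by the client rather than by the server so that a recorded response cannot be replayed. The serial, the license table and all function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Constructed key pair: the private key stays on the server, the public key
// ships inside the application.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Constructed sample database: serial -> activation counter and limit.
const licenses = new Map([['ABCD-1234-EFGH', { activations: 0, limit: 2 }]]);

const newNonce = () => crypto.randomBytes(16).toString('hex');

// Bytes covered by the signature. Each field is length-prefixed so that
// verdict, serial and nonce cannot be shifted into one another.
function signedMessage(verdict, serial, nonceHex) {
  return Buffer.concat([verdict, serial, nonceHex].flatMap((field) => {
    const body = Buffer.from(field, 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(body.length);
    return [len, body];
  }));
}

// Server side (hypothetical handler): decide, count, then sign the decision.
function serverActivate(serial, nonceHex) {
  const entry = licenses.get(serial);
  const ok = entry !== undefined && entry.activations < entry.limit;
  if (ok) entry.activations += 1;
  const verdict = ok ? 'valid' : 'invalid';
  const sig = crypto.sign(null, signedMessage(verdict, serial, nonceHex), privateKey);
  return { verdict, signature: sig.toString('base64') };
}

// Client side: accept only a 'valid' verdict whose signature covers this
// serial and the nonce generated for this request.
function clientAccepts(response, serial, nonceHex, pubKey = publicKey) {
  if (!response || response.verdict !== 'valid') return false;
  try {
    const sig = Buffer.from(String(response.signature), 'base64');
    return crypto.verify(null, signedMessage('valid', serial, nonceHex), pubKey, sig);
  } catch {
    return false; // malformed signature or key
  }
}
```

A site that always answers "1" cannot produce the signature, and an old genuine response fails because the nonce differs. A client binary patched to skip the check is unaffected by any of this, as the first answer points out.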