How can I create a Product Key for my C# App

Question

How can I create a Product Key for my C# Application?

I need to create a product (or license) key that I update annually. Additionally I need to create one for trial versions.

Thanks!

Related:

• How do I best obfuscate my C# product license verification code?
• Web-based license activation
• How do you protect your software from illegal distribution?
• Best activation key software for .NET application?

Answer 1

The trick is to have an algorithm that only you know (such that it could be decoded at the other end).

There are simple things like, "Pick a prime number and add a magic number to it"

More convoluted options such as using asymmetric encryption of a set of binary data (that could include a unique identifier, version numbers, etc) and distribute the encrypted data as the key.

Might also be worth reading the responses to this question as well

Answer 2

There are some tools and API's available for it. However, I do not think you'll find one for free ;)

There is for instance the OLicense suite: http://www.olicense.de/index.php?lang=en

Answer 3

You can do something like create a record which contains the data you want to authenticate to the application. This could include anything you want - e.g. program features to enable, expiry date, name of the user (if you want to bind it to a user). Then encrypt that using some crypto algorithm with a fixed key or hash it. Then you just verify it within your program. One way to distribute the license file (on windows) is to provide it as a file which updates the registry (saves the user having to type it).

Beware of false sense of security though - sooner or later someone will simply patch your program to skip that check, and distribute the patched version. Or, they will work out a key that passes all checks and distribute that, or backdate the clock, etc. It doesn't matter how convoluted you make your scheme, anything you do for this will ultimately be security through obscurity and they will always be able to this. Even if they can't someone will, and will distribute the hacked version. Same applies even if you supply a dongle - if someone wants to, they can patch out the check for that too. Digitally signing your code won't help, they can remove that signature, or resign it.

You can complicate matters a bit by using techniques to prevent the program running in a debugger etc, but even this is not bullet proof. So you should just make it difficult enough that an honest user will not forget to pay. Also be very careful that your scheme does not become obtrusive to paying users - it's better to have some ripped off copies than for your paying customers not to be able to use what they have paid for.

Another option is to have an online check - just provide the user with a unique ID, and check online as to what capabilities that ID should have, and cache it for some period. All the same caveats apply though - people can get round anything like this.

Consider also the support costs of having to deal with users who have forgotten their key, etc.

edit: I just want to add, don't invest too much time in this or think that somehow your convoluted scheme will be different and uncrackable. It won't, and cannot be as long as people control the hardware and OS your program runs on. Developers have been trying to come up with ever more complex schemes for this, thinking that if they develop their own system for it then it will be known only to them and therefore 'more secure'. But it really is the programming equivalent of trying to build a perpetual motion machine. :-)

Answer 4

Who do you trust?

I've always considered this area too critical to trust a 3rd party to manage the runtime security of your application. Once that component is cracked for one app, it's cracked for all apps. Happened to Discreet in 5 minutes once they went with a 3rd party license solution for 3dsMax years ago... Good times!

Seriously consider rolling your own for having complete control over your algorithm. If you do, consider using components in your key along the lines of:

• License Name - the name of client (if any) you're licensing. Useful for managing company deployments - make them feel special to have a "personalised" name in the license information you supply them.
• Date of license expiry
• Number of users to run under the same license. This assumes you have a way of tracking running instances across a site, in a server-ish way
• Feature codes - to let you use the same licensing system across multiple features, and across multiple products. Of course if it's cracked for one products it's cracked for all.

Then checksum the hell out of them and add whatever (reversable) encryption you want to it to make it harder to crack.

To make a trial license key simply have set values for the above values that translate as "trial mode".

And since this is now probably the most important code in your application/company, on top of/instead of obfuscation consider putting the decrypt routines in a native dll and simply pinvoke to it.

Several companies i've worked for have adopted generalised approaches on this to great success. Or maybe the products weren't worth cracking ;)

Answer 5

Whether it's trivial or hard to crack, I'm not sure that it really makes much of a difference.

The likelihood of your app being cracked is far more proportional to its usefulness rather than the strength of the product key handling.

Personally, I think there are two classes of user. Those who pay. Those who don't. The ones that do will likely do so with even the most trivial protection. Those who don't will wait for a crack or look elsewhere. Either way, it won't get you any more money.

Answer 6

if you are asking about the keys that you can type in likes windows product keys, then they are based on some checks. if you are talking about the keys that you have to copy paste, then they are based on digitial signature (private key encryption)

a simple product key logic could be to start with saying that product key is four 5 digit groups like abcde-fghij-kljmo-pqrst, and then go on to specify internal relationships like f+k+p should equal a, meaning the first digits of the 2, 3 and 4 group should total to a. this means that 8xxxx-2xxxx-4xxxx-2xxxx is valid, so is 8xxxx-1xxxx-0xxxx-7xxxx. Of course, there would be other relationships as well, including complex relations like, if the second digit of the first group is odd, then the last digit of the last group should be odd too. this way there would be generators for product keys and verification of product keys would simply check if it matches all the rules.

encryption are normally the string of information about the license encrypted using a private key (== digitally signed) and converted to base 64. the public key is distributed with the application. when the base64 string arrives, it is verified (==decrypted) by the public key and if found valid, the product is activated.

Answer 7

There is this option as well. After reading about it I really wish I could use it.

http://www.microsoft.com/slps/

I really like the idea of blocking parts of code based on the license. Hot stuff, and the most secure for .net. Interesting read even if you dont use!

Microsoft® Software Licensing and Protection (SLP) Services is a software activation service that enables independent software vendors (ISVs) to adopt flexible licensing terms for their customers. Microsoft SLP Services employs a unique protection method that helps safeguard your application and licensing information allowing you to get to market faster while increasing customer compliance.

Note; this is the only way I would release a product with sensitive code (such as a valuable algorithm).

Answer 8

I have to admit I'd so something rather insane.

1. Find a CPU bottleneck and extract it to a P/INVOKEable dill.
2. As a post build action, encrypt part of the DLL with an XOR encryption key.
3. Select a public/private key scheme, include public key in DLL
4. Arrange so that decripting the product key and XORing the two halves together results in the encryption key for the DLL.
5. In the DLL's DllMain code, unprotect (PAGE_EXECUTE_READWRITE) and decript with key.
6. Make a LicenseCheck method that makes a sanity check of the license key and parameters, then checksums entire dll, throwing license violation on either. Oh, and do some other initialization here.

When they find and remove the LicenseCheck, what fun will follow when the DLL starts segfaulting.

Answer 9

Use a strong cryptographic licensing system based on public/private keys. Consider CryptoLicensing - it supports full as well as trial licenses.

Answer 10

If you want a simple solution just to create and verify serials try Ellipter It uses elliptic curves cryptography and has an "Expiration Date" feature so you can create trial verisons or time limited registration keys.

Answer 11

Another good inexpensive tool for product keys and activations is a product called InstallKey. Take a look at www.lomacons.com