views:

1305

answers:

5

Hi,

I am trying to create a unique CD-KEY to put in our product's box, just like a normal CD-KEY found in standard software boxes that users use to register the product.

However we are not selling software, we are selling DNA collection kit for criminal and medical purposes. Users will receive a saliva collection kit by mail with the CD-KEY on it and they will use that CD-KEY to create an account on our website and get their results. The results from the test will be linked to the CD-KEY. This is the only way that we will have to link the results to the patients. It is therefore important that it does not fail :)

One of the requirements would be that the list of CD-KEYs must be sufficiently "spread" apart so that there is no possibility of someone entering an incorrect CD-KEY and still having it approved for someone else kit, thereby mixing up two kits. That could cost us thousands of dollars in liability.

For example, it cannot be a incremental sequence of numbers such as
00001
00002
00003
...
The reason is that if someone receives the kit 00002, but registers it as 000003 by accident, then his results will be matched to someone else. So it must be like credit card numbers... Unless a valid sequence is entered, your chances of randomly hitting a valid number is 1 in a million...

Also, we are selling over 50,000 kits annually to various providers (who will generate their own CD-KEYS using our algorithm) so we cannot maintain a list of all previously issued CD-KEYS to check for duplicate. The algorithm must generate unique CD-KEYs.

We also require the ability to verify that the CD-KEY is valid using a quick check algorithm, so that we can inform the user if the code he enters is invalid. This leaves out many hashing or MD5 algorithms I believe. And it cannot be a 128 bit because, who would take that time to type it out on the computer screen?

So far this is what I was thinking the final CD-KEY structure would look like

(4 char product code) - (4 char reseller code) - (12 char unique, verifiable CD-KEY)

Ex. 384A - GTLD - {4565 - FR54 - EDF3}


To insure the uniqueness of the KEYS, I could include the current date (20090521) as part of the source. We wont generate unique keys more than once a week, so this value changes often enough for the purpose of unique initial value.

What possible algorithm can I use to generate the unique keys?

A: 

Credit Card numbers use the Luhn algorithm you might want to look at something similar to that.

Tom
The Verhoeff algorithm reference there looks much better in that it will catch transpozition errors.
JonnyBoats
+1  A: 

I use SeriousBit Ellipter link for software protection but I don't see any reason you could generate a group of unique keys each week and us the library to verify the key validity when entered into your web site. You can also encode optional services into the key allow you to control how the sample is processed from the key (that's if you have different service levels).

As it uses an encrypted method of key generation in the first place and it's relatively cheap, it's certainly worth a look I would say.

Lazarus
Thanks for the suggestion. I tried the trail and I was a bit disappointed. If I change the serial number at the end 00001, 00002, etc. the cd-key it returns has only 1 value in it that is changed.
Alexandre H. Tremblay
A: 

Use a substring of a GUID. Or an MD5 of a GUID if you want it to be shorter and almost guaranteed random.

ck
-1 GUID substrings are not guaranteed to be unique!! - http://blogs.msdn.com/oldnewthing/archive/2008/06/27/8659071.aspx
Miky Dinescu
@Miky D - that's why I suggested using the MD5 of a GUID. ALso, I don't think these are going to be generated in a particularly high volume, so the likelihood of clashing is low
ck
A: 

Generate GUID and catenate a random number to it. GUID is guaranteed to be unique and random number will make it improbable to hit a code accidentally. Just don't modify the GUID in any way or you might compromise the uniqueness.

http://msdn.microsoft.com/en-us/library/aa475087.aspx

abababa22
+2  A: 

Create the strings <providername>000001, <providername>000002, etc. or whatever and encrypt them with a public key, and that's your "CD-KEY" that the user enters. Decrypt the CD-KEY with the private key and validate that when decrypted you get a valid string with a valid provider name.

Die in Sente
Thanks this is exactly what I was looking for.
Alexandre H. Tremblay
Don't you mean encrypt with a private key, decrypt with a public key?
Cam