I've been asked to develop a key generation/validation system for some software. They would also be open to a developed open source or commercial system, but would prefer a system from scratch. Online activation would have to optional, since it is likely that some installations would be on isolated servers. I know there is kind of a user/security complex with a lot of anit-piracy techniques. So I guess I'm asking what software, libraries, and techniques are out there? I would appreciate personal knowledge, web sites, or books.
A:
If you take the hash of something, it will result (ideally) in an unpredictable string of characters.
You could have an algorithm be to take the SHA1 of something predictable (like sequential numbers) concatenated with a sufficiently long salt. Your keys would be really secure as long as your salt remains a permanent secret and SHA1 is never breached.
For example, if you take the SHA1 of "1" (your first license key) and a super secret salt "stackoverflow8as7f98asf9sa78f7as9f87a7", you get the key "95d78a6331e01feca457762a092bdd4a77ef1de1". You could prepend this with version numbers if you want.
If you want online authorization, you need three things:
- To ensure that the response cannot be forged
- To ensure that the request cannot be forged
- To ensure that if Internet is unavailable, you take appropriate action
Public key cryptography can help with items one and two. Even Photoshop CS4 has problems with item 3, that's a tricky one.
Eli
2010-01-24 03:50:25
A unique ID and salt would be a must. What makes me nervous is that if I do offline verification my secret has to be in code.
kevin52408
2010-01-24 17:01:37
Yeah, and offline verification makes it trickier to change things later (like adding and removing serials). If at all possible, I'd try to do online. Just remember, if people try hard enough, they will figure out how to crack the code. Photoshop is Adobe's biggest cash cow and it's usually cracked nearly immediately after launch. I think being nice to your users, charging reasonable rates, and offering good customer support are the best anti-piracy techniques available.
Eli
2010-01-24 18:06:00
A:
I'm biased - given that the company I co-founded developed the Cobalt software licensing solution for .NET - but I'd suggest you go with a third-party solution rather than rolling your own.
Take a look at the article Developing for Software Protection and Licensing, which makes the following point:
We believe that most companies would be better served by buying a high-quality third-party licensing system. This approach will free your developers to work on core functionality, and will alleviate maintenance and support costs. It also allows you to take advantage of the domain expertise offered by licensing specialists, and avoid releasing software that is easy to crack.
Another advantage to buying a third-party solution is that you can quickly and easily evaluate it for suitability; with an in-house system you have to pay in advance for the development of a system that may not prove adequate for your needs. Choosing an high-quality third party system dramatically reduces the risk involved in developing a solution in-house.
If you're dead set on rolling your own, a word of advice: test on the widest range of client systems possible. Real-world hardware is weird, and Windows behaviour varies quite dramatically in some ways between versions.
You'll almost certainly have to spend a lot of time ironing the creases out of whatever hardware identification system you implement.
Duncan Bayne
2010-01-27 04:42:13
Since right now I'm just trying to do a survey it doesn't really matter to me if you are biased. ;) Thanks for the links and info.
kevin52408
2010-01-27 17:33:38