Secure algorithm for creating license keys?




I would like to distribute an application, but have a license key that they can enter to unlock it. What is a good algorithm to create a concise key that contains information about what version they have purchased, as well as additional things such as duration of license, etc.



I realize this protection can be cracked, but it keeps honest people honest. I may or may not implement online activation, but I am mainly concerned with a good way to generate these keys.



We have all seen this situation, what algorithm works best? Should I ask for a plaintext name of the user and use that to create a unique product key based off of their own information?



Is there a system that can be used to make it near impossible to generate a valid key?



Perhaps a public/private keypair encryption situation where only the manufacturer has the private key and the data can be validated by a public key, but the public key cannot be hijacked to create valid keys.



As this is a product key, it would be great if it were fairly short, 64 characters or maybe 128 max, but the shorter the better, 32 or less would be great.





If you're distributing standalone software that people are going to want without paying for it, it's going to get cracked. The only way I can think of reliably getting around that is to create something that depends on a server that you control.
– geofftnz
Jun 18 '09 at 22:56





+1. I think "keeping honest people honest" is the right mind set to approach this problem. Nothing can be cryptographically secure, but having some sort of unique key or number for each license can actually make it easier for business customers to account for their software, and that adds value to your product. Onerous DRM (that doesn't work) aimed at thwarting criminals (who'd never pay anyway) is just an obstacle to paying customers.
– erickson
Jun 18 '09 at 23:01





@erickson unless you screw up royally, it's relatively easy to make things cryptographically secure. What's not secure is the execution environment. If users can modify the memory on their machine, they can bypass your encryption.
– Paul McMillan
Feb 15 '10 at 11:32





@Paul - Most developers screw up cryptography royally. For example, you are talking about encryption when the application requires authenticity rather than privacy. Anyway, when I say "cryptographically secure", I'm including the key management as central to the security of the required cryptographic operation. You can't have security when your protocol requires giving the key to the attacker.
– erickson
Sep 7 '11 at 17:13




2 Answers
2



You didn't say what platform you are on, but here's one in Microsoft .Net:



http://jclement.ca/devel/dotnet/reallysimplelicensing.html



This page documents a very simple licensing scheme that you can use with your .NET application. It is intended to be fairly secure, easy to implement and easy to extend. The sample version allows you to provide license files with a client name embedded in them but you can easily extend it to add other identifying information, machine bindings, expiry dates, etc.

This scheme makes use of Microsoft's RSA library and XML Signing. Basically you put whatever you want into an XML Document and sign that document. Then you can provide that file to your customer and the application can read the license information out of that file. Since the file is digitally signed the license file can NOT be tampered with unless you release your private key (which you really shouldn't do).





This could be easily adapted to other platforms.
– Alex S
Jun 18 '09 at 23:18
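The signed-license idea from the question and the answer above, carried in a typeable key instead of an XML file, as an added example that is not code from the linked page or from any poster. It swaps RSA/XML signing for Ed25519 from Go's standard library; the 9-byte payload layout, `Issue`, `Verify` and the demo keypair are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
)

// License is the data carried in the key; this 9-byte layout is the example's own.
type License struct {
	Edition uint8  // purchased version, e.g. 1 = standard, 2 = pro
	Serial  uint32 // customer or order number
	Expiry  uint32 // last valid day, in days since the Unix epoch; 0 = perpetual
}

const payloadLen = 9
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// Constructed demo keypair. Only demoPub would be embedded in the shipped application.
var demoPub, demoPriv, _ = ed25519.GenerateKey(nil) // nil selects crypto/rand

// Issue runs on the vendor side: serialize the license, then append its signature.
func Issue(priv ed25519.PrivateKey, l License) string {
	buf := binary.BigEndian.AppendUint32([]byte{l.Edition}, l.Serial)
	buf = binary.BigEndian.AppendUint32(buf, l.Expiry)
	return b32.EncodeToString(append(buf, ed25519.Sign(priv, buf)...))
}

// Verify runs in the application: signature first, and only then trust the fields.
func Verify(pub ed25519.PublicKey, key string, today uint32) (License, error) {
	raw, err := b32.DecodeString(key)
	if err != nil || len(raw) != payloadLen+ed25519.SignatureSize ||
		!ed25519.Verify(pub, raw[:payloadLen], raw[payloadLen:]) {
		return License{}, errors.New("malformed or forged key")
	}
	l := License{raw[0], binary.BigEndian.Uint32(raw[1:]), binary.BigEndian.Uint32(raw[5:])}
	if l.Expiry != 0 && today > l.Expiry {
		return License{}, errors.New("license expired")
	}
	return l, nil
}

func main() {
	key := Issue(demoPriv, License{Edition: 2, Serial: 1001}) // Expiry 0: perpetual
	l, err := Verify(demoPub, key, 20000)                     // 20000: a constructed "today"
	fmt.Println(len(key), key, l, err)
}
```

The resulting key is 117 base32 characters: under the question's 128-character ceiling, but well above the 32 it hopes for, because the 64-byte signature dominates the length whatever the payload holds.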



Regarding serial key size, there is a trade-off between short/human readable keys (less secure) and having long keys or possibly license files (more secure).



If you want short and human readable keys that allow you to store things such as expiration date and features, you could use SKGL together with Software Protector, which are both open source (https://help.cryptolens.io/faq/what-is-skgl).



However, the drawback is that they will most likely use symmetric cryptography and/or store the key generation algorithm inside the application. This means that the end user can attempt to find the encryption key and/or the algorithm (please see http://www.codeproject.com/Articles/764610/Licensing-systems-in-NET).



A better alternative is to use a cloud based system that keeps track of all the license keys and allows you to modify them at any time.



If you have a web based licensing system, you can keep the keys shorter and not have to store information inside the actual key (which is the case with most offline based systems).



Moreover, you will be able to support more licensing models, for instance, a subscription-based model.



The solutions are:



build such a system yourself - which will take a lot of time and distract you from the core features of the app.



use an existing open source system as the starting point - although it might be tempting since it's open source and free of charge, it will take time to bring them to the cloud + configure it to your particular needs + maintain it. The open source systems I've observed tend to be very broad in functionality, which contributes to complexity.



outsource to a third party - the disadvantage is that most of them are not free of charge.



In my mind, the entire procedure should be outsourced to a third party that is specialized in developing that particular component. Once you scale, you might need to change the licensing logic. Instead of developing it yourself, chances are that the third party already supports that scenario.



There are several solutions out there (make sure to look for those that are web based), Cryptolens is one example. If you are developing a .NET application, here is a step-by-step example: https://help.cryptolens.io/examples/key-verification.



Disclaimer: I'm the author of SKGL/Software Protector, the article about licensing systems, and Cryptolens.





