开发者

Looking for a license key algorithm [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.

Want to improve this question? Update the question so it focuses on one problem only by editing this post.

开发者_运维技巧

Closed 7 years ago.

Improve this question

There are a lot of questions relating to license keys asked on Stack Overflow. But they don't answer this question.

Can anyone provide a simple license key algorithm that is technology independent and doesn't required a diploma in mathematics to understand?

The license key algorithm is similar to public key encryption. I just need something simple that can be implemented in any platform .NET/Java and uses simple data like characters.

Answers written as Pseudo code are perfect.

So if a person presents a string, a complementary string can be generated that is the authorisation code. Below is a common scenario that it would be used for.

  1. Customer downloads software which generates a unique key upon initial startup/installation.
  2. Software runs during trial period.
  3. At end of trial period an authorisation key is required.
  4. Customer goes to designated web-site, enters their code and get authorisation code to enable software, after paying :)

Don't be afraid to describe your answer as though you're talking to a 5yr old as I am not a mathematician.


There is no reliable licensing algorithm. Really. Not even one. For the most popular, most expensive proprietary software you can buy, you can also find "key generators" and hacked versions that don't require licensing.

Instead of worrying about making it "unbreakable", just do something simple. A popular mechanism is to, at purchase, ask for the user's name, and then give him a license key that's derived from a cryptographic hash (e.g. MD5 sum) of the user's name, or some variation on it. Then, in the software you ask for their name again, plus the registration key (that MD5-derived thing); you check to see that they match, which activates the software.

Can this be hacked? Absolutely. Once someone figures out how you're generating the license keys, they can generate their own. But if you keep a database of the "official" license keys you've generated so far, at least you'll be able to identify the fraudsters later on (perhaps when they try to download "premium" content or something).

But don't worry so much about stopping the hackers from cracking your code. It's going to happen, but they're such a tiny part of the market that it won't significantly affect your overall sales.


I use a system like this:

• create a string from windows licence key + trial period end date

• generate a hash (Sha/md5) from the string

• convert the trial end date to an int (e.g. Number of days)

• the key becomes trial end date + some part of the hash

• convert the key to only uppercase characters to make it easier to enter

ABCD-DEFG-HIJK...

the validation works like

• convert key to bytes again

• extract trial end date

• create string from windows licence key + trial end date

• hash

• compare hash with rest of key

this makes it difficult enough for my audience.


The answer is that no, there isn't a secure license key algorithm that doesn't require a mathematical diploma to understand.

The best license keys are the ones digitally signed with an asymmetric encryption algorithm. You sign the key data with a private encryption key and embed the signature in the key, and the key validation (which implies signature verification among other things) is done with a public key. This way, no one can create license keys unless they have access to the private key which is...private. The problem is that there are very few (and difficult) algorithms which have sufficiently short signature sizes to be embedded in a product key. RSA is not one of them (signature size for RSA512 is 1024 bits - too much).

You can check out SoftActivate Licensing SDK it uses elliptic curve cryptography to generate short, digitally signed license keys (C++/C# source code is available).


In all honesty, what you're trying to do is pointless. However much time it takes you to write a validation/encryption/key system, estimate roughly half that for someone to break it. Even if you encrypt the final executable. However, as a delaying measure or a way to decrease the chance of people getting premium support for stolen copies, it will help. Also for simple tracking of buyers. Or for fun. :p

Anyway, there are a few ways you can handle it. A lot of software uses name (and possibly company) string(s) and a hash function to generate a key. This has the advantage of being constant (as long as the name is the same, the hash is, and so the key is). It is also a very simple system, especially if you use a well-known hash such as MD5.

hash = md5(name);

Some fancier apps use an internal function to generate a validation code of some sort, and when you combine that and the given name, you can create (and send back) a hash.

validCode = getCode(name);
hash = myHash(name ^ validCode);

A few use a system-based code (Windows is a good example), where it samples bits of hardware and builds an identifier from that. If you can get ahold of the processor name or speed, or anything else, you can run something like that. The only problem is system changes can render a code invalid, so you can either warn your users (and give away part of the process) or let them find out accidentally (not good).

sysID = processor_name() | ram_Speed();
hash = md5(sysID & name);

You can use any combination of hash functions, data gets, string inputs, boolean operations, etc. One thing to consider is you don't need to be able to reverse the process. As long as you can replicate it with the same results (any good hash function can), you can check the hashed results against each other and make sure it's valid. The more you put in, the more complicated it'll be, but the harder it'll be to crack.

Hopefully that helps with your question.


In matters of security, not reusing a well known and tested algorithm and trying to create your own (lacking mathematical knowledge) is suicidal

Disclosure: I completely lack the mathematical degree to create such algorithm, and being frank, I don't personally know anyone who has it


Since any algorithm you make is going to get broken i would do something simple like this:

const string secretMumboJumbo = "sdfkldafskjlfajmkldsfjaewumaskldfladkkldsfklj"

//For you to generate keys
string GenerateLicenceKey(int idNr)
{
    return Sha1Hmac(key=secretMumboJumbo, messageToEncode=idNr)
}

//For clients to check if key is valid, 
bool IsKeyValid(string key)
{
   for(int i=0;i<maxNrOfLicenceKeys;i++)
      if(key == GenerateLicenceKey(i))
         return true;
   return false;
}

Maybe the checking could become too slow because it has to try every possible key but that could also be a good thing to avoid brute forcing.

Most frameworks should have an HMAC-function for SHA1 or some other hash function. Worse case you could replace this with md5(key+id)

Don't take this algorithm too seriously, it's just an example and it can probably be broken very easily as the generation-key has to be included in the client, even though it's hidden in the binary somewhere.


License keys are fairly useless in my honest opinion.
What's to stop your customer from distributing that key to others? Sure you could setup a license key server that records the number of activations but that costs money and what will happen if it goes down or goes away?

In my professional opinion, create a software that is branded uniquely to a user (encrypted inside the program of course). For example, if you goto help -> about of the software then display the person's name, phone, and possibly their address. This way if they upload it to a pirate site of some kind, not only will other people know this guys personal information...but so will you in order to charge him for more licenses or sue him.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜