I am thinking I’ll just create a list of product keys and issue one of these keys to the customer when they make a purchase. In the app I’m selling I’ll have code that checks the key to see if it meets some scheme I’ll come up with. I know if it is decompiled that the scheme will be known but it sounds like it’s not worth worrrying about that.

First, it appears that it does not matter how you impliment a product key protection scheme for your app as there will always be a group of hackers who will decomplie your app to learn how the product key protection scheme works.

Second, it appears that the next group of hackers may not go to the trouble to decompile but spent time trying to crack the scheme used to create the product key itself.

I read where one way to keep the hackers at bay is to “patch” (whatever that means) the app so that the product key protection scheme is changed regularly in some small way. Does not doing this break the keys issued for earlier “patched versions” of the app?

I am thinking I’ll just create an app to generate a list of product keys and issue one to the customer when they make a purchase. In the app I’ll have code that checks the key to see if it meets some scheme I’ll come up with. I know if it is decompiled that the scheme will be known but it sounds like it’s not worth worrrying about that.

Any thoughts on my thoughs?
TD

Yeah, I liked the cryptography advice in “Blue Skies for Everyone”, though you kinda have to read between the lines to get it.

Also, I heard Bruce Schneier had his own rock and roll song steganographically embedded into the text of Applied Cryptography. Who would have thunk it?

:)

Best regards

I’m particularly concerned about allowing the legitimate user to use the software from more than on location (laptop, home etc), but not allowing duplicate users on the same license – hence license server.

Anyway, Justin: you are right. What Patrick means (I think :) ) is to use a signature and to check that signature with the public key. I’m also not quite sure why you’d need to use a hash of the identifying data or the relevance of the md5 remark. As far as I can tell (and how I’ve implemented it :) ) it’s enough to make a signature of the username and any eventual other identifying information. You then check the signature with the public key which you’ve embedded in your application.

i think only assymetric cryptography SIGNATURES can prevent forged license codes. the license code should be digitally signed (not encrypted) by the software publisher using a private secret key. then the software embeds the public key and verifies the signature. inspecting the code won’t help hackers because they’ll only find the public key there, and that is not enough to generate a signature. in other words, the product key becomes [serialNumCapabilities]+[SignatureOfPrevious]. the problem is that an RSA 512 bit key signature is 103 base32 characters, which is cumbersome for the user to type in.

Just wanted to say that this is a very good article and covers a lot of stuff that people need to know. It should probably be listed on the BoS wiki. I wrote my own registration component using a symmetric encryption technique rather than the asymmetric method of public key encryption, which seems sufficient unto my needs. I wrote the article up here: http://www.lazarusid.com/how-lazarus-registration-works.html