Secure algorithm for creating license keys?
https://stackoverflow.com/questions/1015573
-
06-07-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I would like to distribute an application, but have license key that they can enter to unlock. What is a good algorithm to create a concise key that contains information about what version they have purchased, as well as additional things such as duration of license, etc.
I realize this protection can be cracked, but it keeps honest people honest. I may or may not implement online activation, but I am mainly concerned with a good way to generate these keys.
We have all seen this situation, what algorithm works best? Should I ask for a plaintext name of the user and use that to create a unique product key based off of their own information?
Is there a system that can be used to make it near impossible to generate a valid key?
Perhaps a public/private keypair encryption situation where only the manufacturer has the private key and the data can be validated by a public key, but the public key cannot be hijacked to create valid keys.
As this is a product key, it would be great if it were fairly short, 64 characters or maybe 128 max, but the shorter the better, 32 or less would be great.
Solution
You didn't say what platform you are on, but here's one in Microsoft .Net:
http://jclement.ca/devel/dotnet/reallysimplelicensing.html
This page documents a very simple licensing scheme that you can use with your .NET application. It is intended to be fairly secure, easy to implement and easy to extend. The sample version allows you to provide license files with a client name embedded in them but you can easily extend it to add other identifying information, machine bindings, expiry dates, etc.
This scheme makes use of Microsoft's RSA library and XML Signing. Basically you put whatever you want into an XML Document and sign that document. Then you can provide that file to your customer and the application can read the license information out of that file. Since the file is digitally signed the license file can NOT be tampered with unless you release your private key (which you really shouldn't do).
OTHER TIPS
No Internet Access and Shot Keys
Regarding serial key size, there is a trade off between short/human readable keys (less secure) and having long keys or possibly license files (more secure).
If you want short and human readable keys that allow you to store things such as expiration date and features, you could use SKGL together with Software Protector, which are both open source (https://help.cryptolens.io/faq/what-is-skgl).
However, the drawback is that they will most likely use symmetric cryptography and/or store the key generation algorithm inside the application. This means that the end user can attempt to find the encryption key and/or the algorithm (please see http://www.codeproject.com/Articles/764610/Licensing-systems-in-NET).
Internet Access (or offline with activation files)
A better alternative is to use a cloud based system that keeps track of all the license keys and allows you to modify them at any time.
If you have a web based licensing system, you can keep the keys shorter and not have to store information inside the actual key (which is the case with most offline based systems).
Moreover, you will be able to support more licensing models, for instance, subscription based model.
The solutions are:
build such system yourself - which will take a lot of time and distract you from the core features of the app.
use an existing open source system as the starting point - although it might be tempting since it's open source and free of charge, it will take time to bring them to the cloud + configure it to your particular needs + maintain it. the open source systems I've observed tend to be very broad in functionality, which contributes to complexity.
outsource to third party - the disadvantage is that most of them are not free of charge.
In my mind, the entire procedure should be outsourced to a third party that is specialized in developing that particular component. Once you scale, you might need to change the licensing logic. Instead of developing it yourself, chances are that the third party already supports that scenario.
There are several solutions out there (make sure to look for those that are web based), Cryptolens is one example. If you are developing a .NET application, here is step by step example: https://help.cryptolens.io/examples/key-verification.
Disclaimer: I'm the author of SKGL/Software Protector, the article about licensing systems, and Cryptolens.
