Originally Posted by yupstrips
How are Software License Keys generated?
License Keys are the de facto standard as an anti-piracy measure. To be honest this strikes me as (in)Security Through Obscurity, although I really have no idea how License Keys are generated. What is a good (secure) example of License Key generation? What cryptographic primitive (if any) are they using? Is it a message digest? If so what data would they be hashing? What methods do developers employ to make it difficult for crackers to build their own key generators? How are key generators made?
The idea is that your programme knows a value that the user needs to have available in order to use the programme.
Let's say your programme looks for a "licence key" value of 123 to be stored in a certain field, or to be kept in a file, or to be kept in the registry somewhere.
If a user can determine which value your programme is checking, he can use copies of your programme without authorisation.
So instead of using a specific value of 123, look for, say, the HDD number of the client machine. This is generally different on all machines - well, sufficiently different that any 2 PCs are likely to have different HDD numbers.
If a user determines that the number required IS the HDD number, then the system is defeated. Moreover, you most likely do not know the user's HDD number, anyway. You aren't likely to personally install your program on a user's PC.
So instead, if you get the user to send you his HDD number, and you process this in a way that is hard for the user to determine, and then send him back the result as his "licence key" - your programme can do the same thing. Read the HDD, process it, and see if the result is what you expected. If it is, the user can continue. If not, terminate the application.
So the licence key you issue to your user works on his machine, but probably doesn't work on another machine, and he most likely can't work out what you did to produce the licence key from his HDD.
Now you can do this either by encryption, or by hashing. Encryption is producing an encoded result, which can then be reversed to recover the original. This cannot be done with hashing. Instead, with hashing the same steps have to be taken, and the hashed result compared with the expected hashed result.
It becomes a bit trickier if you want to build in an expiry date. With encryption, such as Vigenère (basically this is a complex alphabetic Caesar shift cipher), you can include in the plaintext a licence expiry date as well as the HDD. After decrypting the result you recover the original data, the HDD and the expiry date.
Now, you can't manage an expiry date so easily with hashing alone. With hashing, you cannot recover the original string that produced the final hash result, so you can't determine the expiry date directly from the hash key. You can use a combination of encryption techniques and hashing.
You can download code to implement either of these methods. (MD5 hash, or a Vigenère cipher)
Whatever you do, your programme needs to include code either to duplicate the steps that you take to transform a message from the user into a licence key, or to reverse the encryption of the licence key back to the original data - most likely a combination of both.
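The scheme described in the post above, as an added sketch that is not part of the original post: the key binds the HDD number to an expiry date, and the program repeats the computation to check it. HMAC-SHA256 stands in for the MD5 and Vigenère steps the post mentions, the expiry date travels in the clear next to the keyed hash instead of being encrypted, and `VENDOR_SECRET`, `issue_key`, `check_key` and the serial numbers are hypothetical names and constructed values.

```python
import hashlib
import hmac
from datetime import date, datetime

# Constructed demo secret (assumption). The shipped program must hold the
# same value, because it repeats the vendor's computation.
VENDOR_SECRET = b"constructed-demo-secret"


def _tag(hdd_serial: str, expiry: date) -> str:
    """Keyed hash over the normalised HDD number and the expiry date."""
    msg = f"{hdd_serial.strip().upper()}|{expiry.isoformat()}".encode()
    return hmac.new(VENDOR_SECRET, msg, hashlib.sha256).hexdigest()[:20].upper()


def issue_key(hdd_serial: str, expiry: date) -> str:
    """Vendor side: build the key from the HDD number the user sent in."""
    return f"{expiry:%Y%m%d}-{_tag(hdd_serial, expiry)}"


def check_key(key: str, local_hdd_serial: str, today: date) -> str:
    """Program side: read the local HDD number, repeat the steps, compare."""
    supplied = key.strip().upper()
    try:
        stamp, _ = supplied.split("-", 1)
        expiry = datetime.strptime(stamp, "%Y%m%d").date()
    except ValueError:
        return "malformed"
    # Rebuild the whole key for this machine and the claimed expiry date.
    # Editing the date or moving the key to another disk changes the tag.
    expected = issue_key(local_hdd_serial, expiry)
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "invalid"
    return "expired" if today > expiry else "valid"


if __name__ == "__main__":
    serial = "WD-WX41A1234567"  # constructed sample HDD number
    licence = issue_key(serial, date(2030, 12, 31))
    print(licence)
    print(check_key(licence, serial, date(2025, 1, 1)))             # valid
    print(check_key(licence, "OTHER-DISK-0001", date(2025, 1, 1)))  # invalid
    print(check_key(licence, serial, date(2031, 1, 1)))             # expired
```

Because the check repeats the vendor's computation, the secret ships inside the program, which is the dependency the post's last paragraph describes. A public-key signature over the same fields would let the program verify a key without containing what is needed to issue one.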