Go Back   Access World Forums > Microsoft Access Reference > Access FAQs

 
Reply
 
Thread Tools Rate Thread Display Modes
Old 04-24-2013, 01:48 AM   #1
gemma-the-husky
Super Moderator
 
gemma-the-husky's Avatar
 
Join Date: Sep 2006
Location: UK
Posts: 13,462
Thanks: 51
Thanked 949 Times in 918 Posts
gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all
Securing A Database - License Key

Here's a general idea for securing a database.

You need

an encryption/decryption technique
a utility to change an encrypted byte string into a (longer) hex string (for presentation purposes)
a MD5 (say) one-way hashing algorithm
a utility to get a "secret" from your machine - say the HDD number

all of these things are available for download.


First - you need to put this into an mde/accde, as obvioulsy it's no good if users can see your code.

Now you need some "secret" you want to protect. Say you want an expiry date for your aplication. You also may want to read something unique to the machine - maybe the HDD code.

put the date and HDD code together into a string - you could interleave or process these in any way you want

Now, encrypt this again using your encryption technique. A simple xor system may be sufficient, although there are more complex methods.

Turn the resultant string into a Hex String - it's better to get printable chars than strange non-printable chars.

In order to do this all remotely, your client/installation presents this string to you.

now take a MD5 hash of the HEX string

take a few characters from selected positions in the MD5 hash, and insert them into your hex string to make a longer HEX string

this is the license key you issue to your users, which does not now need to be hidden from users - they need to see this one

encrypt it all again, if you want, and turn it into another Hex string.

send this string back to your users

--------

so - to use the licence key

-decrypt the licence key, if you encrypted it again

- take out the MD5 characters you inserted into the string in the first place, and store them in a variable

- this leaves you with the original encrypted string, and the characters you just stripped out. Now do a MD5 of the encrypted string, and make sure it gives you the same check characters. If it doesn't reject the string

The likelihood of someone working out which characters you added to the string from the MD5 hash to produce the final string are negligible, I would think, but if you obfuscated further by re-encrypting the entire string, it becomes pretty random.

- this now leaves you with the original encrypted stuff, which you can reverse to recover the original license date, and machine HDD, which you test to make sure the license date has not expired, and the HDD is correct.

----
the main thing here is the MD5 hash. MD5's are one way functions. Knowing the final MD5 hash does not help you recover the original string that produced it. There are databases to test MD5's - which is why you need to start with a pretty random string in the first place.

If you just took an MD5 of a date, I suspect the databases would have this stored in their records.

HDD's are not unique, but are random enough for your database to not automatically be able to be run on any other random machine - but there are other secrets you could lift off your machine, if you want something else. HDD is quicker to get at than some things though.

This whole validation process is very fast, and produces no noticeable delay.


-----
obviously your database has to include all the code necessary to reverse all these processes - so reverse engineering code could identify all the steps you took to encrypt everything. The only way round this I suppose is to require an active online connection - to do some of this checking away from the client's machine, but I suspect this would be taking it all too far.


I hope this helps.

__________________
Dave (Male!)
Gemma was my dog

if a poster helps you, please click the scales at the top right of this posting, or use the thanks button alongside.
gemma-the-husky is offline   Reply With Quote
The Following User Says Thank You to gemma-the-husky For This Useful Post:
Rx_ (03-31-2016)
Old 04-28-2013, 01:53 AM   #2
Lehti
Newly Registered User
 
Join Date: Apr 2013
Posts: 5
Thanks: 0
Thanked 0 Times in 0 Posts
Lehti is on a distinguished road
Re: Securing A Database - License Key

Maybe it's not relevant, but what happens if the final user changes his machine's date to one prior to the expiry? Will the database resume working?
Lehti is offline   Reply With Quote
Old 05-02-2013, 02:23 AM   #3
gemma-the-husky
Super Moderator
 
gemma-the-husky's Avatar
 
Join Date: Sep 2006
Location: UK
Posts: 13,462
Thanks: 51
Thanked 949 Times in 918 Posts
gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all
Re: Securing A Database - License Key

Quote:
Originally Posted by Lehti View Post
Maybe it's not relevant, but what happens if the final user changes his machine's date to one prior to the expiry? Will the database resume working?

yes - one way is to build in something that sets an expired flag on expiry - and test that in case the date was reset. so then you have to find a way of obfuscating that flag, too!

The idea was more about the general principle of how to protect a database

__________________
Dave (Male!)
Gemma was my dog

if a poster helps you, please click the scales at the top right of this posting, or use the thanks button alongside.
gemma-the-husky is offline   Reply With Quote
The Following User Says Thank You to gemma-the-husky For This Useful Post:
Steve C (05-04-2013)
Old 05-01-2013, 08:42 AM   #4
speakers_86
I am jack's comment.
 
speakers_86's Avatar
 
Join Date: May 2007
Location: JBLM, Wa
Posts: 1,919
Thanks: 11
Thanked 157 Times in 119 Posts
speakers_86 will become famous soon enough
Re: Securing A Database - License Key

I believe AJ Trumpet posted a working sample of a license key system.
__________________
If you look, you can find anything.
Google is your friend.

To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.


~~~~~~~~~~~~~~~~~~~~~~~~~~~
Access 2010 screw this! I went back to 2007
Windows 7
speakers_86 is offline   Reply With Quote
Old 02-22-2017, 10:55 AM   #5
maheshashish
Newly Registered User
 
Join Date: Feb 2017
Posts: 20
Thanks: 4
Thanked 0 Times in 0 Posts
maheshashish is on a distinguished road
Re: Securing A Database - License Key

Quote:
Originally Posted by speakers_86 View Post
I believe AJ Trumpet posted a working sample of a license key system.
Hi can you please provide link for that any working sample I had searched all over google but could not find any working sample
maheshashish is offline   Reply With Quote
Old 05-04-2013, 03:23 PM   #6
Steve C
Newly Registered User
 
Join Date: Jun 2012
Posts: 120
Thanks: 51
Thanked 5 Times in 5 Posts
Steve C is on a distinguished road
Re: Securing A Database - License Key

Hi GTH, Peter's Software say that resetting the computer date doesn't fool Keyed Access. They call the feature "bullet proofing". I haven't tested it.

Thank you for this Post
Steve C is offline   Reply With Quote
Old 11-17-2014, 01:52 AM   #7
SultanSaleem
Newly Registered User
 
Join Date: Nov 2014
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
SultanSaleem is on a distinguished road
Re: Securing A Database - License Key

Maybe it's not relevant, but what happens if the final user changes his machine's date to one prior to the expiry? Will the database resume working?



_________________


Last edited by SultanSaleem; 12-15-2014 at 04:39 AM.
SultanSaleem is offline   Reply With Quote
Old 11-18-2014, 08:01 AM   #8
gemma-the-husky
Super Moderator
 
gemma-the-husky's Avatar
 
Join Date: Sep 2006
Location: UK
Posts: 13,462
Thanks: 51
Thanked 949 Times in 918 Posts
gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all
Re: Securing A Database - License Key

Quote:
Originally Posted by SultanSaleem View Post
Maybe it's not relevant, but what happens if the final user changes his machine's date to one prior to the expiry? Will the database resume working?



_________________
Johni Imtiaz..!!
yes - see #4

but if you build it yourself, you can add whatever features you like, and it's free.
__________________
Dave (Male!)
Gemma was my dog

if a poster helps you, please click the scales at the top right of this posting, or use the thanks button alongside.
gemma-the-husky is offline   Reply With Quote
Old 04-08-2015, 10:57 PM   #9
Jalnac74
Newly Registered User
 
Join Date: Apr 2015
Location: NW England
Posts: 19
Thanks: 18
Thanked 0 Times in 0 Posts
Jalnac74 is on a distinguished road
Re: Securing A Database - License Key

Hi

GTH - I need to do exactly what you said in your OP but haven't got the faintest idea what most of what you said is....is there any free to use code that could do this for me?
Jalnac74 is offline   Reply With Quote
Old 04-15-2015, 04:57 PM   #10
gemma-the-husky
Super Moderator
 
gemma-the-husky's Avatar
 
Join Date: Sep 2006
Location: UK
Posts: 13,462
Thanks: 51
Thanked 949 Times in 918 Posts
gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all
Re: Securing A Database - License Key

have a look at this thread

http://www.access-programmers.co.uk/....php?p=1379374
__________________
Dave (Male!)
Gemma was my dog

if a poster helps you, please click the scales at the top right of this posting, or use the thanks button alongside.
gemma-the-husky is offline   Reply With Quote
The Following User Says Thank You to gemma-the-husky For This Useful Post:
Jalnac74 (04-16-2015)
Old 02-15-2016, 08:38 PM   #11
qupe
Newly Registered User
 
Join Date: Feb 2016
Posts: 39
Thanks: 4
Thanked 0 Times in 0 Posts
qupe is on a distinguished road
Re: Securing A Database - License Key

thanks for your effort
qupe is offline   Reply With Quote
Old 04-22-2016, 09:12 PM   #12
yupstrips
Newly Registered User
 
Join Date: Mar 2016
Posts: 9
Thanks: 0
Thanked 0 Times in 0 Posts
yupstrips is on a distinguished road
Re: Securing A Database - License Key

How are Software License Keys generated?
liccense Keys are the defacto-standard as an anti-piracy measure. To be honest this strikes me as (in)Security Through Obscurity, although I really have no idea how License Keys are generated. What is a good (secure) example of License Key generation? What cryptographic primitive (if any) are they using? Is it a message digest? If so what data would they be hashing? What methods do developers employ to make it difficult for crackers to build their own key generators? How are key generators made?
yupstrips is offline   Reply With Quote
Old 04-27-2016, 08:58 AM   #13
gemma-the-husky
Super Moderator
 
gemma-the-husky's Avatar
 
Join Date: Sep 2006
Location: UK
Posts: 13,462
Thanks: 51
Thanked 949 Times in 918 Posts
gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all gemma-the-husky is a name known to all
Re: Securing A Database - License Key

Quote:
Originally Posted by yupstrips View Post
How are Software License Keys generated?
liccense Keys are the defacto-standard as an anti-piracy measure. To be honest this strikes me as (in)Security Through Obscurity, although I really have no idea how License Keys are generated. What is a good (secure) example of License Key generation? What cryptographic primitive (if any) are they using? Is it a message digest? If so what data would they be hashing? What methods do developers employ to make it difficult for crackers to build their own key generators? How are key generators made?
The idea is that your programme knows a value that the user needs to have available in order to use the programme.

Let's say your programme looks for a "licence key" value of 123 to be stored in a certain field, or to be kept in a file, or to be kept in the registry somewhere.

If a user can determine which value your programme is checking, he can use copies of your programme without authorisation.

So instead of using a specific value of 123, instead look for, say, the HDD number of the client machine. This is generally different on all machines - well sufficiently different that any 2 PC's are likely to have different HDD numbers.

If a user determines that the number required IS the HDD number, then the system is defeated. Moreover, you most likely do not know the user's HDD number, anyway. You aren't likely to personally install your program on a user's PC.

So instead, if you get the user to send you his HDD number, and you process this in a way that is hard for the user to determine, and then send him back the result as his "licence key" - your programme can do the same thing. Read the HDD, process it, and see if the result is what you expected. If it is, the user can continue. If not, terminate the application.

so the licence key you issue to your user works on his machine, but probably doesn't work on another machine, and he most likely can't work out what you did to produce the licence key from his HDD.

Now you can do this either by encryption, or by hashing. Encryption is producing an encoded result, which can then reversed to recover the original. This cannot be done with hashing. Instead with hashing the same steps have to be taken, and the hashed result compared with the expected hashed result.

It becomes a bit trickier if you want to build in an expiry date. With encryption, such as vignere (basically this is a complex alphabetic Caesar shift cipher), you can include in the plaintext a licence expiry date as well as the HDD. After decrypting the result you recover the original data, the HDD and the expiry date.

Now, you can't manage an expiry date so easily with hashing alone. With hashing, you cannot recover the original string that produced the final hash result, so you can't determine the expiry date directly from the hash key. You can use a combination of encryption techniques and hashing.

You can download code to implement either of these methods. (MD5 hash, or a vignere cipher)

Whatever you do, your programme needs to include code either to duplicate the steps that you take to transform a message from the user into a licence key, or to reverse the encryption of the licence key back to the original data - most likely a combination of both.
__________________
Dave (Male!)
Gemma was my dog

if a poster helps you, please click the scales at the top right of this posting, or use the thanks button alongside.
gemma-the-husky is offline   Reply With Quote
The Following User Says Thank You to gemma-the-husky For This Useful Post:
hassanogaibi (06-28-2016)
Old 04-22-2016, 10:45 PM   #14
Uncle Gizmo
Nifty Access Guy
 
Uncle Gizmo's Avatar
 
Join Date: Jul 2003
Location: Newbury Berks UK
Posts: 9,541
Thanks: 368
Thanked 784 Times in 749 Posts
Uncle Gizmo is a jewel in the rough Uncle Gizmo is a jewel in the rough Uncle Gizmo is a jewel in the rough
Send a message via Skype™ to Uncle Gizmo
I use a Vigenère cipher to generate passwords.

https://en.m.wikipedia.org/wiki/Vigenère_cipher

Sent from my SM-G925F using Tapatalk
__________________
Code:
                 |||||
               @(~Ô^Ô~)@
-------------oOo---U---oOo-------------
|                                     |
|      Uncle Gizmo              |
|                                     |
|                                     |
| Get $20 worth of "Nifty Code"       |
|      
To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
| | Ooo | |_________________ooO____( )________| ( ) ) / \ ( (_/ \_)
Uncle Gizmo is offline   Reply With Quote
Old 10-25-2016, 08:33 AM   #15
Kitoned
Newly Registered User
 
Join Date: Mar 2014
Posts: 10
Thanks: 1
Thanked 0 Times in 0 Posts
Kitoned is on a distinguished road
Re: Securing A Database - License Key

You will send to me your Email. Mine will be available when my post count comes to 10.
I shall send to you access 2003 LockFileMaker.mdb, MainFile.mdb,LockFileTemplate.mdb. The LockFileMaker shall be able to generate LockFile.mde and MainFile.mde. The LockFile shall carry the limitations in number of days for MainFile.mde to remain working. The user is given LockFile.mde and MainFile.mde and these should be in the same installation folder. For a full license you have to generate another LockFile.mde with open limitations and you send it to the user to replace the old LockFile.mde. However try to guess what could happen if the MainFile.mde is copied to another folder and dbl cliked!. You shall take it from there.
Kitoned is offline   Reply With Quote
Reply

Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Question help securing database kujeremy General 2 05-14-2010 01:18 PM
Securing Your Database homeguard General 5 04-23-2008 09:40 AM
Securing a database Scott0321 General 2 07-24-2007 11:02 AM
Securing a database harrisw General 3 02-12-2003 07:33 AM
Securing a database using VBA striker Modules & VBA 4 12-04-2002 11:18 AM




All times are GMT -8. The time now is 12:12 PM.


Microsoft Access Help
General
Tables
Queries
Forms
Reports
Macros
Modules & VBA
Theory & Practice
Access FAQs
Code Repository
Sample Databases
Video Tutorials

Featured Forum post


Sponsored Links


Powered by vBulletin®
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
(c) copyright 2017 Access World