Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Algorithm for activation key- Security

I'm writing a software application that the user needs to buy a license for and activate it. I need suggestions on how to start about writing a powerful algorithm for code generation and of course, code checking. I know that people can reverse engineer the code and make a keygen, however, my question is two parts:

  1. In general, regardless of the application being cracked this way, how can I start writing an algorithm to accept a certain Serial or String or a combination. (e.g is that the right thing? e.g: the first number is from 3-9 the second should be the first - 3, while the third number should be the second * + ....whatever...??)

  2. What is the best approach for protecting a Desktop application from piracy without dealing with the internet. Is it the algorithm (make it harder to reverse engineer), protect the source code from being seen after application is installed somewhere?? ...??

PS: Maybe it is worth to mention that I am using Java as my development language. Thanks

like image 465
Saher Ahwal Avatar asked Aug 01 '10 20:08

Saher Ahwal


People also ask

How are activation keys generated?

Generate keys by encrypting (with a private key) a known value + nonce. This can be verified by decrypting using the corresponding public key and verifying the known value. The program now has enough information to verify the key without being able to generate keys.

What is key generator software?

A key generator (key-gen) is a computer program that generates a product licensing key, such as a serial number, necessary to activate for use of a software application.

Where is my Windows activation key?

Generally, if you bought a physical copy of Windows, the product key should be on a label or card inside the box that Windows came in. If Windows came preinstalled on your PC, the product key should appear on a sticker on your device. If you've lost or can't find the product key, contact the manufacturer.


2 Answers

  1. It sounds like you might benefit from the public-key cryptography approach.

  2. This can be broken down into two sub points:

    • A. Have you read this thread here on SO? It might give you some breadth on the issue.
    • B. As @Jaka said, it's not a great challenge (from what I've read) to produce human readable code from Java byte code. You can run your code through an obfuscator to make it more difficult for someone to produce human readable code from it, but if someone really wants to read your code, they'll almost always find a way. The best approach to combat this is to take the advice in the SO thread I linked to: make it easier for someone to buy your app than for someone to steal it.

(edited after stated he's using Java)

like image 109
labratmatt Avatar answered Sep 28 '22 08:09

labratmatt


For the license keys you could use an encryption with public-private keys. In this way you could either embed the private key into the software and encrypt a string which would mean something to your software (like which features of your software are licensed). Or you could embed the public and give the software a string with special meaning and sign it with your private key. The software could then check if the signature is valid.

edit: labratmatt was faster with the public-private key answer :)

Obviously second part of your protection would need to deal with making your software hard to disassemble and debug (this is how crackers examine your software and try to bypass the protection with a patch or they try to figure out how they can make a keygen). This part is actually much harder and involves techniques like encryption the whole executable and wrap it inside a loader which decrypts it at runtime. The loader can also use various techniques to detect the presence of debuggers.

edit: Since you mentioned that the application is written in JAVA, then this encrypting and packing step is even more important as JAVA can easily be decompiled into a very human readable form. There are "obfuscator" programs which mess around with the classes so that the decompilers can't generate readable code, but cracking this is still much easier than cracking something compiled to machine code.

If you don't want to spend time with developing your own protection you can also use one of commercial protection software. There are quite a lot of them to choose from and they offer numerous protection schemes (dongles, time based licenses,...)

Lots of commercial software uses packages like FlexNet, HASP, Wibu-key

like image 20
Jaka Avatar answered Sep 28 '22 07:09

Jaka