I'm developing an application for OSX using XCode and Objective C (Cocoa) and I need a system to generate licenses for every application sold.
The system must
Is there something out there to do that or should I implement it myself?
I would implement this in one of three ways, depending on how paranoid I am.
The language you're using doesn't matter.
This is the method you use if you're paranoid about someone reverse-engineering your license generator. You generate an RSA key pair, and bundle the public key with the application. Each license number is signed using the private key, and the application verifies the signature using the public key. Since you are the only one with the private key, there is near zero danger that someone will be able to make a license generator for your application.
Drawbacks: License keys are very long, probably at least 200 characters long (four lines of text). Users will not want to type these in, they will have to copy and paste.
Benefits: Near-zero chance that anyone will write a license generator. No recurring costs.
This is the method you use if you're less paranoid. Licenses are signed using HMAC and a private key, but the private key must be bundled with your application. You can obfuscate it, but it will always be possible for a smart person to extract the secret key from your application.
Drawbacks: License generator is possible.
Benefits: Short keys. You can choose to use truncated HMACs; a 64-bit signature might be "good enough" and will only be 16 characters in base 16. No recurring costs.
This method is both paranoid and convenient, but it requires that users have an internet connection, and it requires running a server. Each license is simply a random string of characters. A database on your server maps the random strings to licenses. When a user registers the application, it does an HTTP request to your server to get the license info corresponding to the specified string. The server replies with an RSA-signed license.
Drawbacks: Recurring cost of server. Cannot register without internet connection. Easy for you to detect pirated keys.
Benefits: Short keys. No license generators. License revocation is easy. Loss of sales to those who worry that you will go out of business.
Temporary licenses can be accomplished in three ways as well.
Online
Signed expiration date
Signed license term
Obviously, if you use signed license terms then users will be able to wipe their preferences to restart the license term, if they are unscrupulous. DO NOT try to hide license term information where the user will not find it; this is a breach of the user's trust that your application will not do anything nefarious. If I found any application hiding data on my computer, I would erase the app and refuse to purchase anything from the developer; I'm sure some other users feel the same way.
If you are an online license server, this is easy — the blacklist is on the server. Otherwise, you will have to bundle your blacklist with the application, and it will only be updated every time you release a new version.
There is the question of whether to block those who use pirated licenses. There isn't an obvious answer to this question: you may think that it would be better to block pirated licenses outright, but accepting a pirated license with a warning message is actually an opportunity to sell a new license.
I'm sure you can come up with your own way of encoding licenses. I've seen Base 32 used, which is nice because it's hard to misread (unlike Base 64). I've also seen schemes using alternating groups of letters and numbers, which is nice because it's easy to remember your place when reading a long key.
Here is an example scheme for an offline license key using HMAC:
AAXX-XXXX-YYYY-ZZZZ-ZZZZ-ZZZZ-ZZZZ
AA: the product name, shortened to two letters
XXXXXX: a nonce
YYYY: date of expiration, # of days since Jan 1 2013, or 0 for unlimited
ZZZZZZZZZZZZZZZZ: signature of first part of key
For RSA keys, the ZZZ... part will be very long.
When using an online key server, the key will just be ZZZ... and does not have to be very long (12 or 16 characters).
It is not possible to prevent someone from cracking your application, no matter what scheme you pick. A smart engineer can disassemble your application and disable the licensing check. Any techniques you use to hinder them will only slow them down, not stop them.