Comments on: Everything You Need To Know About Registration Systems

By: joske vermeulen

joske vermeulen — Mon, 10 Mar 2008 15:36:23 +0000

Typo police alert: 4th paragraph: “If you will permit be ” -> “If you will permit me “.

Anyway, Justin: you are right. What Patrick means (I think ) is to use a signature and to check that signature with the public key. I’m also not quite sure why you’d need to use a hash of the identifying data or the relevance of the md5 remark. As far as I can tell (and how I’ve implemented it ) it’s enough to make a signature of the username and any eventual other identifying information. You then check the signature with the public key which you’ve embedded in your application.

By: Justin

Justin — Mon, 03 Dec 2007 20:30:31 +0000

I’m not sure the public key encryption method works. You say to guard the private key with your life but in the next paragraph say that your software “decrypts the serial number” which requires use of the private key. a hacker look in the code to determine the encryption key and generate their own forged product key by encrypting it with the same key used for decryption. it seems that any symmetric encyrption algorithm could work just as well. another simpler approach is using a hash function in the code and making the product key = [unhashedportion]+[hash]. if the user types a product key where the second part is not the hash of the first part you know it is invalid. in other words, the approach described here is security by obscurity, and there are simpler methods than symmetric encryption to accomplish that.

i think only assymetric cryptography SIGNATURES can prevent forged license codes. the license code should be digitally signed (not encrypted) by the software publisher using a private secret key. then the software embeds the public key and verifies the signature. inspecting the code won’t help hackers because they’ll only find the public key there, and that is not enough to generate a signature. in other words, the product key becomes [serialNumCapabilities]+[SignatureOfPrevious]. the problem is that an RSA 512 bit key signature is 103 base32 characters, which is cumbersome for the user to type in.

By: Clay Dowling

Clay Dowling — Fri, 12 Oct 2007 13:51:23 +0000

Patrick,

Just wanted to say that this is a very good article and covers a lot of stuff that people need to know. It should probably be listed on the BoS wiki. I wrote my own registration component using a symmetric encryption technique rather than the asymmetric method of public key encryption, which seems sufficient unto my needs. I wrote the article up here: http://www.lazarusid.com/how-lazarus-registration-works.html

By: Tracy

Tracy — Wed, 03 Oct 2007 06:51:07 +0000

Very nice read, something I am thinking about as we are developing a piece of software. Nice to read a blog where the editor has a sense of humour

By: The Piracy Loss Formula | Flowchart Dude

The Piracy Loss Formula | Flowchart Dude — Thu, 13 Sep 2007 05:07:32 +0000

[...] the correct formula, but also that nascent microISV’s are better off implementing their own simple licensing system than relying on 3rd party tools with potential side effects. Give a little link love:These icons [...]

By: Patrick

Patrick — Wed, 04 Jul 2007 13:15:46 +0000

My first answer is “Ignore them, because they’ll win anyhow, and if they don’t win they’ll just download a cracked version of your software”. This remains my best answer. But if you really want to use your time trying to frustrate a small segment of the non-cooperative population:

But you could save the date of install in the registry somewhere, and leave it after an uninstall. The only problem with that is folks can easily use software to see exactly what keys your app leaves in the registry, and they can rollback to a “clean” state.

You can drop a file somewhere on their hard drive — ditto. Watch changes to the filesystem, revert them, done. Or, run the software in a virtual machine.

You can have your application “phone home” on install with a bit of hashed data which is personally identifiable for the computer, like say the hard drive serial number, but these things can be changed at will and phone home schemes WILL annoy honest users.

By: Jez

Jez — Mon, 18 Jun 2007 16:33:24 +0000

Patrick :

How do you handle the smart user who uninstall the trial version one day before it expires and then reinstall it ?

The Private/Public Key does not solve this problem

On windows do you have to flag something in the registry to handle this ?

By: Patrick

Patrick — Sun, 17 Jun 2007 16:56:02 +0000

Congratulations!

By: Derek Pollard

Derek Pollard — Sun, 17 Jun 2007 16:03:55 +0000

Patrick,
It has been a while, but I’m pleased to say that I have public key encryption implemented in my registration key system. Getting it running in Java was easy, then the PHP side wasn’t much harder (except that I’m a PHP novice) and once I had figured out how to share the keys it was running. What a moment that was Now that is a system that I can just reuse in future versions and products.
Cheers,

Derek.

By: Patrick

Patrick — Thu, 31 May 2007 23:53:23 +0000

Your public key will be algorithmically generated from your private key. Since it is embedded in software, no one has to type it in, so it can be as complex as you need it to be. I’d suggest 256 bits or better. Your private key, which will never be given to anyone other than yourself, will be the same length. You can fairly easily generate one of these by taking a strong password and hashing it with MD5 to the appropriate length.