Generate license numbers for shareware - How ???

Paul

Hi,
I have spent the last couple of days researching this issue. And I have
also spent time thinking about what is needed.

I am distributing my software as shareware. When a customer orders a
license, I send him/her a printed license with a license number that
can be used to unlock certain features in the software.

A license number should consist of up to 20 numbers and letters.
Upper/lower case letters should not matter and in order to avoid
mistyping the letters I and O should not appear in the license number.

I want to make it as hard as possible to write an illegal key generator
for my license number system. Key generators hurt me most. I cannot
disable the illegally generated license numbers without also disabling
the license numbers issued to paying customers.

Cracks are a minor concern. I am updating my software in short
intervals. A crack would only work for a short period of time and users
of such a crack may even become paying customers in order to get the
latest software release.

For the license number system, I am looking into asymmetric
cryptography. A number is encrypted using my private key. At runtime,
the encrypted license number is decrypted and validated using the
public key.

C# and DOTNET have built-in support for the RSA encryption engine. But
RSA requires a minimum key length of 512 bits and the output is padded
to this length. 64 bytes of binary data cannot be used as a printed
license number.

Elliptic curves can be used with smaller keys and I expect that results
in smaller encrypted output data. The problem with elliptic curves is
that I am unable to find a usable implementation.

Any ideas?

With best regards,
Paul Hoepping
 
Paul E Collins

Paul said:
I want to make it as hard as possible to write
an illegal key generator for my license number
system. I cannot disable the illegally generated
license numbers without also disabling the license
numbers issued to paying customers.

You can if you require users to connect to the Internet to validate
the licence number against your database of live ones*: that might
also give you hints as to whether many different people are using the
same key. It's a bit annoying for users, though (not everybody has an
"always-on" Internet connection, or even Internet access at all) and
might be perceived as invasive.

Eq.

* Yep, somebody could crack it to remove that entire check, but I
don't know what you can do against crackers beyond using some kind of
obfuscator.
 
Andy

Paul, I think there are some 3rd party tools available to help you with
this. You may want to look into them, as they will have already
overcome most of the obstacles that you will encounter (and some you
may not think to anticipate).

It's similar to encryption; it's wiser to use already developed
algorithms than try to roll your own.

Andy
 
Grant Frisken

Dave said:
Could u tell me some of the third party tools that are able to do this?
--

Take a look at Infralution's Licensing System. It uses an RSA based
public key encryption system but is able to keep the license keys
reasonably short. You can download an evaluation version at:

http://www.infralution.com/licensing.html

Regards
Grant Frisken
Infralution
 
Paul

Hi Paul,

I do not want to enforce an online activation scheme. The software is a
(small) contact management system intended for professionals and small
companies. Such a software is usually used for many years.

I cannot guarantee that an activation would still be possible in a
couple of years. The activation of Microsoft products is annoying but
you can be reasonably certain that such an activation will be possible
in the future. If I go out of business, activation for my products
would no longer be available and the customers would no longer be able
to reinstall my products.

Thanks to the others for recommending suitable products. I will look
into them and report my findings.

With best regards,
Paul Hoepping.
 
Paul

Hi Grant,
thanks for the link. I have done a first, superficial evaluation. The
Infra Solutions License Key Generator created keys like this one:

9E50-EA54-D5DF-0470-27EC-B356-05C0-F114-FD73-90E8-DCCB-464E-543A-8421-B0B1-E18B-89F9-C3DB-D357-4C9C-910A-A796-2295-31BC

There are 24 Blocks of 4 letters each. The binary data seems to be
presented as hexadecimal numbers. That would mean that this represents
48 Bytes of data. If RSA is being used I would guess that you are using
a 384 bit key.

A 384 bit RSA key is not high security but it would be good enough for
a low profile shareware application like mine. And the price (US$ 80
for the software and US$80 for the source code) is acceptable.

The user would have to enter 96 characters of key data. Using the
letter 0..9 and A..Z that could be reduced to 48 characters. I am
aiming for about 20 characters.

I was hoping for a software using elliptic curves for the encryption.
Elliptic curves require shorter keys. A 128 Bit ECC key has about the
same level of security as a 1024 bit RSA key. If the data is padded up
to the key size, this would result in 16 bytes of binary data.

At the moment your product is at the top of my (short) list of suitable
products.

With best regards,
Paul Hoepping
 
Grant Frisken

The length of the key depends on the key strength and the length of any
ProductInfo you include in the key. The shortest keys you can generate
using our system are 8 blocks of 4 letters (ie 32 characters) - with
key strength = 7 and up to 4 characters of product info. The key
strength is basically the length of the password used to encrypt the
key. The password is validated using 1024bit RSA. A key strength of
7 is pretty good but may be susceptible to brute force attacks. A key
strength of 15 will be much stronger and generate keys of 12 x 4 = 48
letters.

Regards
Grant
 
Paul

Hi Grant,
ohh, I did not understand the dependency on the product info. I will
try again with less product info. Thanks !

Since I am technically interested, I am wondering how you achieve
these short key length values. Before I started looking for a
commercial product, I did some experiments using the .NET
RsaCryptoServiceProvider class. I had 6 bytes of serial number data.
Using a 512 bit RSA key, the encryption engine produced 64 bytes (= 512
bits) of encrypted data. Reading the documentation, I got the
impression that padding of the data up to the key size is unavoidable.
At that point I started looking to other encryption technologies.

I will reread the documentation and - most likely - buy your product.

With best regards,
Paul Hoepping
http://www.hed-dress.de
http://www.hed-software.com
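
The printed-key constraints from the first post (up to 20 characters, case-insensitive, no I or O) and the sizes quoted above (6 bytes of serial data, 64 bytes of 512-bit RSA output), worked through as an added example that is not part of the original thread and not any vendor's code. It assumes a Crockford-style base-32 alphabet (which also drops L and U); all function names are hypothetical.

```python
# Added example: typo-tolerant base-32 text form for a binary license blob.
# Assumption: Crockford-style alphabet (digits + letters without I, L, O, U).
ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
# Fold common typing mistakes onto the intended symbol; drop separators.
FOLD = str.maketrans({"I": "1", "L": "1", "O": "0", "-": None, " ": None})

def chars_needed(num_bytes: int) -> int:
    """Characters required to print num_bytes at 5 bits per character."""
    return (num_bytes * 8 + 4) // 5

def capacity_bytes(num_chars: int) -> int:
    """Whole bytes that fit into a key of num_chars characters."""
    return num_chars * 5 // 8

def encode(data: bytes, group: int = 5) -> str:
    """Render data as upper-case base-32, hyphenated into groups."""
    value = int.from_bytes(data, "big")
    digits = []
    for _ in range(chars_needed(len(data))):
        value, rem = divmod(value, 32)
        digits.append(ALPHABET[rem])
    text = "".join(reversed(digits))
    return "-".join(text[i:i + group] for i in range(0, len(text), group))

def decode(text: str) -> bytes:
    """Parse a typed key: any case, optional hyphens/spaces, I/L/O folded."""
    clean = text.upper().translate(FOLD)
    value = 0
    for ch in clean:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid character {ch!r}")
        value = value * 32 + idx
    num_bytes = capacity_bytes(len(clean))
    if value >> (num_bytes * 8):          # leftover high bits must be zero
        raise ValueError("non-zero padding bits")
    return value.to_bytes(num_bytes, "big")

if __name__ == "__main__":
    serial = bytes.fromhex("0123456789ab")   # constructed 6-byte serial
    key = encode(serial)
    print(key, decode(key.lower()) == serial)
    print("20 characters carry", capacity_bytes(20), "bytes")
    print("64-byte RSA-512 block needs", chars_needed(64), "characters")
```

At 5 bits per character a 20-character key carries 12 bytes, so whatever is printed (serial data plus any signature or check value) has to fit in that budget.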
 
Have you looked at CryptoLicensing? It is based on RSA so creating a keygen is impossible. It can generate short 32 char long codes too. And it supports various licenses like trials, activated, locked, etc
 
