How to Generate and Validate a Software License Key

How to generate and validate a software license key?

Caveat: you can't prevent users from pirating, but only make it easier for honest users to do the right thing.

Assuming you don't want to do a special build for each user, then:

• Generate yourself a secret key for the product
• Take the user's name
• Concatentate the users name and the secret key and hash with (for example) SHA1
• Unpack the SHA1 hash as an alphanumeric string. This is the individual user's "Product Key"
• Within the program, do the same hash, and compare with the product key. If equal, OK.

But, I repeat: this won't prevent piracy

---

I have recently read that this approach is not cryptographically very sound. But this solution is already weak (as the software itself has to include the secret key somewhere), so I don't think this discovery invalidates the solution as far as it goes.

Just thought I really ought to mention this, though; if you're planning to derive something else from this, beware.

How are software license keys generated?

For old-school CD keys, it was just a matter of making up an algorithm for which CD keys (which could be any string) are easy to generate and easy to verify, but the ratio of valid-CD-keys to invalid-CD-keys is so small that randomly guessing CD keys is unlikely to get you a valid one.

INCORRECT WAY TO DO IT:

Starcraft and Half-life both used the same checksum, where the 13th digit verified the first 12. Thus, you could enter anything for the first 12 digits, and guess the 13th (there's only 10 possibilities), leading to the infamous 1234-56789-1234

The algorithm for verifying is public, and looks something like this:

x = 3;
for(int i = 0; i < 12; i++)
{
    x += (2 * x) ^ digit[i];
}
lastDigit = x % 10;

CORRECT WAY TO DO IT

Windows XP takes quite a bit of information, encrypts it, and puts the letter/number encoding on a sticker. This allowed MS to both verify your key and obtain the product-type (Home, Professional, etc.) at the same time. Additionally, it requires online activation.

The full algorithm is rather complex, but outlined nicely in this (completely legal!) paper, published in Germany.

Of course, no matter what you do, unless you are offering an online service (like World of Warcraft), any type of copy protection is just a stall: unfortunately, if it's any game worth value, someone will break (or at least circumvent) the CD-key algorithm, and all other copyright protections.

REAL CORRECT WAY TO DO IT:

For online-services, life is a bit simpler, since even with the binary file you need to authenticate with their servers to make any use of it (eg. have a WoW account). The CD-key algorithm for World of Warcraft - used, for instance, when buying playtime cards - probably looks something like this:

1. Generate a very large cryptographically-secure random number.
2. Store it in our database and print it on the card.
   
   
   Then, when someone enters a playtime-card number, check if it's in the database, and if it is, associate that number with the current user so it can never be used again.

For online services, there is no reason not to use the above scheme; using anything else can lead to problems.

How to generate a product license key which includes decodable product information

basically what you can do is: create a datastructure holding your information, encode that as bytes, pipe through a compression function if too large.

create a keypair for your favourite signing algo like RSA

sign the data structure / the compressed bytes

truncate the signature to a fitting size like the last X hex digits

ship the public key with your product

the longer the signature part, the harder to make a working keygen

it's more likely someone will replace you key or the checking logic in your binary, but yes... that's how you could do this...

Looking for a license key algorithm

There is no reliable licensing algorithm. Really. Not even one. For the most popular, most expensive proprietary software you can buy, you can also find "key generators" and hacked versions that don't require licensing.

Instead of worrying about making it "unbreakable", just do something simple. A popular mechanism is to, at purchase, ask for the user's name, and then give him a license key that's derived from a cryptographic hash (e.g. MD5 sum) of the user's name, or some variation on it. Then, in the software you ask for their name again, plus the registration key (that MD5-derived thing); you check to see that they match, which activates the software.

Can this be hacked? Absolutely. Once someone figures out how you're generating the license keys, they can generate their own. But if you keep a database of the "official" license keys you've generated so far, at least you'll be able to identify the fraudsters later on (perhaps when they try to download "premium" content or something).

But don't worry so much about stopping the hackers from cracking your code. It's going to happen, but they're such a tiny part of the market that it won't significantly affect your overall sales.

license keys generation method for software product

You can generate license files Public-Private key Cryptography, and using RSA.
Please look at this library, you can found this useful.
http://afewguyscoding.com/page/2/
This library people have also done survey, which will give you idea that how good this method works.

There is another github project using similar approach.
Visit https://github.com/starschema/slm4j

Generating / Validating License Key for C# Server Control

I cannot provide you an answer based on an existing framework. Here my solution

1. Basic idea: Use signatures like in emails. The signed data are the authorized URLs.
2. Create a public / private key pair using regular asymmetric cryptography (enough tutorials available).
3. Embed the public key in your compiled DLL.
4. When the control is rendered, load the license file, verify its signature using the embedded public key, verify the current accessing url against the provided urls found in the license file (which are protected by the signature).
5. On Success: Let it flow
6. On Failure: Add your message to output.
7. (For performance: Cache the authorization token in application data memory)
8. (For protection of the mechansim: apply a code obfuscator on the assembly)

Additional you need a tool to create the licenses using the private key (which is not part of the distributed assembly but just this tool.

Update: As I see you biggest concern is the creation of the license key:

1. Create a Windows Forms application
2. Create a text box which allows multiple lines
3. Each line can have one URL accepted.
4. Take all lines as text, using a StreamWriter (based on CryptoStream based on FileStream).
5. The CryptoStream uses the private key which was created before.
6. The FileStream is open to the license file you want to distribute.

Hope that helps!

How would you store a license key from ex.: Windows 10 or Steam in a Database?

I found an npm package called crypto that allows you to encrypt and descrypt data. I haven't tried it yet but I'll paste you the link i found here so you can go check by yourself.

https://attacomsian.com/blog/nodejs-encrypt-decrypt-data

---

Related Topics