1

I am trying to add software licensing to my software, which I am planning to sell (which means if the license is correct, give access to the software; else, break the access). I don't have any servers, so I am unable to connect to them. I am going to use one of the paid online services to sell my software (I don't like to use their server support for licensing too, because it is time for me to get some break). So, I decided to use client-side validation. Anyway, I am confused about how to generate the license (the license algorithm) and how to validate it (according to the license algorithm). I can do it in my way, but I don't like to mess with this security issue, so I decided to ask for your expert help. Please tell me/show me/give examples of how to create this license generator and validator. And, if you are posting an example with an algorithm, please be kind enough to explain it if you think it is complex, because only then can I create one of my own.

Apart from that, I have another doubt: is it OK to have only 1 license key for a piece of software? So it can be hardcoded into the software without any issue.

Please help..

PeakGen
  • Any kind of algorithm can be broken: it is a lot harder to break an online verification check (which you'll have to make hard to spoof). I would also like to link http://stackoverflow.com/a/454541/248065, where it states how easy it is to bypass a normal check for being activated or not. – Thom Wiggers May 13 '12 at 17:55
  • @TheGuy Well, RSA and co are hopefully unbreakable (OK, nitpicking it is). The problem is more that, as you then point out, it's just ever so easy to not do any checks. The only real solution there is to put all the business logic on the server side, which basically means writing a web application. Most important: independent of what you do, please don't make the application easier and better to use for pirates :/ – Voo May 13 '12 at 18:02
  • I'm pretty sure you'll get a lot more collisions when you shorten it into a 21174-324242-8327429-2384727 format. – Thom Wiggers May 13 '12 at 18:09
  • OK, thanks for your comments, I really appreciate it. @TheGuyOfDoom: In your last comment, do you mean a hard-coded license could be a less protected thing? – PeakGen May 14 '12 at 14:15

3 Answers

4

Use a public key cryptosystem. The app only needs to include the public key of the license signing authority, so it doesn't have the key needed to generate new licenses (only you will have that). The signed document can list any optional features which should be enabled/disabled. A tutorial with example code for signing files and verifying signatures is here: http://docs.oracle.com/javase/tutorial/security/apisign/index.html

James Youngman
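An added example (not part of the answer above) of the scheme it describes: the vendor signs a license text listing the enabled features with a private key that never ships, and the application verifies it with the embedded public key. The class name, the `licensee=...;features=...` layout and the `payload.signature` encoding are assumptions made for illustration, and the key pair is generated on the spot for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class LicenseDemo {
    // Vendor side: sign the license text with the private key (never shipped).
    static String issue(String payload, PrivateKey vendorKey) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(vendorKey);
        s.update(payload.getBytes(StandardCharsets.UTF_8));
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        return b64.encodeToString(payload.getBytes(StandardCharsets.UTF_8))
                + "." + b64.encodeToString(s.sign());
    }

    // Client side: returns the payload if the signature verifies, otherwise null.
    static String validate(String license, byte[] embeddedPublicKey) {
        try {
            String[] parts = license.split("\\.");
            if (parts.length != 2) return null;
            byte[] payload = Base64.getUrlDecoder().decode(parts[0]);
            byte[] sig = Base64.getUrlDecoder().decode(parts[1]);
            PublicKey pub = KeyFactory.getInstance("RSA")
                    .generatePublic(new X509EncodedKeySpec(embeddedPublicKey));
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(pub);
            v.update(payload);
            return v.verify(sig) ? new String(payload, StandardCharsets.UTF_8) : null;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null; // malformed Base64, unusable key or badly encoded signature
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(3072);
        KeyPair vendor = gen.generateKeyPair(); // constructed demo key pair
        byte[] shipped = vendor.getPublic().getEncoded(); // X.509 bytes embedded in the app
        String license = issue("licensee=Example User;features=export,reports", vendor.getPrivate());
        System.out.println("valid:    " + validate(license, shipped));
        // Editing the feature list without re-signing must fail verification.
        String[] p = license.split("\\.");
        String forged = Base64.getUrlEncoder().withoutPadding().encodeToString(
                "licensee=Example User;features=export,reports,admin".getBytes(StandardCharsets.UTF_8))
                + "." + p[1];
        System.out.println("tampered: " + validate(forged, shipped));
    }
}
```

The first line prints the license text and the second prints `null`. The signature stops license forgery only; as the comments on the question point out, the check itself can still be removed from the client.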
0

As @James Youngman said - PPK is the way to go. If you want a shortcut for using this, see TrueLicense.

At least, take a look at the design considerations to get a glimpse of what you must take care of if you want to start this one on your own.

mtraut
0

Actually, any protection can be cracked. The question is how much effort a hacker needs to apply.

Having 1 hard-coded key is probably the worst solution you can pick, as the key can be shared easily. The key should be f(system_id) so key-sharing will not work.

Having a hard-coded key validation is not good either. A hacker will just copy/paste this part of the code into a keygen.

A better solution is checking the key on the server side, as http://activation-cloud.com does. But it is only C++ at the moment.

ChatCloud
  • The right thing to do here would have been to point out the author's affiliation with activation-cloud.com when recommending it. – James Youngman Aug 24 '14 at 11:52