.NET cryptography for licence keys?

Question

I want to create a license key, which cryptography algorithm would you recommend?

Basically the inputs would be:

company name
major version number
date created
expirey date
has feature1:
has feature2:
has feature3:

e.g. Acme Inc 5.0 20081102 20081102 0 1 0

Related: Which built-in .NET cryptography algorithm is the most secure?

There are related questions on SO: http://stackoverflow.com/questions/79064/cryptography-algorithm and http://stackoverflow.com/questions/179220/best-cryptography-algorithm and http://stackoverflow.com/questions/258721/which-built-in-net-crypotgraphy-algorithm-is-the-most-secure — Thomas Owens, Nov 03 '08 at 15:43
Why was this closed? The other questions does not answer this and ASDFdotASPX's other question was much more general. — Rasmus Faber, Nov 03 '08 at 16:31
Reopened. It's similar to, but not a duplicate of, the links that I provided. — Thomas Owens, Nov 03 '08 at 17:20
This is seriously a misunderstood question. The guy isn't asking how to hide communication from the NSA. — Echostorm, Dec 24 '08 at 15:21
I use SLP server.. it's a former Microsoft product, now sold here: http://www.inishtech.com/software-licensing-and-code-protection-products-for-net-developers/SLP-Server.aspx — makerofthings7, Jan 19 '11 at 22:43

score 11 · Answer 1 · edited Oct 22 '13 at 15:09

11

I would recommend: Don't spend too much time on securing your keys. With byte compiled languages it is very easy to decompile and just make the application skip the validation step. No matter how secure your keys are, they don't matter when your validation function always return true. Serial keys are there to keep honest people honest.

edited Oct 22 '13 at 15:09

oo_dev

777
7
20

answered Nov 04 '08 at 13:18

Hamza Yerlikaya

221
1
2
5

Ha, ha, ha, "***very easy** to decompile and just make the application skip the validation step*". Since it's very easy, go ahead, crack us the latest version of HP Loadrunner, or the latest version of [Burp Suite](https://portswigger.net/burp/download.html) and show us it's **very easy** to do so. A blogpost as proof would be sufficient, for example [here's one for a (very) old version of Burp Suite](http://blog.nibblesec.org/2013/01/anti-debugging-techniques-and-burp-suite.html). The **real** question is, how many valuable programs have you reverse engineered? – Pacerier Apr 13 '16 at 17:41
"*Serial keys are there to keep honest people honest..*" **Wrong**. Honest people don't need serial keys to be honest, a msgbox like "don't use this feature unless you pay me first" would be sufficient. **Serial keys are there to keep dishonest people honest.** Dishonest, but *cheap*. [Security is an economics problem](https://www.google.com/search?q=economics+of+security) first, then a technological problem second. – Pacerier Apr 13 '16 at 17:41

score 8 · Answer 2 · answered Nov 03 '08 at 18:11

If you are doing validation on the customer-side, you want to use asymmetric encryption. That way you do not have to distribute the private key to the customer. I would generate a RSA signature using SHA-256 and a 2048 bit key. If you do that, the cryptographic operations will not be the weak link. A cracker could of course change the code to skip the verification step, but no cryptographic algorithm will help that.

If you are doing validation server-side, I would choose a SHA-256 based HMAC.

Remus Rusanu · Answer 3 · 2010-02-23T21:03:15.633

For a license key you are not so much interest in encrypting it, but on signing it. By signing it you can validate that the expiry date and enabled feature list was not tampered with. There is no need to hide (encrypt) the license key, as there is no threat you want to mitigate by hiding the license from the end user.

Cryptographic signatures are done by hashing the license and then encrypting the hash with a private key. Since anyone can decrypt that hash using the corresponding public key, anyone can verify if the license was tampered with.

The basic CryptoAPI function to sign and verify are CryptSignHash and CryptVerifySignature, see Example C Program: Signing a Hash and Verifying the Hash Signature.

The .Net Framework equivalent are the RSAPKCS1SignatureFormatter and RSAPKCS1SignatureDeformatter classes.

Stefan Steiger · Answer 4 · 2010-03-26T07:35:54.743

1

You need to do 4 things:
No 1: Checksum your application (MD5, with custom md5 context)
- MD5 context needs to be encryptedly initialized
- Compare agains private/public key encrypted checksum
No 2: Checksum your running application's text segment
No 3: Use 4096-Bit RSA Private-Public key encrypting for the license
No 4: Encrypt any crucial strings, like "Wrong key" or "Key ok"

edited Mar 26 '10 at 07:35

answered Feb 23 '10 at 08:00

Stefan Steiger

78,642
66
377
442

MD5 is a broken hash algorithm and should not be used – Nayef Aug 31 '15 at 16:08

score 0 · Answer 5 · answered Nov 07 '08 at 14:14

If you would like to see an example of Triple DES encryption, you can take a look at my blog post on encrypting data in a database.

The blog post contains a video and the source code.

Although it focuses on encrypting string columns in the database, you can definitely modify it to work with licensing fields.

The source code is written in C# and uses Triple DES algorithms.

.NET cryptography for licence keys?

5 Answers5

Linked