How to generate and validate a software license key?

Question

I'm currently involved in developing a product (developed in C#) that'll be available for downloading and installing for free but in a very limited version. To get access to all the features the user has to pay a license fee and receive a key. That key will then be entered into the application to "unlock" the full version.

As using a license key like that is kind of usual I'm wondering :

How's that usually solved?
How can I generate the key and how can it be validated by the application?
How can I also avoid having a key getting published on the Internet and used by others that haven't paid the license (a key that basically isn't "theirs").

I guess I should also tie the key to the version of application somehow so it'll be possible to charge for new keys in feature versions.

Anything else I should think about in this scenario?

score 149 · Accepted Answer · edited Dec 10 '10 at 15:08

149

Caveat: you can't prevent users from pirating, but only make it easier for honest users to do the right thing.

Assuming you don't want to do a special build for each user, then:

Generate yourself a secret key for the product
Take the user's name
Concatentate the users name and the secret key and hash with (for example) SHA1
Unpack the SHA1 hash as an alphanumeric string. This is the individual user's "Product Key"
Within the program, do the same hash, and compare with the product key. If equal, OK.

But, I repeat: this won't prevent piracy

I have recently read that this approach is not cryptographically very sound. But this solution is already weak (as the software itself has to include the secret key somewhere), so I don't think this discovery invalidates the solution as far as it goes.

Just thought I really ought to mention this, though; if you're planning to derive something else from this, beware.

edited Dec 10 '10 at 15:08

Steven A. Lowe

60,273
18
132
202

answered Mar 01 '09 at 13:53

Brent.Longborough

9,567
10
42
62

One thing you can at least achieve is to force crackers to patch your application (i.e. no keygen without patch possible) by using some kind of signature, see my [answer](http://stackoverflow.com/questions/534215/how-to-get-unique-hardware-software-signature-from-a-windows-pc-in-c-c/534243#534243) – newgre Mar 01 '09 at 15:12
20

if the program includes the secret key (as implied by the steps above), cracking it is trivial – Steven A. Lowe Dec 08 '10 at 14:49
2

edited to be more obvious; cannot over-emphasize something that fundamental ;-) – Steven A. Lowe Dec 10 '10 at 15:09
35

Use an asymmetric cryptographic method (such as RSA) for generating and decoding the product key to avoid embedding the secret in the code. – Amir Moghimi Jun 19 '12 at 06:43
12

I would think that by the time someone is hacking your code (possibly at the assembly level) to find your secret key, they are probably also at the level that they can just bypass your checks entirely. I don't think there's a method of registration so secure that it can survive a good hacker running the program locally. As the original comment said, it's really all about anything that makes it one step harder than simply copying the file. A lot of games these days have given up on copy protection and simply take the game content online, in which case the code is out of the hacker's hands. – JamieB Dec 04 '12 at 22:56
2

Is it common to include restrictions in the license key? For example, time restraints, concurrent user count, modules to install, etc.? – Carlo Dec 04 '13 at 21:01
1

@Carlo Yes, that's possible. It makes things a bit more complex, but it still doesn't really protect you from a determined attacker. – Brent.Longborough Dec 04 '13 at 22:30
Thanks for the info. One more question. Is it common to create a separate application to create license keys for a product? Or (without necessarily going into much details) how is this aspect of the creation usually handled? – Carlo Dec 05 '13 at 21:11
@Carlo Your product could generate a registration code based on hardware ID. A remote server could provide an activation-code generation service based on registration code and other data. That activation code is then checked on your product. – Mauro Sampietro Mar 20 '15 at 10:51
@sam What makes you think that'll stop a hacker from bypassing the validation logic? All it will do is piss your honest user off when he can't get to the activation server, and when he can and he has to jump through your hoops.. – Brent.Longborough Mar 20 '15 at 15:11
@Brent.Longborough Nothing, in facts i was answering how to generate specific key licence. You probably did not read the last 2 comments before posting – Mauro Sampietro Mar 23 '15 at 07:47
Is there an existing off-the-shelf web service that handles the server side of this process? I set up an account for my product on the web service providing my products secret key. I get back a url that I give to my users where they can enter a username and provide payment and receive a product key which is a hash of their username + the secret key hashed by an algorithm I chose when setting up the account. – jwezorek Dec 02 '18 at 21:45
@jwezorek I'm sorry, I don't know. – Brent.Longborough Dec 05 '18 at 10:51
easy enough to use ECDSA or RSA signatures instead of hashing. same simple implementation, but more secure. – Erik Aronesty Feb 27 '19 at 22:49
@ErikAronesty As I said, this is not a secure solution. It's insecure whether or not you use "proper" crypto, as the keys have to be embedded somewhere in the executable. – Brent.Longborough Mar 02 '19 at 09:14
2

@Brent.Longborough there are many different kinds of security. with a pub key in the exe, there's no way to sell spoofed licenses. there's just no advantage to a hash method over pib/priv and all disadvantage. the priv key does not have to be in the exe – Erik Aronesty Mar 18 '19 at 15:13
@ErikAronesty OK, Erik, let's explore this further. Where is the private key, if not in the exe? – Brent.Longborough Mar 22 '19 at 17:15
3

@Brent.Longborough Only the author (or party which is generating licence keys) has it. Look up asymmetric cryptography. – Luke Jul 18 '19 at 19:00
So 11 years later, someone has, anonymously, voted this answer down. May I suggest you include a comment, so those 132 who have already upvoted the answer, and I, might better learn what's wrong? – Brent.Longborough Aug 03 '20 at 12:47
@AmirMoghimi How does asymmetric key help? Are you saying that the public key is distributed to the software to be licensed? Couldn't someone swap the pub key out and use a fake licensing server for it? – huggie Aug 04 '22 at 03:11

score 136 · Answer 2 · edited Dec 25 '12 at 14:21

There are many ways to generate license keys, but very few of those ways are truly secure. And it's a pity, because for companies, license keys have almost the same value as real cash.

Ideally, you would want your license keys to have the following properties:

Only your company should be able to generate license keys for your products, even if someone completely reverse engineers your products (which WILL happen, I speak from experience). Obfuscating the algorithm or hiding an encryption key within your software is really out of the question if you are serious about controlling licensing. If your product is successful, someone will make a key generator in a matter of days from release.
A license key should be useable on only one computer (or at least you should be able to control this very tightly)
A license key should be short and easy to type or dictate over the phone. You don't want every customer calling the technical support because they don't understand if the key contains a "l" or a "1". Your support department would thank you for this, and you will have lower costs in this area.

So how do you solve these challenges ?

The answer is simple but technically challenging: digital signatures using public key cryptography. Your license keys should be in fact signed "documents", containing some useful data, signed with your company's private key. The signatures should be part of the license key. The product should validate the license keys with the corresponding public key. This way, even if someone has full access to your product's logic, they cannot generate license keys because they don't have the private key. A license key would look like this: BASE32(CONCAT(DATA, PRIVATE_KEY_ENCRYPTED(HASH(DATA)))) The biggest challenge here is that the classical public key algorithms have large signature sizes. RSA512 has an 1024-bit signature. You don't want your license keys to have hundreds of characters. One of the most powerful approaches is to use elliptic curve cryptography (with careful implementations to avoid the existing patents). ECC keys are like 6 times shorter than RSA keys, for the same strength. You can further reduce the signature sizes using algorithms like the Schnorr digital signature algorithm (patent expired in 2008 - good :) )
This is achievable by product activation (Windows is a good example). Basically, for a customer with a valid license key, you need to generate some "activation data" which is a signed message embedding the computer's hardware id as the signed data. This is usually done over the internet, but only ONCE: the product sends the license key and the computer hardware id to an activation server, and the activation server sends back the signed message (which can also be made short and easy to dictate over the phone). From that moment on, the product does not check the license key at startup, but the activation data, which needs the computer to be the same in order to validate (otherwise, the DATA would be different and the digital signature would not validate). Note that the activation data checking do not require verification over the Internet: it is sufficient to verify the digital signature of the activation data with the public key already embedded in the product.
Well, just eliminate redundant characters like "1", "l", "0", "o" from your keys. Split the license key string into groups of characters.

Couldn't they just edit the software adding/removing code such that the check is skipped totally? — Pacerier, Nov 13 '14 at 18:55
Does the answer to number 1 necessitate an online activation/deactivation service essentially? — Dan W, Oct 31 '15 at 08:42
I would like to point out how vastly superior this answer is to the other hashy thing. — Erik Aronesty, Feb 27 '19 at 22:50
@Pacerier There are many things license keys protect software companies from. Modifying the exe is not one of them. — Erik Aronesty, Mar 18 '19 at 15:14
It's worth noting that even with assymetric cryptography private/public keys, it's still possible to generate fake licenses, by simply replacing the public key shipped in the software with another public key, and using its corresponding private key for signing the fake license. This is why we have and need trusted Certificate Authorities BTW, who bind public keys to identities. So while this might add one more hoop to jump through, it doesn't by itself guarantee #1. — Saeb Amini, Dec 14 '19 at 05:31
@Saeb Amini, trusted Certificate Authorities would secure the public key only the user would not have ability to add new certificates to the store. The hacker could register his certificate as trusted CA, replace the public key in the program with the one signed by his certificate. This makes the hacking just a little bit harder. — Julius Tuskenis, Jun 16 '21 at 07:40
I can think of one improvement to step #2: The server, upon receiving the "activation data" should concatenate the SHA256 hash of the (known good) public key certificate then sign the data. The client side should do the same upon verification with the public key it has and will be using to verify the signature. This should eliminate the possibility of the attack that replaces the key, thereby leaving only one avenue of attack left: Bypassing/short circuiting the software license check all together. You can add a SHA256 of the application to the activation data, but this wont prevent bypassing. — Adam White, Mar 19 '22 at 22:31
@Pacerier I think the benefit of having a secure license key vs modifying the EXE is that it means the hacker would have to distribute the illicitly modified software instead of just distributing the keys they generated themselves. If your EXE is signed that seems like a pretty significant advantage. — StayOnTarget, Sep 09 '22 at 18:34
@SaebAmini replacing the key seems like a similar effect as just modifying the EXE to skip the license check altogether. — StayOnTarget, Sep 09 '22 at 18:34

score 88 · Answer 3 · edited Sep 03 '21 at 12:23

88

Simple answer - No matter what scheme you use it can be cracked.

Don't punish honest customers with a system meant to prevent hackers, as hackers will crack it regardless.

A simple hashed code tied to their email or similar is probably good enough. Hardware based IDs always become an issue when people need to reinstall or update hardware.

Good thread on the issue: http://discuss.joelonsoftware.com/default.asp?biz.5.82298.34

edited Sep 03 '21 at 12:23

rahulroy9202

2,730
3
32
45

answered Mar 01 '09 at 13:45

schooner

3,047
8
30
39

5

agreed, you don't want to upset the users that are actually purchasing your product! (pay heed m$, apple, etc...) – Jason Mar 01 '09 at 15:02
4

MS, Apple, etc can get away with it as they are big and provide core products that is hard to get elsewhere or have a large market shadow they can use to force people. The small dev can't. – schooner Mar 01 '09 at 15:38
4

a pub/priv key signing scheme cannot be "cracked" to produce new valid keys for users who want to run signed code downloaded from the publishers site, instead of cracked software. whereas a hash/symmetric scheme can be cracked to produce new valid license keys indistinguishable from invalid ones. Huge difference. – Erik Aronesty Mar 18 '19 at 15:16
2

Thread link is now dead. Here is archived version -> https://web.archive.org/web/20181006064951/http://discuss.joelonsoftware.com/default.asp?biz.5.82298.34 – Tim Holt Jan 28 '21 at 22:51

score 65 · Answer 4 · answered Mar 01 '09 at 14:06

65

When generating the key, don't forget to concatenate the version and build number to the string you calculate the hash on. That way there won't be a single key that unlocks all everything you ever released.

After you find some keys or patches floating in astalavista.box.sk you'll know that you succeeded in making something popular enough that somebody bothered to crack. Rejoice!

answered Mar 01 '09 at 14:06

shoosh

76,898
55
205
325

12

"don't forget to concatenate the version and build number to the string you calculate the hash on" - but won't that make the key break when the user updates to a minor patch release? – thomthom Sep 24 '15 at 22:17
5

@thomthom How about then to associate a maximum version to a key? The version idea itself is plausible and adds more security – Marvin Thobejane Oct 27 '15 at 07:05
2

@MarvinThobejane to associate a max ver you can sign the max ver allowed, and have the code iterate it's version a bit. but no >= ops allowed in sigs. – Erik Aronesty Feb 27 '19 at 22:52
1

For expensive software, they just send you a new license file every six months when they send out the upgrade announcement. – Rick May 05 '21 at 13:31

score 30 · Answer 5 · answered Aug 25 '18 at 16:50

I'm one of the developers behind the Cryptolens software licensing platform and have been working on licensing systems since the age of 14. In this answer, I have included some tips based on experience acquired over the years.

The best way of solving this is by setting up a license key server that each instance of the application will call in order to verify a license key.

Benefits of a license key server

The advantages with a license key server is that:

you can always update or block a license key with immediate effect.
each license key can be locked to certain number of machines (this helps to prevent users from publishing the license key online for others to use).

Considerations

Although verifying licenses online gives you more control over each instance of the application, internet connection is not always present (especially if you target larger enterprises), so we need another way of performing the license key verification.

The solution is to always sign the license key response from the server using a public-key cryptosystem such as RSA or ECC (possibly better if you plan to run on embedded systems). Your application should only have the public key to verify the license key response.

So in case there's no internet connection, you can use the previous license key response instead. Make sure to store both the date and the machine identifier in the response and check that it's not too old (eg. you allow users to be offline at most 30 days, etc) and that the license key response belongs to the correct device.

Note you should always check the certificate of license key response, even if you are connected to the internet), in order to ensure that it has not been changed since it left the server (this still has to be done even if your API to the license key server uses https)

Protecting secret algorithms

Most .NET applications can be reverse engineered quite easily (there is both a diassembler provided by Microsoft to get the IL code and some commercial products can even retrieve the source code in eg. C#). Of course, you can always obfuscate the code, but it's never 100% secure.

I most cases, the purpose of any software licensing solution is to help honest people being honest (i.e. that honest users who are willing to pay don't forget to pay after a trial expires, etc).

However, you may still have some code that you by no means want to leak out to the public (eg. an algorithm to predict stock prices, etc). In this case, the only way to go is to create an API endpoint that your application will call each time the method should be executed. It requires internet connection but it ensures that your secret code is never executed by the client machine.

Implementation

If you don't want to implement everything yourself, I would recommend to take a look at this tutorial (part of Cryptolens)

One question about restricting the saved license key to not being too old: Since the PC might not be connected to the internet, their date and time can always be changed back to stay on the same valid date? — Amir Mahdi Nassiri, May 08 '20 at 17:33
Can't users bypass the online license server by defining a loopback host in Windows? I've seen many applications being pirated like that, Resharper and Matlab being the ones that I can remember. — Amir Mahdi Nassiri, May 08 '20 at 17:35
@AmirMahdiNassiri For question 1: If the PC is permanently offline, you could use a real-time clock (RTC) dongle as a trusted source for time. For question 2: Since the response is signed with vendor's private key (and verified with the public key inside the application), an adversary would need to re-sign the file without knowing the private key,which, at the time of writing, is not possible with 2048bit RSA keys. — Artem, May 10 '20 at 12:56
@Artem The public key is part of the application binary? Is it possible that it may be swapped out for another public key and just make a feign license server with the corresponding private key? — huggie, Aug 04 '22 at 03:23
@huggie That's right, the public key is part of the application binary. You are right that it can be swapped by an adversary. To prevent this, I would recommend to obfuscate the application. This will make it difficult but not impossible for an adversary to swap the public key. For sensitive code, I would recommend to expose it through an API endpoint that the application can access. — Artem, Aug 05 '22 at 13:25
This should be the accepted answer. Thanks for the details here. — Anthony V, Aug 06 '23 at 12:37

score 27 · Answer 6 · answered Mar 01 '09 at 17:56

27

Besides what has already been stated....

Any use of .NET applications are inherently breakable because of the intermediate language issues. A simple disassembly of the .NET code will open your product to anyone. They can easily bypass your licensing code at that point.

You can't even use hardware values to create a key anymore. Virtual machines now allow someone to create an image of a 'licensed' machine and run it on any platform they choose.

If it's expensive software there are other solutions. If it's not, just make it difficult enough for the casual hacker. And accept the fact that there will be unlicensed copies out there eventually.

If your product is complicated, the inherent support issues will be create some protection for you.

answered Mar 01 '09 at 17:56

11

+1 for preventing weakness on Hardware values because of Virtual Machines. – Rubens Mariuzzo Jan 02 '12 at 16:36
3

That's what strong-naming for .NET and Authenticode for PE signing is for. If someone has decompiled, modified and rebuilt your library it won't be signed and the application will simply not run. The .NET virtual machine won't allow it. – Stephen Tunney Jul 30 '15 at 00:01
2

Signing is for validating the origin of the program you will run. If the user dont care about the origin because he know it is modified and cracked, the cracker would strip out the signature, or even sign it with his own signature. Signing does stop mixing trustable assemblies with untrustable assemblies. – jesusduarte Feb 19 '16 at 18:37
a mobile app can be used as a jury-rigged hardware dongle for expensive software.... just pay using the app, and embed a signing key in the app's secure element. then you can activate using the desktop + app... deactivating the other desktop. colocating some critical section code areas in the app and/or in online homomorphic computation services can help prevent trivial decompilation. – Erik Aronesty Feb 27 '19 at 22:57

gbro3n · Answer 7 · 2015-01-20T11:35:38.130

11

The C# / .NET engine we use for licence key generation is now maintained as open source:

https://github.com/appsoftware/.NET-Licence-Key-Generator.

It's based on a "Partial Key Verification" system which means only a subset of the key that you use to generate the key has to be compiled into your distributable. You create the keys your self, so the licence implementation is unique to your software.

As stated above, if your code can be decompiled, it's relatively easy to circumvent most licencing systems.

edited Jan 20 '15 at 11:35

answered May 09 '13 at 21:21

gbro3n

6,729
9
59
100

1

Would you be willing to do a tutorial for using this product? I found their wiki a bit lacking. – Anthony Ruffino Nov 11 '14 at 19:29
The project has now been open sourced on GitHub if that helps (answer edited with link). – gbro3n Jan 20 '15 at 11:36
I do not recommend Partial Key Verification. It can be broken and when it breaks, it does so catastrophically (https://keygen.sh/blog/how-to-generate-license-keys-in-2021/). I recommend using secure public key cryptography, like EdDSA or RSA. – ezekg Apr 03 '22 at 01:31

score 6 · Answer 8 · answered Jan 08 '15 at 07:01

6

I strongly believe, that only public key cryptography based licensing system is the right approach here, because you don't have to include essential information required for license generation into your sourcecode.

In the past, I've used Treek's Licensing Library many times, because it fullfills this requirements and offers really good price. It uses the same license protection for end users and itself and noone cracked that until now. You can also find good tips on the website to avoid piracy and cracking.

answered Jan 08 '15 at 07:01

panpernicek

657
6
11

Would public key cryptography necessitate using an online activation service? I mean, if it's not in the source code (I presume you mean the executable as well), where else could it be? – Dan W Oct 31 '15 at 09:21
No, you don't have to use online activation service. You can generate license files completely offline. – panpernicek Nov 10 '15 at 12:24
1

The key is in the fact, that you're placing only public key to code, which can't be used for license generation. Only for its verification. – panpernicek Nov 10 '15 at 15:29

score 6 · Answer 9 · answered Mar 01 '09 at 17:11

6

I don't know how elaborate you want to get

but i believe that .net can access the hard drive serial number.

you could have the program send you that and something eles ( like user name and mac address of the nic)

you compute a code based off that and email them back the key.

they will keep them from switching machines after they have the key.

answered Mar 01 '09 at 17:11

Crash893

11,428
21
88
123

5

And keep them from replacing a dead HD amoung other thigns, leading to frustration. There is no easy answer unfortunately, you need to balance trust with basic licensing mechanicsms. – schooner Mar 01 '09 at 17:55
Worked many years as a software engineer with a product that used the serial number off the hd, it was completely insecure to those that knew how to update it. – oden Mar 05 '16 at 05:18
I was implying to use this number with other things (mac address, FQDN ) maybe throw them all in a hash. The point is to make it slightly more difficult to spoof all this data than it is to reverse enginer the software in the first place and remove the check becuase thats always an option. – Crash893 Mar 16 '16 at 01:05

score 5 · Answer 10 · answered Mar 01 '09 at 13:43

5

I've used Crypkey in the past. It's one of many available.

You can only protect software up to a point with any licensing scheme.

answered Mar 01 '09 at 13:43

Mitch Wheat

295,962
43
465
541

score 4 · Answer 11 · answered May 12 '13 at 01:43

4

I've implemented internet-based one-time activation on my company's software (C# .net) that requires a license key that refers to a license stored in the server's database. The software hits the server with the key and is given license information that is then encrypted locally using an RSA key generated from some variables (a combination of CPUID and other stuff that won't change often) on the client computer and then stores it in the registry.

It requires some server-side coding, but it has worked really well for us and I was able to use the same system when we expanded to browser-based software. It also gives your sales people great info about who, where and when the software is being used. Any licensing system that is only handled locally is fully vulnerable to exploitation, especially with reflection in .NET. But, like everyone else has said, no system is wholly secure.

In my opinion, if you aren't using web-based licensing, there's no real point to protecting the software at all. With the headache that DRM can cause, it's not fair to the users who have actually paid for it to suffer.

answered May 12 '13 at 01:43

jugg1es

1,560
18
33

1

But the main problem with web licensing is that the licensing service becomes a prime target for DDoS attacks.. Which either paralyze the service or inflate cloud costs. – Tadas S Jul 10 '14 at 16:23
5

That's like saying that there's no point in having a website because it's vulnerable to DDoS attacks... – jugg1es Jul 12 '14 at 17:58
@jugg1es Nowhere in his comment did he say "there's no point". He simply pointed out the fact that it's a vulnerability that should be considered. – Dan Bechard Dec 08 '14 at 14:39
And the checks can still be removed in the client. No check, no webbased licensing... – azarai Dec 26 '14 at 16:03
@azarai no that's not right. if the check obtains some required information that gets encrypted and written to the system, by-passing the check isn't enough. You'd have to first have a decrypted legitimate license as a baseline and then either somehow figure out how the encryption is being done locally and generate a valid license and then encrypt it using the correct seed or use some kind of clever buffer overflow hack to bypass the activation routines. – jugg1es Dec 27 '14 at 03:37
1

Do you mean actual application code with "required information"? Code that would be necessary to run the app? Otherwise i'd think it will still result in calling isLicensed check methods in ones code. – azarai Dec 27 '14 at 17:47

score 4 · Answer 12 · answered Apr 10 '18 at 20:20

You can use a free third party solution to handle this for you such as Quantum-Key.Net It's free and handles payments via paypal through a web sales page it creates for you, key issuing via email and locks key use to a specific computer to prevent piracy.

Your should also take care to obfuscate/encrypt your code or it can easily be reverse engineered using software such as De4dot and .NetReflector. A good free code obfuscator is ConfuserEx wich is fast and simple to use and more effective than expensive alternatives.

You should run your finished software through De4Dot and .NetReflector to reverse-engineer it and see what a cracker would see if they did the same thing and to make sure you have not left any important code exposed or undisguised.

Your software will still be crackable but for the casual cracker it may well be enough to put them off and these simple steps will also prevent your code being extracted and re-used.

https://quantum-key.net

How to use ConfuserEx?

https://github.com/0xd4d/de4dot

https://www.red-gate.com/dynamic/products/dotnet-development/reflector/download

score 4 · Answer 13 · answered Mar 01 '09 at 13:46

4

The only way to do everything you asked for is to require an internet access and verification with a server. The application needs to sign in to the server with the key, and then you need to store the session details, like the IP address. This will prevent the key from being used on several different machines. This is usually not very popular with the users of the application, and unless this is a very expensive and complicated application it's not worth it.

You could just have a license key for the application, and then check client side if the key is good, but it is easy to distribute this key to other users, and with a decompiler new keys can be generated.

answered Mar 01 '09 at 13:46

Marius

57,995
32
132
151

6

i worked at a company that used an internet based licensing scheme. every time the program started it went online to validate, i think the company spent more $$ on infrastructure and developers for their licensing solution than they would've lost from piracy (they were a niche product). – Jason Mar 01 '09 at 15:05
3

furthemore, the technical support costs were huge. many, MANY times a user would legitmately use another computer to try and run the software but the hash was different which led to massive amounts of tech support. in short, what schooner said - don't punish honest users. – Jason Mar 01 '09 at 15:07
1

It seems your company was a little overzealous by requiring validation on startup every time. – jugg1es May 12 '13 at 01:44
@Jason, Well, they should up the price of the product. – Pacerier Nov 13 '14 at 18:56
2

@Pacerier: Wrong answer. – Lightness Races in Orbit Nov 23 '17 at 18:46
Couldn’t a hacker disable the check as they would for checking a certificate? – Ian Warburton Oct 07 '19 at 22:42

score 3 · Answer 14 · answered Oct 27 '22 at 20:14

I know this is an old question, but I referenced this when I was re-writing my licensing process for one of my applications.

After reading a lot of opinions out there and relying on past experience with license codes I came up with this process.

public static class LicenseGenerator
{
    private static string validChars = "ACEFHJKMNPRSTUVWXYZ234579";
    private static Random rnd = new Random(Guid.NewGuid().GetHashCode());

    /// <summary>
    /// Generate a license code
    /// </summary>
    /// <param name="length">length of each phrase</param>
    /// <param name="number">number of phrases separated by a '-'</param>
    /// <returns></returns>
    public static string GetNewCode(int length, int number)
    {
        string license = string.Empty;

        for (int numberOfPhrases = 0; numberOfPhrases < number; numberOfPhrases++)
        {
            license += getPhrase(length);
            if (numberOfPhrases < number)
                license += "-";
        }

        return license.TrimEnd('-');
    }

    /// <summary>
    /// generate a phrase
    /// </summary>
    /// <param name="length">length of phrase</param>
    /// <returns></returns>
    private static string getPhrase(int length)
    { 
        string phrase = string.Empty;

        for (int loop = 0; loop < length; loop++)
        {
            phrase += validChars[rnd.Next(validChars.Length)];
        }

        return phrase;
    }
}

You really don't want to provide a code that has similar letters; it makes for a mess when the end user goes to enter it in. Letters like 6 and G, B and 8, L, I, and 1. Of course if you do want them, you can always add them back in... The above code will generate a license like xxxx-xxxx-xxxx-xxxx using the characters in "validChars". Calling GetNewCode(4, 4) will return a code like above.

I'm using Azure functions to register then validate the code. When my app registers the code, it generates an encrypted hash with things that are unique to the install, device and/or user. That is provided to the registration function and is stored with the key in the DB in Azure.

The validate regenerates the key and provides it with the license code, IP address (which in my case will not change and if it does then it will need to be updated anyway), and the regenerated hash then the Azure function returns if the application is licensed. I do store a "temporary" key on their server that allows the app to run for a period of time without talking back up.

Of course, my app must be on the net for it to work regardless.

So, the end result is a simple key for the end user to type in and an easy process to manage the license on the backend. I can also invalidate a license if need be.

score -6 · Answer 15 · answered Feb 18 '21 at 19:06

-6

I solved it by interfacing my program with a discord server, where it checks in a specific chat if the product key entered by the user exists and is still valid. In this way to receive a product key the user would be forced to hack discord and it is very difficult.

answered Feb 18 '21 at 19:06

Maxwell

29
1
4

This is a terrible idea, don't do this! Besides using Discord as a glorified database, all it takes is a single server/bot misconfiguration or change to Discord's API to completely break or defeat your validation. Also, given that webhooks can't read messages, this method would likely require embedding your client tokens in the program itself, which are extremely easy to intercept. Sure, you could proxy requests to Discord through something like API Gateway or your own server, but at that point, why not just use an actual database? – Hoppeduppeanut Apr 28 '21 at 06:27
Aside from the completely valid points mentioned by @Hoppeduppeanut A hacker could use something like Fiddler to see the urls that you are requesting on discord then put an entry in the windows hosts file to redirect requests made to discord to their own server or localhost where they've put a copy of the discord page with any product key they want embedded within it. – Damo Mar 20 '23 at 11:03

How to generate and validate a software license key?

15 Answers15

Benefits of a license key server

Considerations

Protecting secret algorithms

Implementation

Linked

Related