Encryption Algorithms that can be decoded in the program C#

Question

I'm looking to create myself a licensing system and I am looking at different encryption algorithms to create a key.

My first step is to base64_encode 3 different strings so for example:

Name-Expiry-NumberPcs turns to -> TmFtZS1FeHBpcnktTnVtYmVyUGNz

But then I would want to encrypt that to something else, but it must all be decoded within the program to be able to provide information.

Another thing that needs to be considered is that I will be using PHP to encode the keys to provide to customers from an online system where they can enter the key into the C# program.

Any thoughts?

Answer 1

You don't want a hash, since by hashes are one way. You want some kind of encryption. And unless you use asymmetric crypto your encryption will effectively be only an obfuscation since you put the key in a location where the user can access it.

In your case you could first UTF8 encode the string to get an array of bytes. Then encrypt that array with AES which gives you another byte array. And finally encode that encrypted data using Base64 to get a human readable string.

But since you need to embed the key into the client any moderately competent cracker will be able to write a keygen for your program.

You could use asymmetric crypto to avoid the embedded key problem. But that leads to really long license keys. It prevents keygens, but not cracks.

I recommend using third party software for your licensing stuff. Or perhaps just leave it out entirely since it will get cracked unless your software is so uninteresting that nobody bothers.

Answer 2

Hashing is an one-way operation: you cannot decode the hashed value.

What you probably want to do here is verify the hash: create a brand new hash when your program runs on the client's system using "live" parameter values, and verify that the generated hash is equal to the one you have given to the client as a key.

This means that you wouldn't be able to include in the hash any information you cannot reliably discover when your program is running on the client. Unfortunately, "expiry date" and "number of pcs" fall into this category.

If you need to verify such information, then hashing is unsuitable and you will need to encrypt instead. Encryption comes in two flavors: symmetric and assymetric.

Symmetric encryption means that the secret key has to be known to your application so that it can decrypt the validation code, which in turn means that anyone with moderate working knowledge of how such things work will be able to crack it and generate any validation code they want.

In asymmetric encryption you have a private key (with which to encrypt) and a public key with which to decrypt. There is no problem if you make this public key available to everyone, so with this approach one cannot make a keygen for your program.

Of course this doesn't mean that your app will be safe from cracking, as it's really quite easy to modify the code of a managed application to skip the code validation entirely.

The question you have asked is really a can of worms, and there is no definitive answer to it. You might want to take a look at this question: https://stackoverflow.com/questions/5132943/licensing-system-for-net and follow the dozens of links to similar questions here on SO.

Answer 3

I've done SHA256 in C# (see System.Security.Cryptography). However, I don't believe a hash is supposed to be decodable. The intent is to hash something sensitive (like a password) and then apply that same hash routine to another value and compare the two hashes.

You appear to be looking for an encryption algorithm (AES for example). This is also available in System.Security.Cryptography as are a number of other algorithms.

Answer 4

Out of the box, .NET provides a hefty library of security algorithms that conform to standard cryptography. Check out the documentation on System.Security.Cryptography and choose the algorithm that best suits you.

The Convert class has static methods to convert strings to and from Base64, so there again, you have no problems in .NET as far as you're concerned.

I think you're covered pretty good. Just be sure that you choose something that you're comfortable with. And understand that when you choose a hashing algorithm, you're not going to be able to "unhash" the output, only compare.

Answer 5

A "hash", as per definition, cannot be decoded, althought some brute force hacking is possible.

If you need to decode your code, you must use a 2 way algorithm (such as AES or DES).

If you don't really to decode, but just check if your stored hash matches the user input, then you must encode the user input using the same algorithm that was used for the stored hash and check if they match (this is the common approach used for passwords)