
Secure algorithm for creating license keys?


I would like to distribute an application, but have a license key that they can enter to unlock it. What is a good algorithm to create a concise key that contains information about what version they have purchased, as well as additional things such as duration of license, etc.

I realize this protection can be cracked, but it keeps honest people honest. I may or may not implement online activation, but I am mainly concerned with a good way to generate these keys.

We have all seen this situation; what algorithm works best? Should I ask for a plaintext name of the user and use that to create a unique product key based off of their own information?

Is there a system that can be used to make it near impossible to generate a valid key?

Perhaps a public/private keypair encryption situation where only the manufacturer has the private key and the data can be validated by a public key, but the public key cannot be hijacked to create valid keys.

As this is a product key, it would be great if it were fairly short, 64 characters or maybe 128 max, but the shorter the better, 32 or less would be great.


Solution

  • You didn't say what platform you are on, but here's one in Microsoft .NET:

    Really Simple Licensing Scheme for .NET

    This page documents a very simple licensing scheme that you can use with your .NET application. It is intended to be fairly secure, easy to implement and easy to extend. The sample version allows you to provide license files with a client name embedded in them but you can easily extend it to add other identifying information, machine bindings, expiry dates, etc.

    This scheme makes use of Microsoft's RSA library and XML Signing. Basically you put whatever you want into an XML Document and sign that document. Then you can provide that file to your customer and the application can read the license information out of that file. Since the file is digitally signed the license file can NOT be tampered with unless you release your private key (which you really shouldn't do).
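
The same sign-then-verify idea, shrunk to a key that can be typed in, as an added example that is not part of the original answer or of the linked .NET scheme. It swaps Ed25519 in for RSA and XML signing because a 64-byte signature keeps the key under the 128-character limit asked for in the question. The `License` field layout, the function names and the all-zero demo seed are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// License is the data carried inside the key (hypothetical field layout).
type License struct {
	Edition uint8     // e.g. 1 = standard, 2 = pro
	Expires time.Time // stored as whole seconds since the Unix epoch
}

var enc = base32.StdEncoding.WithPadding(base32.NoPadding)

// Issue runs on the vendor side only: it needs the private key.
func Issue(priv ed25519.PrivateKey, l License) string {
	payload := make([]byte, 5)
	payload[0] = l.Edition
	binary.BigEndian.PutUint32(payload[1:], uint32(l.Expires.Unix()))
	sig := ed25519.Sign(priv, payload)
	return enc.EncodeToString(append(payload, sig...))
}

// Verify runs in the shipped application, which embeds only the public key.
func Verify(pub ed25519.PublicKey, key string, now time.Time) (License, error) {
	raw, err := enc.DecodeString(key)
	if err != nil || len(raw) != 5+ed25519.SignatureSize {
		return License{}, errors.New("malformed key")
	}
	if !ed25519.Verify(pub, raw[:5], raw[5:]) { // payload first, signature after
		return License{}, errors.New("bad signature")
	}
	l := License{Edition: raw[0], Expires: time.Unix(int64(binary.BigEndian.Uint32(raw[1:5])), 0)}
	if now.After(l.Expires) {
		return l, errors.New("license expired")
	}
	return l, nil
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed all-zero seed, demo only
	key := Issue(priv, License{Edition: 2, Expires: time.Unix(1900000000, 0)})
	fmt.Println(len(key), key)
	fmt.Println(Verify(priv.Public().(ed25519.PublicKey), key, time.Unix(1800000000, 0)))
}
```

The resulting key is 111 base32 characters. Extracting the public key from the application does not let anyone issue new keys, although the check itself can still be patched out of the binary.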