cencryptionrsa-key-fingerprint

Poor man serial number generation scheme


I would like to get some simple scheme / algorithm for generating serial numbers based on some unique hardware id (cpu id or ethernet mac address or hard disk serial number).

I would like scheme to work only in one direction - so application on client machine can verify serial number but not generate one. (So it would not be simple to crack).

Now most probably most of you will recommend some sort of RSA public / private key pair encryption, which can work reliably enough - client does not have private RSA key, so he cannot "generate" serial number.

But main problem with RSA signature is that it's too big - it's signature size is 128 or 256 bytes depending on RSA key size (RSA signature size?)

Ok, now you will probably say that this kind of protection is not good enough against brute force kind of hacking - where you simply try out all combinations in order to determine correct serial number.

But I would say that typically you need to hire "expensive" hacker or hacker team to create such brute force cracking application.

Also I think it's possible to change serial number generation algorithm for next versions of application, or use multi-round passing to slow down brute force dramatically.

As a base I would prefer to use plain C or C++ (not C#), preferably Windows / wincrypt.h or any existing plain C source code (Preferably not huge 3-rd party libraries).

Is it possible to create RSA public / private key pair so signature size would be 32 characters long ?


Solution

  • You might want to check out ECDSA.

    ECDSA is a public key algorithm like RSA, but with a shorter key and signature size than RSA to provide the same level of effective security. ECDSA is based on a elliptic curve cryptography. Both the integer factorization problem used in RSA and elliptic curve used in ECDSA reduce to discrete logarithm problem, which is believed to be difficult to solve.

    For example, for a security level the same as 1024-bit RSA, which is estimated to have approximately 80-bit of security, you can use a 160-bit ECDSA key, which produces a 320-bit signature. You can base64 encode a 320-bit signature into a 54 characters string or ascii85 encode into a 50 characters string.

    Alternatively, if you want to keep 32-characters with base64 encoding, which can hold at most 192-bit of data, you can use ECDSA with 96-bit key size. The effective strength of 96-bit ECDSA is 48-bit, which is generally not strong enough for proper encryption, but in your case it may still be easier for the attacker to reverse engineer the program to remove your license key checks rather than trying to generate a forged key.