Reputation:
.NET cryptography for licence keys?
I want to create a license key, which cryptography algorithm would you recommend?
Basically the inputs would be:
company name
major version number
date created
expirey date
has feature1:
has feature2:
has feature3:
e.g. Acme Inc 5.0 20081102 20081102 0 1 0
Related: Which built-in .NET cryptography algorithm is the most secure?
Upvotes: 15
Views: 6096
Answers (5)
Reputation: 221
I would recommend: Don't spend too much time on securing your keys. With byte compiled languages it is very easy to decompile and just make the application skip the validation step. No matter how secure your keys are, they don't matter when your validation function always return true. Serial keys are there to keep honest people honest.
Upvotes: 11
Reputation: 82136
You need to do 4 things:
No 1: Checksum your application (MD5, with custom md5 context)
- MD5 context needs to be encryptedly initialized
- Compare agains private/public key encrypted checksum
No 2: Checksum your running application's text segment
No 3: Use 4096-Bit RSA Private-Public key encrypting for the license
No 4: Encrypt any crucial strings, like "Wrong key" or "Key ok"
Upvotes: 1
Reputation: 294177
For a license key you are not so much interest in encrypting it, but on signing it. By signing it you can validate that the expiry date and enabled feature list was not tampered with. There is no need to hide (encrypt) the license key, as there is no threat you want to mitigate by hiding the license from the end user.
Cryptographic signatures are done by hashing the license and then encrypting the hash with a private key. Since anyone can decrypt that hash using the corresponding public key, anyone can verify if the license was tampered with.
The basic CryptoAPI function to sign and verify are CryptSignHash and CryptVerifySignature, see Example C Program: Signing a Hash and Verifying the Hash Signature.
The .Net Framework equivalent are the RSAPKCS1SignatureFormatter and RSAPKCS1SignatureDeformatter classes.
Upvotes: 4
Reputation: 1170
If you would like to see an example of Triple DES encryption, you can take a look at my blog post on encrypting data in a database.
The blog post contains a video and the source code.
Although it focuses on encrypting string columns in the database, you can definitely modify it to work with licensing fields.
The source code is written in C# and uses Triple DES algorithms.
Upvotes: 0
Reputation: 49619
If you are doing validation on the customer-side, you want to use asymmetric encryption. That way you do not have to distribute the private key to the customer. I would generate a RSA signature using SHA-256 and a 2048 bit key. If you do that, the cryptographic operations will not be the weak link. A cracker could of course change the code to skip the verification step, but no cryptographic algorithm will help that.
If you are doing validation server-side, I would choose a SHA-256 based HMAC.
Upvotes: 8
Related Questions
- Securing encryption keys in C#
- Encryption libraries?
- File encryption library for .NET
- How to hide a licence key from casual inspection
- LicenseProvider in .NET using RSA encryption to protect product license
- Auto-generated encryption keys in .NET
- An effective method for encrypting a license file?
- Creating license keys containing data
- Implementing a program that generates non-transferable licences
- License Key generation for Windows Application