The serial number (registration key) algorithm in .NET.

There have been several related questions about IP protection and so on, but I can't find one that addresses the algorithm itself. In one of my current projects, we decided to go the route of a stand-alone key registration system.

I assume that most of our potential user base will be honest, so I don't think we need to worry too much. On the other hand, I'd rather not have it fall to some random hack without a lot of sweat and tears.

So, what are some options for creating (and checking) a key? A hardware dongle is most likely out, because the deployment model requires running from a Samba share on the intranet server. Also, how long should the key be?

Secondly, how great is the danger that the verification algorithm will simply be reflected (decompiled), even if it is obfuscated? Would it be better to write the algorithm in unmanaged code instead?

+6
security algorithm software-distribution licensing
5 answers

In my opinion, the key problem you will run into is not your registration algorithm or the level (or absence) of obfuscation.

Rather, it is this: at some point in your code, it all comes down to a simple binary decision - run or exit. To crack your system, someone only needs to find and patch that decision point.

Everything else - obfuscation, strong naming, tamper detection - is aimed at making that harder, but it cannot make it very much harder.

+10

Usually you choose some data that you want to include in the key, for example who owns it and when it expires, perhaps even some small pieces of code that your application needs in order to work properly (which makes it harder to get it working without a key). Then use a digital signature scheme such as RSA to sign the key with your company's private key. Distribute the public key with the application executable. Then, when you load the key, just check that the signature is valid and use the data contained in the key. Use a key length of 1024 or 2048 bits for this.

Of course, no matter how complicated your code is, someone can always break it or get around it. So the question you have to ask yourself is how hard do you want to make it (bearing in mind that more complex schemes are harder for you to code and maintain)? There is a point of diminishing returns, and it is usually quite low. As long as the program won't run without a key, and the key is complex enough that you cannot fake one (or change the expiry date, etc.) with a hex editor, you are probably fine.

+2
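The scheme described in this answer, written out as an added example in C# (not code from the answer or from any product). It signs a payload of owner and expiry date with the vendor's RSA private key, ships only the public half with the application, and shows that editing the expiry date in the key invalidates the signature. The `owner|yyyy-MM-dd` payload layout and the `payload.signature` key format are assumptions; the APIs used (`RSA.Create(int)`, `SignData`, `VerifyData`) require .NET Framework 4.7.2 or .NET Core 2.0 and later.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example: a license key carrying owner + expiry, protected by an RSA signature.
// Key format (assumption): base64(payload) + "." + base64(signature)
public static class LicenseKeys
{
    // Only the vendor runs this: it needs the private key.
    public static string Create(RSA vendorPrivateKey, string owner, DateTime expiresUtc)
    {
        string payload = owner + "|" + expiresUtc.ToString("yyyy-MM-dd", CultureInfo.InvariantCulture);
        byte[] data = Encoding.UTF8.GetBytes(payload);
        byte[] sig = vendorPrivateKey.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return Convert.ToBase64String(data) + "." + Convert.ToBase64String(sig);
    }

    // Runs inside the application with the public key only. Returns true, and fills in
    // the license fields, only if the signature verifies and the key has not expired.
    public static bool TryValidate(RSA vendorPublicKey, string key, DateTime nowUtc,
                                   out string owner, out DateTime expiresUtc)
    {
        owner = "";
        expiresUtc = default(DateTime);

        string[] parts = key.Split('.');
        if (parts.Length != 2) return false;

        byte[] data, sig;
        try
        {
            data = Convert.FromBase64String(parts[0]);
            sig = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { return false; }

        // Any change to the payload bytes (e.g. the expiry date) makes this fail.
        if (!vendorPublicKey.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            return false;

        string[] fields = Encoding.UTF8.GetString(data).Split('|');
        if (fields.Length != 2) return false;
        if (!DateTime.TryParseExact(fields[1], "yyyy-MM-dd", CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out expiresUtc))
            return false;

        owner = fields[0];
        return nowUtc.Date <= expiresUtc.Date;
    }

    public static void Main()
    {
        using (RSA vendor = RSA.Create(2048))          // vendor's key pair (private half stays with the vendor)
        using (RSA verifier = RSA.Create())
        {
            // Public parameters only: this is what the executable ships with.
            verifier.ImportParameters(vendor.ExportParameters(false));

            string key = LicenseKeys.Create(vendor, "Example Customer", new DateTime(2030, 1, 1));
            string owner; DateTime expires;
            Console.WriteLine(LicenseKeys.TryValidate(verifier, key, DateTime.UtcNow, out owner, out expires)); // True

            // Simulate a hex-editor edit of the expiry date: payload changed, old signature kept.
            string forgedPayload = Convert.ToBase64String(Encoding.UTF8.GetBytes("Example Customer|2099-01-01"));
            string tampered = forgedPayload + "." + key.Split('.')[1];
            Console.WriteLine(LicenseKeys.TryValidate(verifier, tampered, DateTime.UtcNow, out owner, out expires)); // False
        }
    }
}
```

The check itself is still the single "run or exit" decision the first answer warns about; what the signature buys you is that the key file cannot be forged or extended without the private key, so an attacker has to patch the binary rather than edit the key.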

As for reflecting the key check, writing it in unmanaged code may not help if they simply kill the call site from managed to unmanaged. One option you have when obfuscating, if you use Dotfuscator Professional, is to enable its tamper detection: in effect they watermark your assembly, and if someone changes your code you can take various actions. Of course, a hacker can remove this too, but it's a lot more sweat and tears.

+1

I have found only one way to lock code down really well. Almost every kind of serial check can easily be cracked by your average second-year programmer.

The way I did it is to use the License object in .NET. In my own licensed object, it reads the "license" file to find out where "home" is. This license is an encrypted string. The private key for the string is in the License object.

The License object then calls home with a secret password, also encrypted. The server decrypts the password and verifies it ... and also logs the IP and user name in case of a fraud investigation. If the server can verify the password, it responds with a secret reply, again encrypted so it cannot be tampered with. If it cannot be verified, the connection is dropped. No response is sent, so the License object on the other end fails.

When an embedded License object fails, it automatically throws an exception, causing the application to fail and exit at the point where the license is called.

It took me about two business days to write the server and the License object, so it's a bit of a learning curve, but not rocket science.

If you need some sample source or more information, let me know. I'll be glad to help however I can.

+1
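The client/server exchange this answer describes, simulated in a single process as an added example (this is not the answerer's code; the class names, message layout and audit-log format are all assumptions). Instead of a fixed encrypted password, the server issues a random nonce and the client proves possession of the shared secret with an HMAC over it, so a captured exchange cannot be replayed; the server logs every attempt with IP and user, answers a bad proof with no reply (returned as `null` here, standing in for the dropped connection), and keys its positive reply so the client can tell a genuine server from a stub. `RandomNumberGenerator.Fill` and `CryptographicOperations.FixedTimeEquals` require .NET Core 2.1 / .NET 5 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: nonce challenge-response between a License object and a license server.
public static class LicenseCrypto
{
    public static byte[] Mac(byte[] key, string message)
    {
        using (var h = new HMACSHA256(key)) return h.ComputeHash(Encoding.UTF8.GetBytes(message));
    }
}

public class LicenseServer
{
    // Per-user shared secret (assumption: held encrypted in the client's license file
    // and in the server's database, as the answer describes).
    private readonly Dictionary<string, byte[]> secrets;
    private readonly HashSet<string> outstanding = new HashSet<string>(); // issued, unanswered nonces
    public List<string> AuditLog { get; } = new List<string>();

    public LicenseServer(Dictionary<string, byte[]> secrets) { this.secrets = secrets; }

    // Step 1: server hands out a fresh random nonce.
    public string Challenge()
    {
        byte[] nonce = new byte[16];
        RandomNumberGenerator.Fill(nonce);
        string n = Convert.ToBase64String(nonce);
        outstanding.Add(n);
        return n;
    }

    // Step 2: server checks HMAC(secret, "proof:" + nonce). Every attempt is logged with
    // IP and user. Returns null on failure: the client gets no reply at all.
    public string Verify(string ip, string user, string nonce, byte[] proof)
    {
        byte[] secret;
        if (!outstanding.Remove(nonce) || !secrets.TryGetValue(user, out secret))
        {
            AuditLog.Add("DENY ip=" + ip + " user=" + user + " reason=unknown-user-or-nonce");
            return null;
        }
        byte[] expected = LicenseCrypto.Mac(secret, "proof:" + nonce);
        if (!CryptographicOperations.FixedTimeEquals(expected, proof))
        {
            AuditLog.Add("DENY ip=" + ip + " user=" + user + " reason=bad-proof");
            return null;
        }
        AuditLog.Add("ALLOW ip=" + ip + " user=" + user);
        // Step 3: the positive reply is keyed too, bound to the same nonce.
        return Convert.ToBase64String(LicenseCrypto.Mac(secret, "ok:" + nonce));
    }
}

public class LicenseClient
{
    private readonly string user;
    private readonly byte[] secret;
    public LicenseClient(string user, byte[] secret) { this.user = user; this.secret = secret; }

    // Throws, like the answer's License object, when the server does not confirm.
    public void Validate(LicenseServer server, string myIp)
    {
        string nonce = server.Challenge();
        string reply = server.Verify(myIp, user, nonce, LicenseCrypto.Mac(secret, "proof:" + nonce));
        byte[] expectedReply = LicenseCrypto.Mac(secret, "ok:" + nonce);
        if (reply == null || !CryptographicOperations.FixedTimeEquals(Convert.FromBase64String(reply), expectedReply))
            throw new UnauthorizedAccessException("license could not be verified");
    }
}

public static class Demo
{
    public static void Main()
    {
        byte[] secret = new byte[32];
        RandomNumberGenerator.Fill(secret);
        var server = new LicenseServer(new Dictionary<string, byte[]> { { "alice", secret } });

        new LicenseClient("alice", secret).Validate(server, "10.0.0.5");   // constructed IP; passes

        try { new LicenseClient("alice", new byte[32]).Validate(server, "10.0.0.9"); } // wrong secret
        catch (UnauthorizedAccessException) { Console.WriteLine("rejected"); }

        foreach (string line in server.AuditLog) Console.WriteLine(line);
    }
}
```

Two caveats a practitioner would add: the shared secret lives inside the client, so it can be extracted from the assembly, and the `throw` is still the single decision point described in the first answer; what the server round-trip adds is the audit trail and the ability to revoke a user without shipping a new build.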

You can see the answers to this question.

0
