Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Ask HN: Software Key Generation - Best Practices?
2 points by dxjones on June 9, 2009 | hide | past | favorite | 3 comments
What are the current "Best Practices" for the following Software Key Generation scenario?

I am a small independent software vendor. When a vendor sells my software to a customers, I want them to visit my web page (PHP/MySQL) to generate a new "Software License Key" that they provide to the customer.

When the customer first starts the application, they enter their Name and Key, and the application "phones home" to validate the key.

I am very interested in recommendations for precisely how to generate they keys, and any common errors or security risks. Obviously, we want to avoid crackers being able to generate fake keys. We also need to prevent crackers getting into the key-generation web site and gaining access to the database, or tricking it into generating new keys (without being an authorized vendor). It would also be nice if there was a way to check (without phoning home) that a key is "probably" valid (such as, it has the right checksum, and is not on a blacklist hard-coded into the latest version).

Any tips and references in this area would be appreciated.



Create a public/private key pair. Have the client encrypt some relevant information such as the MAC address, IP Address, and software serial number, and phone home occasionally for authorization. This takes care of the problem of moving to a new machine or fail-over, but allows you to identify stolen keys or someone putting copies on multiple servers.


1. Get machine fingerprint based on hardware id of the devices. Use your judgment on which one you want to include. 2. Create a one way hash, with a salt. Store it locally. 3. Call home with this key to activate the product. 4. Every once in a while check the finger print again to see if it has changed if it has redirect to the activation page. This would happen only if the hardware changed.

I am assuming that the people won't direct access to this logic in your PHP application. I don't use PHP so don't know if you can pre compile your app.


Thanks for such a clear answer.

I am more of a Mac programmer. ... In a Microsoft/Windows/Intel world, ... what would be one (or a few) specific examples of hardware id that would be available on most PCs??

I don't need a detailed explanation. Just a few quick links to online info sources would be a great help.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: