License keys are the defacto-standard as an anti-piracy measure. To be honest, this strikes me as (in)Security Through Obscurity, although I really have no idea how license keys are generated. What is a good (secure) example of license key generation? What cryptographic primitive (if any) are they using? Is it a message digest? If so, what data would they be hashing? What methods do developers employ to make it difficult for crackers to build their own key generators? How are key generators made?
9 Answers
For old-school CD keys, it was just a matter of making up an algorithm for which CD keys (which could be any string) are easy to generate and easy to verify, but the ratio of valid-CD-keys to invalid-CD-keys is so small that randomly guessing CD keys is unlikely to get you a valid one.
INCORRECT WAY TO DO IT:
Starcraft and Half-life both used the same checksum, where the 13th digit verified the first 12. Thus, you could enter anything for the first 12 digits, and guess the 13th (there's only 10 possibilities), leading to the infamous 1234-56789-1234
The algorithm for verifying is public, and looks something like this:
CORRECT WAY TO DO IT
Windows XP takes quite a bit of information, encrypts it, and puts the letter/number encoding on a sticker. This allowed MS to both verify your key and obtain the product-type (Home, Professional, etc.) at the same time. Additionally, it requires online activation.
The full algorithm is rather complex, but outlined nicely in this (completely legal!) paper, published in Germany.
Of course, no matter what you do, unless you are offering an online service (like World of Warcraft), any type of copy protection is just a stall: unfortunately, if it's any game worth value, someone will break (or at least circumvent) the CD-key algorithm, and all other copyright protections.
REAL CORRECT WAY TO DO IT:
For online-services, life is a bit simpler, since even with the binary file you need to authenticate with their servers to make any use of it (eg. have a WoW account). The CD-key algorithm for World of Warcraft - used, for instance, when buying playtime cards - probably looks something like this:
- Generate a very large cryptographically-secure random number.
- Store it in our database and print it on the card.
Then, when someone enters a playtime-card number, check if it's in the database, and if it is, associate that number with the current user so it can never be used again.
For online services, there is no reason not to use the above scheme; using anything else can lead to problems.
When I originally wrote this answer it was under an assumption that the question was regarding 'offline' validation of licence keys. Most of the other answers address online verification, which is significantly easier to handle (most of the logic can be done server side).
With offline verification the most difficult thing is ensuring that you can generate a huge number of unique licence keys, and still maintain a strong algorithm that isnt easily compromised (such as a simple check digit)
I'm not very well versed in mathematics, but it struck me that one way to do this is to use a mathematical function that plots a graph
The plotted line can have (if you use a fine enough frequency) thousands of unique points, so you can generate keys by picking random points on that graph and encoding the values in some way
Intro to business online textbook. As an example, we'll plot this graph, pick four points and encode into a string as '0,-500;100,-300;200,-100;100,600'
We'll encrypt the string with a known and fixed key (horribly weak, but it serves a purpose), then convert the resulting bytes through Base32 to generate the final key
The application can then reverse this process (base32 to real number, decrypt, decode the points) and then check each of those points is on our secret graph.
Its a fairly small amount of code which would allow for a huge number of unique and valid keys to be generated
It is however very much security by obscurity. Anyone taking the time to disassemble the code would be able to find the graphing function and encryption keys, then mock up a key generator, but its probably quite useful for slowing down casual piracy.
Check tis article on Partial Key Verification which covers the following requirements:
License keys must be easy enough to type in.
We must be able to blacklist (revoke) a license key in the case of chargebacks or purchases with stolen credit cards.
No “phoning home” to test keys. Although this practice is becoming more and more prevalent, I still do not appreciate it as a user, so will not ask my users to put up with it.
It should not be possible for a cracker to disassemble our released application and produce a working “keygen” from it. This means that our application will not fully test a key for verification. Only some of the key is to be tested. Further, each release of the application should test a different portion of the key, so that a phony key based on an earlier release will not work on a later release of our software.
Important: it should not be possible for a legitimate user to accidentally type in an invalid key that will appear to work but fail on a future version due to a typographical error.
I've not got any experience with what people actually do to generate CD keys, but (assuming you're not wanting to go down the road of online activation) here are a few ways one could make a key:
Require that the number be divisible by (say) 17. Trivial to guess, if you have access to many keys, but the majority of potential strings will be invalid. Similar would be requiring that the checksum of the key match a known value.
Require that the first half of the key, when concatenated with a known value, hashes down to the second half of the key. Better, but the program still contains all the information needed to generate keys as well as to validate them.
Generate keys by encrypting (with a private key) a known value + nonce. This can be verified by decrypting using the corresponding public key and verifying the known value. The program now has enough information to verify the key without being able to generate keys.
These are still all open to attack: the program is still there and can be patched to bypass the check. Cleverer might be to encrypt part of the program using the known value from my third method, rather than storing the value in the program. That way you'd have to find a copy of the key before you could decrypt the program, but it's still vulnerable to being copied once decrypted and to having one person take their legit copy and use it to enable everyone else to access the software.
CD-Keys aren't much of a security for any non-networked stuff, so technically they don't need to be securely generated. If you're on .net, you can almost go with Guid.NewGuid().
Their main use nowadays is for the Multiplayer component, where a server can verify the CD Key. For that, it's unimportant how securely it was generated as it boils down to 'Lookup whatever is passed in and check if someone else is already using it'.
That being said, you may want to use an algorhithm to achieve two goals:
- Have a checksum of some sort. That allows your Installer to display 'Key doesn't seem valid' message, solely to detect typos (Adding such a check in the installer actually means that writing a Key Generator is trivial as the hacker has all the code he needs. Not having the check and solely relying on server-side validation disables that check, at the risk of annoying your legal customers who don't understand why the server doesn't accept their CD Key as they aren't aware of the typo)
- Work with a limited subset of characters. Trying to type in a CD Key and guessing 'Is this an 8 or a B? a 1 or an I? a Q or an O or a 0?' - by using a subset of non-ambigous chars/digits you eliminate that confusion.
That being said, you still want a large distribution and some randomness to avoid a pirate simply guessing a valid key (that's valid in your database but still in a box on a store shelf) and screwing over a legitimate customer who happens to buy that box.
If you aren't particularly concerned with the length of the key, a pretty tried and true method is the use of public and private key encryption.
Essentially have some kind of nonce and a fixed signature.
For example:0001-123456789
Where 0001 is your nonce and 123456789 is your fixed signature.
Then encrypt this using your private key to get your CD key which is something like:ABCDEF9876543210
Then distribute the public key with your application. The public key can be used to decrypt the CD key 'ABCDEF9876543210', which you then verify the fixed signature portion of.
This then prevents someone from guessing what the CD key is for the nonce 0002 because they don't have the private key.
The only major down side is that your CD keys will be quite long when using private / public keys 1024-bit in size. You also need to choose a nonce long enough so you aren't encrypting a trivial amount of information.
The up side is that this method will work without 'activation' and you can use things like an email address or licensee name as the nonce.
The key system must have several properties:
- very few keys must be valid
- valid keys must not be derivable even given everything the user has.
- a valid key on one system is not a valid key on another.
- others
One solution that should give you these would be to use a public key signing scheme. Start with a 'system hash' (say grab the macs on any NICs, sorted, and the CPU-ID info, plus some other stuff, concatenate it all together and take an MD5 of the result (you really don't want to be handling personally identifiable information if you don't have to)) append the CD's serial number and refuse to boot unless some registry key (or some datafile) has a valid signature for the blob. The user activates the program by shipping the blob to you and you ship back the signature.
Potential issues include that you are offering to sign practically anything so you need to assume someone will run a chosen plain text and/or chosen ciphertext attacks. That can be mitigated by checking the serial number provided and refusing to handle request from invalid ones as well as refusing to handle more than a given number of queries from a given s/n in an interval (say 2 per year)
I should point out a few things: First, a skilled and determined attacker will be able to bypass any and all security in the parts that they have unrestricted access to (i.e. everything on the CD), the best you can do on that account is make it harder to get illegitimate access than it is to get legitimate access. Second, I'm no expert so there could be serious flaws in this proposed scheme.
There are also DRM behaviors that incorporate multiple steps to the process. One of the most well known examples is one of Adobe's methods for verifying an installation of their Creative Suite. The traditional CD Key method discussed here is used, then Adobe's support line is called. The CD key is given to the Adobe representative and they give back an activation number to be used by the user.
However, despite being broken up into steps, this falls prey to the same methods of cracking used for the normal process. The process used to create an activation key that is checked against the original CD key was quickly discovered, and generators that incorporate both of the keys were made.
However, this method still exists as a way for users with no internet connection to verify the product. Going forward, it's easy to see how these methods would be eliminated as internet access becomes ubiquitous.
All of the CD only copy protection algorithms inconvience honest users while providing no protection against piracy whatsoever.
The 'pirate' only need to have access to one legitimate cd and its access code, he can then make n copies and distribute them.
It does not matter how cryptographically secure you make the code, you need to supply this with the CD in plain text or an legitimate user cannot activite the software.
Most secure schemes involve either the user providing the software supplier with some details of the machine which will run the software (cpu serial numbers, mac addresses, Ip address etc.), or, require online access to register the software on the suppliers website and in return receive an activitation token. The first option requires a lot of manual administration and is only worth it for very high value software, the, second option can be spoofed and is absolutly infuriating if you have limited network access or you are stuck behind a firewall.
On the whole its much easier to establish a trust relationship with your customers!
protected by Community♦Aug 15 '14 at 19:13
Thank you for your interest in this question. Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).
Would you like to answer one of these unanswered questions instead?
Not the answer you're looking for? Browse other questions tagged securitycryptographylicense-key or ask your own question.
You may need a serial number and product key to activate someAutodesk software.
Note: If you are on subscription, you may no longer need toenter a serial number or product key; you just need to signin. Serial numbers are never required for launching productswith network licenses.
Serial Number Locations
Serial numbers are unique codes associated with your AutodeskAccount and a particular product that you have purchased or isotherwise available to you. For 2014 versions and later, you canfind them in Autodesk Account, on the Management tab. Depending onyour license type, you may not need a serial number to launch yourproduct.
![Number Number](https://img07.rl0.ru/ffaff0f9e7917b39776e3d216b15dbfd/c847x480/s2.dmcdn.net/DBK80.jpg)
Autodesk Account
The Management tab of your Autodesk Account page stores theserial numbers and product keys for each licensed product.
Note about serial number visibility in AutodeskAccount: Only account administrators, such as ContractManagers and Software Coordinators, and Named Users with assignedsoftware benefits will see serial numbers in Autodesk Account.You are the account administrator if you purchased a softwaresubscription using your Autodesk Account or were assigned the roleof Contract Manager or Software Coordinator by your company. If youdo not see the software you wish to activate in your Autodeskaccount or see the message 'Contact your admin for serial numbers,'you need to contact the account administrator. Only anadministrator can assign you as a Named User or End User and giveyou permissions to download and activate the software.
Education Community
When students, educators, and educational institutions downloadproducts from the Education Community,the product serial numbers are found in the followinglocations:
- Displayed at the time of download
- Sent by email
- On the Management tab in Autodesk Account
See:FindSerial Numbers & Product Keys for Educational Licenses
Physical Media
Serial Numbers do not appear on software packaging forAutodesk software versions 2014 and newer. Serial numbers for theseversions are emailed to you after you place an order or can befound in AutodeskAccount.
If you have physical media (a DVD or USB key) for a 2013or earlier product, your serial number and productkey will be printed on the label of the productpackaging.
Example of label from 2011 version. Format is similar for 2010- 2013 product releases.
Product Key Locations
Product keys are codes that identify each productversion.
You can find product keys for recent versions of your productin Autodesk Account, on the Management tab.
To look up a product key for a particular product version (2010and later), you can also go to: Look UpProduct Keys.
Older product keys
If you can't find the product key for older versions ofAutodesk software (2013 and later), you may be able to findit in a text file in the installation folder.
To determine if your product key is available inyour installation folder:
- Using your installation media, (USB key, DVD, download folder,etc.) navigate to the folder that contains the setup.exefile for your Autodesk product.
- In that folder, look for a file named MID.txt,MID01.txt, MID02.txt or some variation on thatname.
- Open this file in Notepad and verify that the product name iscorrect.
- The first five characters of the part number should also be theproduct key for that product.
Example:
MID:Autodesk_Design_Suite_Ultimate_2012_64bit_SWL_ENU_C009_EXE1
Product Name: Autodesk Design Suite Ultimate 2012
Platform: Windows XP/Vista/Win7
Media: ESD
Part Number: 769D1-05Y001-P503E,769D1-05Y001-P504E
See Also:
A key generator, often shortened to 'keygen,' is a program that creates unique, working product keys for software programs and operating systems.
Most software programs require a product key or some other kind of installation code before you can use the program, so having a tool that actually creates them would no doubt save you lots of money, especially if you've already paid for the program but lost the installation code.
Keygens go by many names, including 'product key generators,' 'CD key creators,' 'license key generators,' etc. No matter the name, all key generators create free, unique product keys for various software programs, video games, etc.
Unfortunately, like with most free things, there's a catch.
Is a Key Generator (Keygen) a Good Way to Get a CD Key?
The short answer: absolutely not. A keygen is not a good way to get create that installation key you need for your software or operating system.
A key generator may create a product key that your software will accept, but it will not find your product key.
Product keys created by key generators are not legal installation keys. The only legal way to obtain a product key is by purchasing the software yourself or by contacting the software maker directly to obtain a key.
No matter which key generator you might use, or where you download it from, using a product key other than the unique one that comes with an individual, legally purchased copy of a software title is illegal. Using a product key not issued by the software developer is certainly a violation of the agreement you make when you use the software.
Requiring a valid, unique product key is a software company's way of ensuring that each copy of their program is used only once and that each customer is paying for each copy used.
How Does a Key Generator Work?
The key generators you find online work similarly to the back-end tools that software makers use to generate legitimate product keys via a proprietary algorithm.
What a keygen creator has done to make a program that duplicates this proprietary software is either a) steal this software from the company, or b) reverse engineer the algorithm using a collection of valid product keys that he or she has obtained, probably illegally.
Sometimes, depending on the complexity of the program, the keygen comes packaged with one or more DLL or EXE files with the intention that they're written over the legitimate, original files so that the keygen will work properly.
Regardless of how, the end result is the same — key generators are not a legal, or ethical (in my opinion), a way of obtaining a key code to use for installing a piece of software.
What's a Quick Way to Find a Lost Product Key?
If you have a legal copy of a program that you've already entered a valid CD key into, but you've just lost the key, try a free product key finder program to locate the product key from your currently installed copy of the program.
This is a perfectly legal method of obtaining a product key because it's the same one you purchased when you first installed the program.
Download latest Metro Exodus product cd key generator and generate your own free activation cd key. Redeem your generated product code and play this game online today!! Our team share to you the fresh and updated keygen. We decide to create this key generator to enable fellow gamers to grab a free CD key and play this video game for free of cost.
How is that possible?
There are a lot of CD key online stores now, and every single month, new stores are starting. Almost every time a store opens up, you can expect some giveaways from them to get more customers and fans. Thanks to our site and our team, you can get totally free cd key easily without having to look for hours where the contest is and what the terms are..
Read moreI'm currently involved in developing a product (developed in C#) that'll be available for downloading and installing for free but in a very limited version. To get access to all the features the user has to pay a license fee and receive a key. That key will then be entered into the application to 'unlock' the full version.
As using a license key like that is kind of usual I'm wondering :
- How's that usually solved?
- How can I generate the key and how can it be validated by the application?
- How can I also avoid having a key getting published on the Internet and used by others that haven't payed the license (a key that basically isn't 'theirs').
I guess I should also tie the key to the version of application somehow so it'll be possible to charge for new keys in feature versions.
Anything else I should think about in this scenario?
15 Answers
Caveat: you can't prevent users from pirating, but only make it easier for honest users to do the right thing.
Assuming you don't want to do a special build for each user, then:
- Generate yourself a secret key for the product
- Take the user's name
- Concatentate the users name and the secret key and hash with (for example) SHA1
- Unpack the SHA1 hash as an alphanumeric string. This is the individual user's 'Product Key'
- Within the program, do the same hash, and compare with the product key. If equal, OK.
But, I repeat: this won't prevent piracy
I have recently read that this approach is not cryptographically very sound. But this solution is already weak (as the software itself has to include the secret key somewhere), so I don't think this discovery invalidates the solution as far as it goes.
![Online Online](https://www.52z.com/upload/201301/28/1359339103.jpg)
Just thought I really ought to mention this, though; if you're planning to derive something else from this, beware.
There are many ways to generate license keys, but very few of those ways are truly secure. And it's a pity, because for companies, license keys have almost the same value as real cash.
Ideally, you would want your license keys to have the following properties:
Only your company should be able to generate license keys for your products, even if someone completely reverse engineers your products (which WILL happen, I speak from experience). Obfuscating the algorithm or hiding an encryption key within your software is really out of the question if you are serious about controlling licensing. If your product is successful, someone will make a key generator in a matter of days from release.
A license key should be useable on only one computer (or at least you should be able to control this very tightly)
Pro Evolution Soccer 2018 (abbreviated as PES 2018) is a sports video game developed by PES Productions and published by Konami for Microsoft Windows, PlayStation 3. Pro Evolution Soccer 2018 Download gives you full access to the game released by Konami in this year. On September, 14 th, we’ve received one of the best instalments of PES in the history. It introduced us to series of changes in terms of both gameplay mechanics as well as visual changes. Download pes 2018 setup for pc. Pro Evolution Soccer 2018 Full PC Game Download Just like in the real competition, FIFA World Cup matches and Pro Evolution Soccer 2018 are the decisive match for the virtual cup of the football matches every year. Download Pro Evolution Soccer 2018 for FREE on PC – Released on September 13, 2017, Pro Evolution Soccer/PES 2018 is the newest and greatest launch of the PES series. Learn how to download and install Pro Evolution Soccer 2018 for free in this article and be sure to share this site with your friends. For the first time in years Pro Evolution Soccer 2018 is not a disappointment on PC, rather it becomes the best available version bar none. Downloading and Installing. Download and install uTorrent and Daemon Tools as we are going to use them.
A license key should be short and easy to type or dictate over the phone. You don't want every customer calling the technical support because they don't understand if the key contains a 'l' or a '1'. Your support department would thank you for this, and you will have lower costs in this area.
So how do you solve these challenges ?
The answer is simple but technically challenging: digital signatures using public key cryptography. Your license keys should be in fact signed 'documents', containing some useful data, signed with your company's private key. The signatures should be part of the license key. The product should validate the license keys with the corresponding public key. This way, even if someone has full access to your product's logic, they cannot generate license keys because they don't have the private key. A license key would look like this: BASE32(CONCAT(DATA, PRIVATE_KEY_ENCRYPTED(HASH(DATA))))The biggest challenge here is that the classical public key algorithms have large signature sizes. RSA512 has an 1024-bit signature. You don't want your license keys to have hundreds of characters.One of the most powerful approaches is to use elliptic curve cryptography (with careful implementations to avoid the existing patents). ECC keys are like 6 times shorter than RSA keys, for the same strength. You can further reduce the signature sizes using algorithms like the Schnorr digital signature algorithm (patent expired in 2008 - good :) )
This is achievable by product activation (Windows is a good example). Basically, for a customer with a valid license key, you need to generate some 'activation data' which is a signed message embedding the computer's hardware id as the signed data. This is usually done over the internet, but only ONCE: the product sends the license key and the computer hardware id to an activation server, and the activation server sends back the signed message (which can also be made short and easy to dictate over the phone). From that moment on, the product does not check the license key at startup, but the activation data, which needs the computer to be the same in order to validate (otherwise, the DATA would be different and the digital signature would not validate). Note that the activation data checking do not require verification over the Internet: it is sufficient to verify the digital signature of the activation data with the public key already embedded in the product.
Well, just eliminate redundant characters like '1', 'l', '0', 'o' from your keys. Split the license key string into groups of characters.
Simple answer - No matter what scheme you use it can be cracked.
Don't punish honest customers with a system meant to prevent hackers, as hackers will crack it regardless.
A simple hashed code tied to their email or similar is probably good enough. Hardware based IDs always become an issue when people need to reinstall or update hardware.
Good thread on the issue:http://discuss.joelonsoftware.com/default.asp?biz.5.82298.34
When generating the key, don't forget to concatenate the version and build number to the string you calculate the hash on. That way there won't be a single key that unlocks all everything you ever released.
After you find some keys or patches floating in astalavista.box.sk you'll know that you succeeded in making something popular enough that somebody bothered to crack. Rejoice!
Besides what has already been stated..
Any use of .NET applications are inherently breakable because of the intermediate language issues. A simple disassembly of the .NET code will open your product to anyone. They can easily bypass your licensing code at that point.
You can't even use hardware values to create a key anymore. Virtual machines now allow someone to create an image of a 'licensed' machine and run it on any platform they choose.
If it's expensive software there are other solutions. If it's not, just make it difficult enough for the casual hacker. And accept the fact that there will be unlicensed copies out there eventually.
If your product is complicated, the inherent support issues will be create some protection for you.
The C# / .NET engine we use for licence key generation is now maintained as open source:
https://github.com/appsoftware/.NET-Licence-Key-Generator.
It's based on a 'Partial Key Verification' system which means only a subset of the key that you use to generate the key has to be compiled into your distributable. You create the keys your self, so the licence implementation is unique to your software.
As stated above, if your code can be decompiled, it's relatively easy to circumvent most licencing systems.
I've used Crypkey in the past. It's one of many available.
You can only protect software up to a point with any licensing scheme.
I don't know how elaborate you want to get
but i believe that .net can access the hard drive serial number.
you could have the program send you that and something eles ( like user name and mac address of the nic)
you compute a code based off that and email them back the key.
they will keep them from switching machines after they have the key.
The only way to do everything you asked for is to require an internet access and verification with a server. The application needs to sign in to the server with the key, and then you need to store the session details, like the IP address. This will prevent the key from being used on several different machines. This is usually not very popular with the users of the application, and unless this is a very expensive and complicated application it's not worth it.
Serial Number Key Generator Online
You could just have a license key for the application, and then check client side if the key is good, but it is easy to distribute this key to other users, and with a decompiler new keys can be generated.
I've implemented internet-based one-time activation on my company's software (C# .net) that requires a license key that refers to a license stored in the server's database. The software hits the server with the key and is given license information that is then encrypted locally using an RSA key generated from some variables (a combination of CPUID and other stuff that won't change often) on the client computer and then stores it in the registry.
It requires some server-side coding, but it has worked really well for us and I was able to use the same system when we expanded to browser-based software. It also gives your sales people great info about who, where and when the software is being used. Any licensing system that is only handled locally is fully vulnerable to exploitation, especially with reflection in .NET. But, like everyone else has said, no system is wholly secure.
In my opinion, if you aren't using web-based licensing, there's no real point to protecting the software at all. With the headache that DRM can cause, it's not fair to the users who have actually paid for it to suffer.
I'm one of the developers behind the Cryptolens software licensing platform and have been working on licensing systems since the age of 14. In this answer, I have included some tips based on experience acquired over the years.
The best way of solving this is by setting up a license key server that each instance of the application will call in order to verify a license key.
Benefits of a license key server
The advantages with a license key server is that:
- you can always update or block a license key with immediate effect.
- each license key can be locked to certain number of machines (this helps to prevent users from publishing the license key online for others to use).
Considerations
Although verifying licenses online gives you more control over each instance of the application, internet connection is not always present (especially if you target larger enterprises), so we need another way of performing the license key verification.
The solution is to always sign the license key response from the server using a public-key cryptosystem such as RSA or ECC (possibly better if you plan to run on embedded systems). Your application should only have the public key to verify the license key response.
So in case there's no internet connection, you can use the previous license key response instead. Make sure to store both the date and the machine identifier in the response and check that it's not too old (eg. you allow users to be offline at most 30 days, etc) and that the license key response belongs to the correct device.
Note you should always check the certificate of license key response, even if you are connected to the internet), in order to ensure that it has not been changed since it left the server (this still has to be done even if your API to the license key server uses https)
Protecting secret algorithms
Most .NET applications can be reverse engineered quite easily (there is both a diassembler provided by Microsoft to get the IL code and some commercial products can even retrieve the source code in eg. C#). Of course, you can always obfuscate the code, but it's never 100% secure.
I most cases, the purpose of any software licensing solution is to help honest people being honest (i.e. that honest users who are willing to pay don't forget to pay after a trial expires, etc).
However, you may still have some code that you by no means want to leak out to the public (eg. an algorithm to predict stock prices, etc). In this case, the only way to go is to create an API endpoint that your application will call each time the method should be executed. It requires internet connection but it ensures that your secret code is never executed by the client machine.
Implementation
If you don't want to implement everything yourself, I would recommend to take a look at this tutorial (part of Cryptolens)
I strongly believe, that only public key cryptography based licensing system is the right approach here, because you don't have to include essential information required for license generation into your sourcecode.
In the past, I've used Treek's Licensing Library many times, because it fullfills this requirements and offers really good price. It uses the same license protection for end users and itself and noone cracked that until now. You can also find good tips on the website to avoid piracy and cracking.
Like a few others mentioned, I'm a huge opponent of being hostile to customers by default—something that the licensing industry is notorious for. So I'll expand on a good solution for your problem that also offers a good customer UX.
To start off, you mentioned that you have a 'limited' version of your software that you're using to try and convert customers to 'upgrade' for additional features. So what you're looking for are feature licenses for your product e.g. a customer can purchase a license for feature-X or feature-Y.
I built Keygen with this type of licensing in mind. Keygen is a licensing REST API that allows you to manage user accounts, licenses and also track machine usage/associations.
What I would do is set up 2 license types (a policy within Keygen) where one is a base policy for the limited free version, and the other is a policy for the paid version.
I'm not sure what you're using for payments, but let's assume you're using something like Stripe (pretty standard nowadays) that offers webhooks. Keygen also has webhooks (whether you use it or not, all this is still applicable). You can integrate Keygen to talk with your payment provider using webhooks from both sides (think: customer.created
->create base license for customer, license.created
->charge customer for the new license).
![Free Free](https://dl1.cbsistatic.com/i/2017/12/10/95c6d717-9358-4305-9d3f-68e2aa57bcee/3c3195e44dfbd09aca03a0dbaebfc8a5/2667be7af2660a0e791379a9787317f7c7001game-product-key-finder.jpg)
So by utilizing webhooks, we can automate license creation for new customers. So what about license validation within the application itself? This can be done in a variety of ways, but the most popular way is by requiring your customer to enter a long license key into an input field which you can then validate; I think this is a terrible way to handle license validation in your application.
Why do I think that? Well first off, you're requiring your customer to input a tediously long license key that is meant for machine consumption, and second your requiring you and your customer to keep track of said tediously long license key.
Okay, so what's an alternative? I think the best alternative is doing something all of your customers are used to: allowing them to create an account for your product using an email/password. You can then associate all of their licenses and their machines with that account. So now instead of inputting a license key, they can simply log in using their credentials.
What advantage does that give you? Firstly, it gets rid of the need for you and your customers to keep track of license keys, since it's all handled behind-the-scenes inside of their user account and most importantly: you can now offer your customers self-serve license and machine activation! i.e. since all of their licenses and machines are associated with their user account, you can prompt them to purchase a license when they fire up your application on an unrecognized machine.
Now onto license validation: whenever your customer logs into your application with their email/password, you can query their user account for the licenses they own to determine if they can use feature-X or feature-Y. And since your application is now self-serve, you can allow your customers to purchase additional features directly from within your application!
So we've introduced a ton of automation to our licensing system, we can license individual features (i.e. a limited vs. full version), we've offered an awesome UX for our customers and we've also alleviated one of the biggest reasons for support requests: license key recovery.
Anyways, this got long but hopefully it helps somebody!
It is not possible to prevent software piracy completely. You can prevent casual piracy and that's what all licensing solutions out their do.
Node (machine) locked licensing is best if you want to prevent reuse of license keys. I have been using Cryptlex for about a year now for my software. It has a free plan also, so if you don't expect too many customers you can use it for free.
You can use a free third party solution to handle this for you such as Quantum-Key.Net It's free and handles payments via paypal through a web sales page it creates for you, key issuing via email and locks key use to a specific computer to prevent piracy.
Your should also take care to obfuscate/encrypt your code or it can easily be reverse engineered using software such as De4dot and .NetReflector. A good free code obfuscator is ConfuserEx wich is fast and simple to use and more effective than expensive alternatives.
You should run your finished software through De4Dot and .NetReflector to reverse-engineer it and see what a cracker would see if they did the same thing and to make sure you have not left any important code exposed or undisguised.
Your software will still be crackable but for the casual cracker it may well be enough to put them off and these simple steps will also prevent your code being extracted and re-used.
protected by Community♦May 5 '13 at 13:48
Thank you for your interest in this question. Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).
Would you like to answer one of these unanswered questions instead?