MD5 hash

[barryna]

Just wondering if the MD5 hash could be used in some way to produce a software key. I want to produce a software enablement key for my program, and since the MD5 is an ok one-way hash function, no one could try to take the software key and translate out what produced it, therefore making it difficult to produce a key for a given computer. The thing I want to know is:

1. If I am heading in the right direction.
2. How do I use MD5 in vb.
3. What would prevent a software hacker from guessing your input (which would be the way to do it), and reproduce the hash, cause then you are screwed.
4. Any other thoughts on this whole subject

Nick

 

[barryna]

ok, I now figured out how to create my MD5 hash in vb. But I still don't know if I am heading in the right direction. Is using the hd serial number along with an install date and maybe other info stored in my database and registry at time of installation put together and used in creating my hash be a good software key or not? I am heading in the right direction, or is there something better I could do?

Nick

 

[chiph]

It's certainly secure!

But... how do you expect it to be used? The scenarios I can foresee are:

1. Normal install - user types it in and runs your app.

2. User loses serial number, and calls you asking for help.

3. Serial number gets out and is shared on a cracker site.

4. User shares his disk with a friend (or two or three!)

I think a lot of these can be solved by having a three-part key - something that you ship with the product (sticker on the box?), something unique to each copy of the software (makes things tough for your duplicator), plus something that you email or give them over the phone.

Chip H.


If you want to get the best response to a question, please check out FAQ222-2244 first

 

[vb5prgrmr]

Other problems that I can foresee...

Since you are using information from the users computer you will have to...

1. Have the user give you this information (I (the potential customer) don't want your software that bad...).

2. Automate this task in such a way as to create an encrypted file and have the user give you this information (Once again the user may not want to have something from their computer sent to you.).

3. Require that registration/unlocking of software be online (Some users do not have internet access and if you are looking for commercial clients some have closed systems.).

4. How do you put the unlock key on the box if you are using something unique to each computer installed to create the hash?

Ok, that is just off the top of my head and I bet that some others could come up with other concerns.

Now if you were to use only the files supplied with your program then there would only need to be one key per compile (On the assumption that you change something in each compile.). This would make for a fairly easy hack for the novice user unless each copy that you sold was a fresh compile with say the auto increment on. That should give you 10,000 different keys via the changing build, but would allow for users to sneaker net it between machines so you are pretty much back to square one with the attempt to prevent users from making copies and sharing your program.

This topic (software keys) has been discussed several times here in the past. There are no easy solutions to software piracy.

And with all that said, I wish you all the luck in figuring out a way to protect your software...

Good Luck

 

[computerjin]

u can use system board serial number instead of hd serial number. its more difficult to share a system board offcourse

- ur app detects the serail number of ur consumer's system board.
- after fetching system board's serial number, it forced ur consumer to connect to internet (with ur pre built site that takes the serial number in encrypted form n gives a unique key to ur consumer that he/she needs to run the app.
or
- after fetching the system board serial number, ur consumer contacts u on telefone n u gives him/her the key.

- when ever ur app started, a routine always will check the system board's serial number n match it with the app key.

in this case if he comes to know the key n tells it to others, they cannot use it on their systems.

but remember, one can make that checking routine disable using an assembler n a good knowledge of assembly

waiting for ur comments... is it all applicable n feasible???
thanx

 

[barryna]

Here are the guidlines that I think I am going to go with:

-The user downloadeds the software from my web site.
-The user installs the software.
-The user has a 30 day trail of the software (built and is working great).
-When the software is run for the first time, it gathers info from the user's computer and generates an encrypted string that needs to be sent back to me at some point if they want a full enablement key.
-After the 30 day trial is up, (or anytime I guess), the user has the option to request an enablement key via the internet or can do it manually by calling me.
-If the user chooses the manual route, they give me that string and I generate an enablement key using an encryption scheme that I am buidling right now, and then hashing it w/ MD5 so I will always have a 32 character key (and be more secure) and give it to them to enter. Oh, and they have to pay for the software too!
-If they chose to request one over the internet, the key and other user info is posted to an asp page where the user can finish filling out stuff and can buy the software (like monster cart or something), then the full enablement key is automatically sent back to the software, if the transaction for payment goes through.
-The user is all happy and software runs great unless they get a new computer or reformat the hard drive.

I think this will all work, if anyone has any additional comments, feel free to post them.

Nick