Processor ID for security purposes 1

[Andviv]

Hi.

How can I find the processor ID in a computer?
The situation is like this, we have a software with a very restrictive licensing mode and it is suppouse to run only in "that" specific machine. My boss want to find the processor id and "lock" the system to only work with that processor, forcing the client to come back to us if they want to install it again in other machine.

What alternatives do I have?

Thanks in advance

 

[zemp]

There was a thread last week that talked about using an API call to get the serial number of the hard drive. You can always use that if you can't get the processos number. Yes they can move their hard drive to another machine but they can only run one cpoy of your software and that is what you really want.

What I have done in the past is use a simple encryption algorithm to create create a random serial number when the software get installed and use the same algorithm to create the corresponding registration key. The serial number is then burried in the registry. This way they also cannot reinastall another version, trial or full. For our target users this works just fine. You can even tell them that the serial number is based on the processor ID number, they will never know. With this method each installation an a computer creates a different serial number and requires a new registration key which we generate. Thanks and Good Luck!

zemp

 

[kel1981b]

I think it's not that easy. Do you no how many illegal copies of Microsoft products are installed? Do you know why? Not because Microsoft is so kind. They will pay a lot, if somebody will be able to fix icensing issue that quick and easy.

 

[zemp]

There will always be people trying to fix programs. Especially ones as popular as microsoft's. If you have a relatively small specific program people won't waste their time trying to crack it.

Besides if your algorithm is good and unique it may not be so easy. Thanks and Good Luck!

zemp

 

[Andviv]

Zemp, Thanks a lot for your suggestion, I think I will follow your lead. Is there any link you can suggest to review code and get more detailed ideas?

Thanks again,

Andviv

 

[kel1981b]

This question for zemp. It's my understanding that you method prevents user to reinstall your application/different version on the SAME machine. How about, if client will want to install the same application on few DIFFERENT machines? I think this method will not work at all. At the mean time, Andviv's question was about DIFFERENT machines. That's why he was asking about getting particular CPU number. Anyway, if he will get this number and software is distributed on CD, there is just one way to prevent users against illegal instantiation on different machine. It'll be possible, if this information will store in CD during installation. Theoretically it's possible but practically, I am afraid not.

 

[Andviv]

kel1981b, Do you know then of any "effective" method to secure the software? That is what we want, we want to know if the client is installing it on other computer where it does not suppouse to be, or forbid them of doing it if that were possible.

Thanks,

Andviv

 

[kel1981b]

I wish I knew ... Actually, there is one way but I think your client will not be very happy about that way. You can use the same way what other companies use. Use unique CD Key during the instalattion but do not provide this key to clients. In that case somebody from your company has to install your software on clients machine. I am pretty sure your client won't accept that way but you can try.

 

[zemp]

kel1981b - there is no way to prevent the user from installing the software on a different machine. However the program will generate a <b>different</b> serial number. Therefore they will require a <b>different</b> registration key in order for the software to work properly. Since we generate each registartion key based on each serial number we know how many instances a client is running.

The way we have it set up is that users download a 30 day trial version of the program from our website, so there is no CD. The registartion key is required for full operation.

I know that our method is not fool proof. Someone could decrypt the serial number and create the registration key or they could find where we bury the serial number and installation date in the registry and delete that in Order to allow the reinstallation of the trial version. But our target users are not other programmers or crackers that would know what to do or look for. In this case the ignorance of the end user is bliss. Thanks and Good Luck!

zemp

 

[zemp]

Andviv - I do not know of any place on the net that you can find the encryption method that I used. I recieved it from another programmer and it is already in the public domain somewhere. I don't even know if it has a specific name. I do know that I can customize it to some degree.

Below are a few links that I have collected for encryption information. I don't know how many are still valid links.

A few of these offer a pre-compile DLL for download. Some of them provide source code. All of them contain information you can assimilate to help you clarify the direction of your rather interesting project.

http://www.crypteon.co.uk/des-source-code-toolkit

http://www.crypto-central.com/

http://www.counterpane.com/blowfish-download.html

http://www.di-mgt.com.au/crypto.html

http://www.phpbuilder.com/mail/php-developer-list/199903/0328.php

http://sourceforge.net/projects/blowfishvhdl

http://web.mit.edu/thouis/www/ecrypto.html

http://www.totse.com/en/privacy/encryption/techdes.html

http://bsn.ch/Lasse/bfacs.htm

http://www.geocrawler.com/archives/3/5/1999/3/0/1440664/

http://www.eskimo.com/~weidai/cryptlib.html

http://www.turbopower.com/products/LockBox/

http://codetools.com/cpp/blowfish.asp

http://www.cityinthesky.co.uk/cryptography.html

http://www.brisse.dk/linux/phpext/blowfish.htm

http://www.di-mgt.com.au/cryptoBlowfishASP.html

http://web.bsn.ch/lasse/bfacs.htm

http://www.openwall.com/crypt/

http://www.wiley.com/cda/product/0,,0471353817,00.html

http://www.counterpane.com/twofish.html

http://www.ddj.com/articles/1998/9812/9812b/9812b.htm

http://www.terravista.pt/ilhadomel/2014/tf.html

http://csrc.nist.gov/encryption/aes/round2/r2algs-code.html

http://www.twofish.org/

http://libtomcrypt.sunsite.dk/

http://hollerith.cs.transy.edu/campbell/cryptology/twofish/etc.html

http://saturn.hut.fi/~helger/crypto/link/block/twofish.html

http://www.angelfire.com/mo/isswgaryr/programs.html

http://www.diskencryption.org/

http://shop.barnesandnoble.com/booksearch/isbnInquiry.asp?sourceid=7354618&isbn=0471353817

http://www.macfergus.com/niels/pubs/twofishAES.html

http://csrc.nist.gov/encryption/aes/rijndael/

http://www.esat.kuleuven.ac.be/~rijmen/rijndael/

http://csrc.ncsl.nist.gov/encryption/aes/rijndael

http://www.streamsec.com/prod_strsec2.asp

http://www.cryptix.org/news/02102000.html

http://www.aegiscode.com/

http://freshmeat.net/releases/42313

http://www.eskimo.com/~weidai/cryptlib.html

http://www.esat.kuleuven.ac.be/~mleeman/hj82/2001/encryption.html

http://www.cryptosys.net/sha1.html

http://www.sewelld.com/SecureHashAlgorithm.asp

Thanks and Good Luck!

zemp

 

[kel1981b]

zemp. But you did not mention in your first reply that yours clients have to download software from Internet not install it from CD! That's why you confuse me and I belive Andviv. Well, may be just me and Andviv was not confused ...

 

[zemp]

Sorry for the confusion. I don't think it matters how the software is distributed as long as the encryption does what you want it to. Thanks and Good Luck!

zemp

 

[SemperFiDownUnda]

all this is well and good but honestly if someone wants to crack your security it isn't that hard. I personally wouldn't bother with trying to create a key generator but just find that op code where you do check for valid key pair and either noop it, jmp, etc depending on the code produced.

The real point being is implementing a level of security that covers the risk that you are facing. If you are dealing with a company then the risks are quiet small in most cases. There you only have to protect your program from the honest ones that might think &quot;oh i'll just install this on this other computer too&quot; and provide enough deterant for that case. Spending 10 grand on implimenting a security system makes zero sense if it would only saves you 2 grand from priracy.

If you right a security system and think its unbreakable then 99.9999% chance you are dreamming. Wether someone would bother to crack it or not is a different story.

 

[sayedmostafa]

use harware security like (Dongole)
i used hdd serial and usually clients said they format hdd

 

[pmrankine]

As a user, I wouldn't be too chuffed if I had to return to the supplier if I wanted re-install the s/w.... just a thought.

 

[mattKnight]

The other option is to look for the MAC address, which is hard coded into the NIC and combine it with say the HDD serial. This can provided a feed back to your key generator

Just a thought

Matt

 

[chiph]

Like sayedmostafa said -- use a hardware dongle. That way they can install/reinstall to their hearts content, but without the hardware key it won't run.

The USB ones are pretty cool, IMO.

Chip H.

 

[chadt]

I don't know if anyone uses any Cadence software but they hardcode the NIC mac address into the registration file which would allow you to only install on a specified machine.

need samples let me know.

 

[Andviv]

chadt, may we see an example?

Thanks,

 

[mattKnight]

Andviv
thread711-428783 contains a worked example of how to get a MAC address!

Take care

Matt