How to Generate License Keys for Software Applications that you Distribute

Software licenses that are node-locked to a device usually achieve this binding through the use of a license key. If you're a software vendor looking to generate license keys for use in your own application, you probably wondered whether your key stores any information, and whether your combination of characters represents an attack surface for unscrupulous actors looking for ways to use your software in unlicensed ways. We wrote this guide to help you learn more about different ways you can use a license key to control the state of your software application according to your license agreements.

Definition: What is a License Key?

License keys are a vital tool to ensure the correct usage of your software. Keys secure programs so that only permitted users who have been granted access can use the software.  For this reason, software licenses are beneficial to both developers and users of the product:

• For developers, license agreements protect developers’ intellectual property and trade secrets, limit what other parties can do with the covered software code, and limit vendor liability. 
• Licensing protects users by establishing how they stay in compliance with the software, so they avoid infringement claims and limit their legal liability. License agreements also provide users the opportunity to maintain a positive relationship with software vendors, and can prevent overspending on licenses by establishing clear parameters of how many licenses an organization needs.

What is a License Key Generator?

A "license key generator" can refer to two things: Today, a License Key Generator usually refers to a random char generator used by a software vendor to associate license entitlements with that string, which is then is distributed to a customer / end user. It can also refer to a (now archaic) brute forcing tool that would allow a person to circumvent the software licensing mechanism designed around partial key verification. More on PKV later.

What should any licensing mechanism have?

Bike Locks are a good analogy for how a licensing mechanism should operate, since everything is crackable and the lock primarily serves as a deterrent to someone with malicious intent.

Some important characteristics of an efficient software licensing mechanism are:

• The Licensing scheme should not make the lives of legitimate users difficult 
• It should not be trivial to circumvent
• It should fit the software well
• It should ideally be able to revoke a license key in the case of refunds or other licenses that are no longer usable.

What is Partial Key Verification?

Partial Key Verification is a software license key algorithm that partitions a product key into multiple "subkeys." With each new version of your product, your license key verification algorithm will check a different subset of a license's subkeys. It's called partial key verification because the verification algorithm never tests the full license key, it only tests a subset of subkeys. This was a common mechanism that was used to issue license keys until the mid to late 2000s, since key verification would not always be verified online.

How to Implement Partial Key Verification?

The main components of a PKV key are the seed value and its subkeys (together referred to as the serial), and then a checksum. The subkeys are derived from the unique seed value, accomplished using bit twiddling, and the checksum is to ensure that the serial (seed + subkeys) does not contain a typo.

Next, we're going to write a keygen that we, the business, can use to generate legitimate keys for our end-users after they purchase our product. Our PKV keygen should be a tightly kept trade secret, because with it comes the power to craft license keys at-will.

Our application will not fully test a key for verification. Only part of the key is tested. Further, each release of the application should test a different portion of the key, so that a phony key based on an earlier release will not work on a later release of our software.

Advantages of Partial Key Verification:

• An individual License Key does not contain sufficient information for a cracker to reverse-engineer your entire key system.
• It should not be possible for a legitimate user to accidentally type in an invalid key that will appear to work but fail on a future version due to a typographical error.

Disadvantages of Partial Key Verification:

• You leak the license key generation algorithm over time.
• You eventually have to maintain a blacklist of leaked/illegitimate keys.
• if an Attacker has access to enough legitimate keys, the original algorithm can be deduced.
• It's hard to embed data into a key (e.g. max app version).
• It can be quite complex to implement a decent PKV solution that is also easy to use for your end-users.
• It will not prevent a cracker to edit your executable using Assembly language to bypass you verification code (as some of our current engineers used to do back in the day when they wanted to play Kings Quest V).

For more information about Partial Key Verification see Brandon’s Blog Post.

More modern approach: License Server that Generates Keys and Stores License Records:

With the license server, the key itself does not need to embed information on the entitlements allowed in the key itself. Insteald, it acts more as an authorization mechanism to store license records, revoke licenses, and reset/add entitlements. Since the server allows you to revoke/ disable licenses, this means that a blacklist of leaked/illegitimate keys no longer needs to be maintained. The license server relies on signing and verifying the signature of the server response to lock/unlock licenses, which can be changed/updated at any time. This adaptability simplifies the process of licensing software, and prevents crackers from being able to edit the executable to jump over verification code.

How does a License Server Work to Generate License Keys?

As opposed to using the license key as a means to store license information, a key generated by a license server on the fly, and not in advance. All of the license information is stored on the server, and the key is just a random string used to access the data on the license from the server to the local machine.

Do Key Generators still work for Cracking Software?

Key generators are unlikely to have any success cracking software using license keys generated by license servers. This is because the key itself is just a string, generated randomly, and stores no information on its own. It is generally perceived to be a more robust solution to software licensing, immune to license key generators!