How to Generate License Keys for Software Applications that you Distribute
What is the Purpose of License Keys?
License keys are a vital tool for ensuring the correct usage of your software. Keys secure programs so that only users who have been granted access can run the software. Software licenses benefit both the developers and the users of a product.
For developers, license agreements protect their intellectual property and trade secrets, limit what other parties can do with the covered software code, and limit vendor liability.
Licensing protects users by establishing how they stay in compliance with the software, so they avoid infringement claims and limit their legal liability. License agreements also provide users the opportunity to maintain a positive relationship with software vendors, and can prevent overspending on licenses by establishing clear parameters of how many licenses an organization needs.
What should any licensing mechanism have?
Bike locks are a good analogy for how a licensing mechanism should operate: everything is crackable, and the lock primarily serves as a deterrent to someone with malicious intent.
Some important characteristics of an effective licensing mechanism are:
- Should not make the lives of legitimate users difficult
- Should not be trivial to circumvent
- Should fit the software well
- Must be able to revoke a license key in the case of chargebacks or purchases with stolen credit cards
What is Partial Key Verification?
Partial Key Verification is a software license key algorithm that partitions a product key into multiple "subkeys." With each new version of your product, your license key verification algorithm checks a different subset of a license's subkeys. It is called partial key verification because the verification algorithm never tests the full license key; it only tests a subset of the subkeys.
How to Implement Partial Key Verification?
The main components of a PKV key are the seed value and its subkeys (together referred to as the serial), followed by a checksum. The subkeys are derived from the unique seed value using bit twiddling, and the checksum ensures that the serial (seed + subkeys) does not contain a typo.
Next, we write a keygen that we, the business, can use to generate legitimate keys for our end-users after they purchase our product. Our PKV keygen should be a tightly kept trade secret, because with it comes the power to craft license keys at will.
Our application will not fully test a key for verification. Only part of the key is tested. Further, each release of the application should test a different portion of the key, so that a phony key based on an earlier release will not work on a later release of our software.
Advantages of Partial Key Verification:
- The code of any one release never contains enough information for a cracker to reverse-engineer your key system.
- It should not be possible for a legitimate user to accidentally type in an invalid key that will appear to work but fail on a future version due to a typographical error.
Disadvantages of Partial Key Verification:
- You leak the license key generation algorithm over time.
- You eventually have to maintain a blacklist of leaked/illegitimate keys.
- Given enough legitimate keys, your algorithm can be deduced.
- It's hard to embed data into a key (e.g. max app version).
- It's incredibly complex.
- It will still be possible for a cracker to edit your executable to jump over verification code.
For more information about Partial Key Verification see Brandon’s Blog Post.
A Better Way to Generate Keys: Using a License Server to Generate Keys and Store License Records
A superior way to generate license keys is to use a license server. With a license server, you can also store license records, revoke licenses, and reset or add entitlements. Since the server can revoke licenses, a blacklist of leaked or illegitimate keys no longer needs to be maintained. The license server relies on signing the server response, and verifying that signature, to lock or unlock licenses, and the license state can be changed or updated at any time. This adaptability simplifies the process of licensing software, and prevents crackers from being able to edit the executable to jump over verification code.
How does a License Server Work to Generate License Keys?
As opposed to using the license key as a means to store license information, a key generated by a license server acts as an authorization mechanism. This is possible because all of the license information is stored within the server, and the key is just a random string used to fetch the license data from the server to the local machine.
Do Key Generators still work for Cracking Software?
Key generators are unlikely to have any success cracking software using license keys generated by license servers. This is because the key itself is just a string, generated randomly, and stores no information on its own.