• Advertisement
Sign in to follow this  

Registration, Keys, and Verification [?]

This topic is 2096 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

I am working hard on a commercial application and am at the point I need to add registration keys and verificion methods. I have a few things in mind, however I would like feedback on the following topics and my solutions if possible.

  • The best way to make the program hard to patch
  • The best way to verify the key in program
  • The best way to verify the key via internet
  • The best way to deactivate products using blacklisted keys
  • The best way to provide registration and updates.

My proposed solutions are as follows

  • So far what i was thinking was to check part of the key when registering, and then trigger a timer for about a minute and it check the remaining part of the key.
  • Checking parts of the key at different times.
  • After checking the key and it passes the key rearranged to the server and the server rearranges it back and compares it to a list.
  • Require the program to have internet access when starting up and it submit its key as well as MAC address to the website and the website return an encryped pass/fail message.
  • For Evaluation: Textboxes on a form with the terms and when submitted it adds entered data to the websites database and returns a temporary key (30 days). If they submitted garbage just blacklist their mac or force them to fill out the registration for again.
    For Purchased copies: Company name and registration key entry. Details in number 2.

Current Registration Window: [attachment=9063:reg.PNG]

I was thinking they could use the program alone to get a evaulation key, and have to use the website to purchase a key. Ideas on this?
Also has anyone else seen a program have registrion embedded in it like this?

All comments welcome.
Thanks in advance,
CoderWalker

Share this post


Link to post
Share on other sites
Advertisement

1. So far what i was thinking was to check part of the key when registering, and then trigger a timer for about a minute and it check the remaining part of the key.
2. Checking parts of the key at different times.
3. After checking the key and it passes the key rearranged to the server and the server rearranges it back and compares it to a list.
4. Require the program to have internet access when starting up and it submit its key as well as MAC address to the website and the website return an encryped pass/fail message.
5. For Evaluation: Textboxes on a form with the terms and when submitted it adds entered data to the websites database and returns a temporary key (30 days). If they submitted garbage just blacklist their mac or force them to fill out the registration for again.
For Purchased copies: Company name and registration key entry. Details in number 2.

1. Why? I don't see any practical purpose to doing that.
2. Same question.
3. Why rearranged? What difference does it make?
4. A MAC address is not unique, it can be changed with very little effort.
5. Same at above.

Have you considered the possibility that a pirate will simply remove the registration code from the binary, thereby completely bypassing your whole scheme?

Please do a risk analysis (with an appropriate threat model) before implementing security-related features. Who are you protecting your application against? There are three types of people:
- Everyday joe which will know next to nothing about computers and will be defeated by the simplest obstacle (99%+ of the computer population)
- Hobbyist hacker, which knows how to break your stuff and remove your registration code, etc...
- Professional pirate, which has significant resources to expend in cracking your application and will stop at nothing to access your software without purchasing a key

What kinds of applications need to protect themselves against all three types of people? Bank interfaces, government websites, etc... how about just the two first? Online games (they try, at least), some commercial applications. But the vast majority of software only attempts to block out the first type of people because that's where most of their userbase lies. In short, it doesn't make sense economically to invest funds into better security when almost all of your users are incapable of even looking for a cracked version of your program.

This also means that there is no "middle ground" when it comes to security. Either you do it right, either don't bother to do it (with respect to your chosen threat model, of course).

Assuming you choose the "standard" threat model which is, minimal security (just enough to prevent your everyday joe pirating your program), then you just need something really basic such as:
- have the user sign up on your website (using first/last name, email, etc...) as usual and purchase a key there. At this point you generate a sufficiently large random number, and compute the keyed hash of their first/last name etc... using the random number as a key, and save that next to their account. Then, when the user starts up the program, he enters this key along with his first and last name (and whatever other data you choose to include), and the website can validate easily. This cannot be broken by simply trying random combinations or getting lucky or whatever, it requires the user to either purchase a key or bypass authentication. Under the assumption that the everyday joe is unable to bypass the authentication form (which probably requires editing the binary in some way), your application is secure under your threat model.

Many other variations are possible, but under your threat model they are all equivalent (secure enough).

Also, forget about the blacklisting thing. It doesn't work (and will often end up hurting the end user by accidentally blacklisting legitimate users, or yourself by storing unnecessary blacklisting data on your server). There are also some very nasty outcomes that can occur - a malicious pirate could find a way to trick your server into blacklisting *everyone* because of a flaw or something, and you will be in trouble. Better not give him the tools to do so.

PS: there is no such thing as "best way" to implement security. There's always someone out there smarter than you which will break your security, no matter how well-implemented (in the general case, that is - there are some provably secure techniques but they are usually very specific to a given application with very particular needs and features).

Share this post


Link to post
Share on other sites
In my experience, the best thing to do is just let the bad guys use the app.


Give them an unobtrusive nag screen that they can skip.

Yes, some people will download fake or stolen keys to make it go away, or they will simply click button every time they use it just to make it go away. As long as it goes away with a single click they're unlikely to break your executable to remove it. You'll still have your (uncracked) app used and shared and continue to get the word-of-mouth advertising, and the more honest individuals will eventually tire of a nag screen and send in money.



The alternative is an expensive and never-ending war of licence management, DRM, and strong deterrents. Even strong deterrents like FlexLM, SecuROM, and the rest can cost a million dollars or more to add to your app, and are easily broken by pirates. If you are talking about piracy of millions of copies then it becomes cost effective to use those countermeasures. But for a small personal project, there really is no point.

Share this post


Link to post
Share on other sites
Awesome feedback. I do tend to get carried away sometimes.
I do want to require registration for more than 30 days.

This program is a server penetration testing tool.
So I am dealing with the "skilled" part of the market.
So I really don't know how hard I should be on this.

Here is a very similar program: http://www.mavitunasecurity.com/netsparker/

Is registration within the program a bad idea?

Share this post


Link to post
Share on other sites
Personally i don't think it is worth it to make things "hard to crack" , if one person can crack it you've lost that race anyway, if you're going this route you should look into a service model instead. (If your application is tied to a service under your control a pirate has to replicate your service instead of removing your DRM, this will give you a far bigger piracy free window (This is the route PC games are going these days))

Businesses tend to be fairly honest when it comes to software so your best bet is to make the DRM help them keep track of their licenses to avoid honest mistakes (it also helps to offer site licenses to make the license management easier for your customers).

Individuals pirating your software can probably be a good thing, if they can't pirate your software they'll probably pirate your competitors software instead (and if the IT staff at company X runs pirate copies of your competitors software at home your chances of making a sale to company X becomes alot smaller than if the staff runs pirate copies of your software). (If you're also selling to individuals or if you have a cheaper version for individuals piracy becomes a real problem though)

Share this post


Link to post
Share on other sites
Sign in to follow this  

  • Advertisement