Need an encryption method

Posted on 2005-05-14
Last Modified: 2013-12-04
I am in need of a mathematical approach which would create unique "keys" to prevent piracy of my software.  The inputs could be the customer's name, address and start and end dates of the license period.  Acceptable digits would be 0..9, A..Z.  I would like an approach which will allow me to put this unique customer information into my C# conversion program, so that it could produce a password, such as "13243-K32K2-09088".

Sample Inputs:
Customer:  "Frank A. Smith"
Address: "105 Washington St., Vienna, VA"
License period: "5/29/2005 - 5/29/2006"

But I need to be able to convert the password back to the customer information.  Does anyone have any idea how to do this?

Question by:ba272

    Accepted Solution

    This approach most likely won't work because of the ease with which low level debuggers can find and bypass the JMP and JNE instructions for your protection logic.

    In any case if you wish to try, you need:

    A shared secret, i.e. some type of key.
    An encryption algorithm, any one from MS encryption classes will do (the CAPI implementation - check out the CAPICOM dll).

    Using your shared secret (for example, the user's name and address) you can encrypt a piece of information (the validity dates of the software).  The user then types in his name and address (exactly as supplied) and the encrypted key that you provide (a string of hex digits) and the software is able to decrypt the validity dates.  Any other user information with the key will produce nonsense.   Your software can also "turn off" once the key is no longer valid because the dates will be past due.
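
The scheme this answer describes, as an added C# example that is not part of the original answer: the name and address are stretched into an AES key, and the key string is the encrypted validity dates in hex. It assumes .NET 6 or later; the `LicenseKey` class, its method names, the salt, the 2000-01-01 epoch and the block layout are hypothetical choices made for the illustration.

```csharp
using System;
using System.Security.Cryptography;

// Demo with the sample inputs from the question; name matching ignores case and outer spaces.
string key = LicenseKey.Issue("Frank A. Smith", "105 Washington St., Vienna, VA",
                              new DateTime(2005, 5, 29), new DateTime(2006, 5, 29));
bool ok = LicenseKey.TryRead("frank a. smith ", "105 Washington St., Vienna, VA", key, out var s, out var e);
Console.WriteLine($"{key} ok={ok} {s:d} - {e:d} active={ok && DateTime.Today <= e}");
Console.WriteLine(LicenseKey.TryRead("Someone Else", "1 Other St.", key, out s, out e));

static class LicenseKey
{
    // Assumption: a per-product salt compiled into the application (constructed value).
    static readonly byte[] Salt = System.Text.Encoding.UTF8.GetBytes("example-product-salt");
    static readonly DateTime Epoch = new DateTime(2000, 1, 1);
    // The shared secret is the name and address, normalised before key derivation.
    static Aes CipherFor(string name, string address)
    {
        string secret = (name.Trim() + "\n" + address.Trim()).ToUpperInvariant();
        var aes = Aes.Create();
        aes.Key = Rfc2898DeriveBytes.Pbkdf2(secret, Salt, 100000, HashAlgorithmName.SHA256, 32);
        aes.Mode = CipherMode.ECB; aes.Padding = PaddingMode.None; // one 16-byte block per key
        return aes;
    }

    // Vendor side. Block layout: start day (2 bytes), end day (2 bytes), 12 zero check bytes.
    public static string Issue(string name, string address, DateTime start, DateTime end)
    {
        var block = new byte[16];
        BitConverter.GetBytes((ushort)(start - Epoch).TotalDays).CopyTo(block, 0);
        BitConverter.GetBytes((ushort)(end - Epoch).TotalDays).CopyTo(block, 2);
        using (var aes = CipherFor(name, address))
        using (var enc = aes.CreateEncryptor())
            return Convert.ToHexString(enc.TransformFinalBlock(block, 0, 16));
    }

    // Client side. A wrong name, address or key decrypts to nonsense and fails the zero check.
    public static bool TryRead(string name, string address, string hexKey, out DateTime start, out DateTime end)
    {
        start = end = Epoch;
        byte[] ct, pt;
        try { ct = Convert.FromHexString(hexKey.Trim()); } catch (FormatException) { return false; }
        if (ct.Length != 16) return false;
        using (var aes = CipherFor(name, address))
        using (var dec = aes.CreateDecryptor())
            pt = dec.TransformFinalBlock(ct, 0, 16);
        for (int i = 4; i < 16; i++) if (pt[i] != 0) return false;
        start = Epoch.AddDays(BitConverter.ToUInt16(pt, 0));
        end = Epoch.AddDays(BitConverter.ToUInt16(pt, 2));
        return start <= end;
    }
}
```

Because the same key derivation ships inside the program, this binds a key to one name and address but does not change the bypass concern raised at the top of the answer.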


    Author Comment

    Thanks for the help.  I'm new to coding encryption algorithms and will look into the encryption classes you mentioned.

    What you said about the ease with which this can be bypassed worries me, so I am considering a web based authentication to augment the algorithmic approach.  For example, I could program into my application a periodic check-in to a web service I could create.  Would that code also be easy to bypass?  How do you see a web service working along with an encryption algorithm?  I also expect to be able to access the systems of paying customers, so theoretically I could deposit a new key on their system periodically.  So I have lots of options.  Which ones do you think would give the best protection?

    Thanks for the advice.

    Expert Comment

    If you use a web based approach it is also easy to bypass the code.  In fact, any code that checks for a "key" is easy to bypass.

    The only way to protect your software is to NEVER give it to the customer.  

    Rather than keep a key off the customer's site, you should keep a key class in your software.  This must be an essential class and you should only expose its interface via a web service.  That way anyone using your software will need to access your web service.  Now this brings a whole host of new problems related to performance and reliability to the table that can cost a significant amount to overcome.  If you don't do this right the customer will think your software to be of poor quality.

    Bottom line - it costs a lot to protect software from piracy.  Often no protection and a good contract and relationship with your customers is the most economical solution.

    Answer these questions:
    How big is your market?
    How much do you trust your customers?
    How much do you stand to really miss out on due to piracy?

    And this one:
    How much will it cost to really protect your software?

    This is why most software uses a basic "keep the honest people honest" that is easily hacked.

    Author Comment

    How big is your market?  Answer: Huge
    How much do you trust your customers?  Answer: not at all
    How much do you stand to really miss out on due to piracy?  Answer: we stand to lose our core business

    How about this as something to shoot for?

    A security class in my program, with a private interface.  That class will communicate with my web service, but only when business is slow and there's plenty of processor available to me.  The class could pass secret information, like the restaurant's address, to the web service and get some form of an authentication key in return.  But here's where I am lost about what gets passed back from the web service and how it's used.

    But this solution involves mapping, so if I can enforce the use of an address in mapping lookups, and send that address to the web service, wouldn't that help in some way?


    Expert Comment

    You could pass back

    a) a module (a core dll) that your system needs to run
    b) the finished product of a data processing algorithm

    As for (a): Anything that eventually runs on the customer CPU can be snapshotted and written to disk.  Basically, if it runs on my CPU and sits in my RAM, I can copy it and run it elsewhere.

    The only way to protect software is to keep it at your site.  The ASP business model does this nicely.  Option (b) is sort of an "ASP lite" - all the software runs on the client's system, except for a key function, like sales tax calculations.

    Either way, you need a good data center with guaranteed 24/7 uptime and a low latency network connection to each client.

    If your customers are restaurants as indicated above, then you can probably go with a basic key scheme like mentioned above.  Their level of IT sophistication is relatively low and piracy will be a minor problem if you implement any kind of protection.

    Author Comment

    Thanks for the help.  You gave me a pretty quick lesson in stopping pirates.

