Need an encryption method

I am in need of a mathematical approach which would create unique "keys" to prevent piracy of my software.  The inputs could be the customer's name, address and start and end dates of the license period.  Acceptable digits would be 0..9, A..Z.  I would like an approach which will allow me to put this unique customer information into my C# conversion program, so that it could produce a password, such as "13243-K32K2-09088".

Sample Inputs:
Customer:  "Frank A. Smith"
Address: "105 Washington St., Vienna, VA"
License period: "5/29/2005 - 5/29/2006"

But I need to be able to convert the password back to the customer information.  Does anyone have any idea how to do this?

ChipM0nk JGLeaderCommented:
This approach most likely won't work because of the ease with which low level debuggers can find and bypass the JMP and JNE instructions for your protection logic.

In any case if you wish to try, you need:

A shared secret, i.e. some type of key.
An encryption algorithm, any one from MS encryption classes will do (the CAPI implementation - check out the CAPICOM dll).

Using your shared secret (for example, the user's name and address) you can encrypt a piece of information (the validity dates of the software).  The user then types in his name and address (exactly as supplied) and the encrypted key that you provide (a string of hex digits) and the software is able to decrypt the validity dates.  Any other user information with the key will produce nonsense.   Your software can also "turn off" once the key is no longer valid because the dates will be past due.
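
The scheme described in this answer, as an added C# example that is not part of the original thread: the validity dates are encrypted under a key derived from the customer's name and address, and the program recovers them only when the same details are typed in. It assumes .NET 8 or later and uses the built-in `AesGcm` and PBKDF2 rather than CAPICOM; the `LicenseKey` class, the salt string and the 2000-01-01 epoch are choices made for the example.

```csharp
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;
using System.Text;

// Sample inputs from the question: issue one key, then check it three ways.
const string name = "Frank A. Smith", addr = "105 Washington St., Vienna, VA";
string key = LicenseKey.Issue(name, addr, new DateTime(2005, 5, 29), new DateTime(2006, 5, 29));
Console.WriteLine(key);
Console.WriteLine(LicenseKey.IsValid(name, addr, key, new DateTime(2005, 12, 1)));             // inside the period
Console.WriteLine(LicenseKey.IsValid("Frank B. Smith", addr, key, new DateTime(2005, 12, 1))); // wrong name
Console.WriteLine(LicenseKey.IsValid(name, addr, key, new DateTime(2006, 6, 1)));              // after the end date

static class LicenseKey
{
    // Hypothetical per-product salt and date epoch (assumptions, not from the thread).
    static readonly byte[] Salt = Encoding.UTF8.GetBytes("example-product-v1");
    static readonly DateTime Epoch = new DateTime(2000, 1, 1);
    // Shared secret: name and address, normalized so case and outer spacing don't matter.
    static byte[] DeriveKey(string name, string address) => Rfc2898DeriveBytes.Pbkdf2(
        Encoding.UTF8.GetBytes((name.Trim() + "|" + address.Trim()).ToUpperInvariant()),
        Salt, 200_000, HashAlgorithmName.SHA256, 32);
    // Vendor side: encrypt both dates (days since Epoch) into nonce|ciphertext|tag, as hex.
    public static string Issue(string name, string address, DateTime start, DateTime end)
    {
        byte[] plain = new byte[4], all = new byte[32];
        BinaryPrimitives.WriteUInt16BigEndian(plain, (ushort)(start - Epoch).Days);
        BinaryPrimitives.WriteUInt16BigEndian(plain.AsSpan(2), (ushort)(end - Epoch).Days);
        RandomNumberGenerator.Fill(all.AsSpan(0, 12));          // fresh 96-bit nonce per key
        using var aes = new AesGcm(DeriveKey(name, address), 16);
        aes.Encrypt(all.AsSpan(0, 12), plain, all.AsSpan(12, 4), all.AsSpan(16, 16));
        return Convert.ToHexString(all);
    }
    // Client side: a wrong name/address or an altered key fails the GCM tag check.
    public static bool IsValid(string name, string address, string key, DateTime today)
    {
        try
        {
            byte[] all = Convert.FromHexString(key.Replace("-", "")), plain = new byte[4];
            if (all.Length != 32) return false;
            using var aes = new AesGcm(DeriveKey(name, address), 16);
            aes.Decrypt(all.AsSpan(0, 12), all.AsSpan(12, 4), all.AsSpan(16, 16), plain);
            DateTime start = Epoch.AddDays(BinaryPrimitives.ReadUInt16BigEndian(plain));
            DateTime end = Epoch.AddDays(BinaryPrimitives.ReadUInt16BigEndian(plain.AsSpan(2)));
            return today >= start && today <= end;
        }
        catch (Exception e) when (e is CryptographicException or FormatException) { return false; }
    }
}
```

Every input to `DeriveKey` is either known to the customer or stored in the shipped program, so this raises the bar without changing the answer's point that the check itself can be bypassed.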

ba272Author Commented:
Thanks for the help.  I'm new to coding encryption algorithms and will look into the encryption classes you mentioned.

What you said about the ease with which this can be bypassed worries me, so I am considering a web based authentication to augment the algorithmic approach.  For example, I could program into my application a periodic check-in to a web service I could create.  Would that code also be easy to bypass?  How do you see a web service working along with an encryption algorithm?  I also expect to be able to access the systems of paying customers, so theoretically I could deposit a new key on their system periodically.  So I have lots of options.  Which ones do you think would give the best protection?

Thanks for the advice.
ChipM0nk JGLeaderCommented:
If you use a web based approach it is also easy to bypass the code.  In fact, any code that checks for a "key" is easy to bypass.

The only way to protect your software is to NEVER give it to the customer.  

Rather than keep a key off the customer's site, you should keep a key class in your software.  This must be an essential class and you should only expose its interface via a web service.  That way anyone using your software will need to access your web service.  Now this brings a whole host of new problems related to performance and reliability to the table that can cost a significant amount to overcome.  If you don't do this right the customer will think your software to be of poor quality.

Bottom line - it costs a lot to protect software from piracy.  Often no protection and a good contract and relationship with your customers is the most economical solution.

Answer these questions:
How big is your market?
How much do you trust your customers?
How much do you stand to really miss out on due to piracy?

And this one:
How much will it cost to really protect your software?

This is why most software uses a basic "keep the honest people honest" that is easily hacked.

ba272Author Commented:
How big is your market?  Answer: Huge
How much do you trust your customers?  Answer: not at all
How much do you stand to really miss out on due to piracy?  Answer: we stand to lose our core business

How about this as something to shoot for?

A security class in my program, with a private interface.  That class will communicate with my web service, but only when business is slow and there's plenty of processor available to me.  The class could pass secret information, like the restaurant's address, to the web service and get some form of an authentication key in return.  But here's where I am lost about what gets passed back from the web service and how it's used.

But this solution involves mapping, so if I can enforce the use of an address in mapping lookups, and send that address to the web service, wouldn't that help in some way?

ChipM0nk JGLeaderCommented:
You could pass back

a) a module (a core dll) that your system needs to run
b) the finished product of a data processing algorithm

As for (a): Anything that eventually runs on the customer CPU can be snapshotted and written to disk.  Basically, if it runs on my CPU and sits in my RAM, I can copy it and run it elsewhere.

The only way to protect software is to keep it at your site.  The ASP business model does this nicely.  Option (b) is sort of an "ASP lite" - all the software runs on the client's system, except for a key function, like sales tax calculations.

Either way, you need a good data center with guaranteed 24/7 uptime and a low latency network connection to each client.

If your customers are restaurants as indicated above, then you can probably go with a basic key scheme like mentioned above.  Their level of IT sophistication is relatively low and piracy will be a minor problem if you implement any kind of protection.
ba272Author Commented:
Thanks for the help.  You gave me a pretty quick lesson in stopping pirates.

Question has a verified solution.
