

Need an encryption method

Posted on 2005-05-14
Medium Priority
Last Modified: 2013-12-04
I am in need of a mathematical approach which would create unique "keys" to prevent piracy of my software.  The inputs could be the customer's name, address and start and end dates of the license period.  Acceptable digits would be 0..9, A..Z.  I would like an approach which will allow me to put this unique customer information into my C# conversion program, so that it could produce a password, such as "13243-K32K2-09088".

Sample Inputs:
Customer:  "Frank A. Smith"
Address: "105 Washington St., Vienna, VA"
License period: "5/29/2005 - 5/29/2006"

But I need to be able to convert the password back to the customer information.  Does anyone have any idea how to do this?

Question by:ba272

Accepted Solution

ChipM0nk JG earned 2000 total points
ID: 14007993
This approach most likely won't work because of the ease with which low level debuggers can find and bypass the JMP and JNE instructions for your protection logic.

In any case if you wish to try, you need:

A shared secret, i.e. some type of key.
An encryption algorithm, any one from MS encryption classes will do (the CAPI implementation - check out the CAPICOM dll).

Using your shared secret (for example, the user's name and address) you can encrypt a piece of information (the validity dates of the software).  The user then types in his name and address (exactly as supplied) and the encrypted key that you provide (a string of hex digits) and the software is able to decrypt the validity dates.  Any other user information with the key will produce nonsense.   Your software can also "turn off" once the key is no longer valid because the dates will be past due.
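The scheme described in the answer above, as an added C# example that is not part of the original post. It assumes .NET 8 or later and picks AES-GCM with a PBKDF2-derived key (the answer names only "MS encryption classes"); the class name, salt and date format are hypothetical choices made for this sketch.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

static class LicenseKey
{
    const string Fmt = "yyyyMMdd";
    static readonly CultureInfo Inv = CultureInfo.InvariantCulture;
    // Constructed, product-specific salt (an assumption; it is not a secret).
    static readonly byte[] Salt = Encoding.UTF8.GetBytes("example-product-v1");
    // Shared secret: the name and address exactly as supplied, stretched to an AES-256 key.
    static byte[] DeriveKey(string name, string address) =>
        Rfc2898DeriveBytes.Pbkdf2(name + "\n" + address, Salt, 100_000, HashAlgorithmName.SHA256, 32);
    // Vendor side: encrypt the validity dates; key = hex(nonce || ciphertext || tag).
    public static string Issue(string name, string address, DateTime start, DateTime end)
    {
        byte[] plain = Encoding.ASCII.GetBytes(start.ToString(Fmt, Inv) + end.ToString(Fmt, Inv));
        byte[] blob = new byte[12 + 16 + 16];
        RandomNumberGenerator.Fill(blob.AsSpan(0, 12));          // fresh nonce per issued key
        using var aes = new AesGcm(DeriveKey(name, address), 16);
        aes.Encrypt(blob.AsSpan(0, 12), plain, blob.AsSpan(12, 16), blob.AsSpan(28, 16));
        return Convert.ToHexString(blob);
    }
    // Client side: false for a malformed key or for any other name/address (tag check fails).
    public static bool TryRead(string name, string address, string keyHex, out DateTime start, out DateTime end)
    {
        start = end = default;
        try
        {
            byte[] blob = Convert.FromHexString(keyHex);
            if (blob.Length != 44) return false;
            byte[] plain = new byte[16];
            using var aes = new AesGcm(DeriveKey(name, address), 16);
            aes.Decrypt(blob.AsSpan(0, 12), blob.AsSpan(12, 16), blob.AsSpan(28, 16), plain);
            string s = Encoding.ASCII.GetString(plain);
            return DateTime.TryParseExact(s[..8], Fmt, Inv, DateTimeStyles.None, out start)
                && DateTime.TryParseExact(s[8..], Fmt, Inv, DateTimeStyles.None, out end);
        }
        catch (Exception e) when (e is FormatException or CryptographicException) { return false; }
    }
    static void Main()
    {
        const string addr = "105 Washington St., Vienna, VA";   // sample input from the question
        string key = Issue("Frank A. Smith", addr, new DateTime(2005, 5, 29), new DateTime(2006, 5, 29));
        bool ok = TryRead("Frank A. Smith", addr, key, out var begin, out var until);
        Console.WriteLine($"{key}\nvalid={ok} {begin:yyyy-MM-dd}..{until:yyyy-MM-dd} expired={DateTime.Today > until}");
        Console.WriteLine($"other name accepted: {TryRead("Frank B. Smith", addr, key, out _, out _)}");
    }
}
```

The authentication tag turns the "nonsense" case into a clean rejection instead of garbage dates. Everything needed to derive the key ships inside the client, so this binds a key to a name and address but does nothing against the patched-check bypass the answer warns about.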


Author Comment

ID: 14010900
Thanks for the help.  I'm new to coding encryption algorithms and will look into the encryption classes you mentioned.

What you said about the ease with which this can be bypassed worries me, so I am considering a web based authentication to augment the algorithmic approach.  For example, I could program into my application a periodic check-in to a web service I could create.  Would that code also be easy to bypass?  How do you see a web service working along with an encryption algorithm?  I also expect to be able to access the systems of paying customers, so theoretically I could deposit a new key on their system periodically.  So I have lots of options.  Which ones do you think would give the best protection?

Thanks for the advice.

Expert Comment

by:ChipM0nk JG
ID: 14011037
If you use a web based approach it is also easy to bypass the code.  In fact, any code that checks for a "key" is easy to bypass.

The only way to protect your software is to NEVER give it to the customer.  

Rather than keep a key off the customer's site, you should keep a key class in your software.  This must be an essential class and you should only expose its interface via a web service.  That way anyone using your software will need to access your web service.  Now this brings a whole host of new problems related to performance and reliability to the table that can cost a significant amount to overcome.  If you don't do this right the customer will think your software to be of poor quality.

Bottom line - it costs a lot to protect software from piracy.  Often no protection and a good contract and relationship with your customers is the most economical solution.

Answer these questions:
How big is your market?
How much do you trust your customers?
How much do you stand to really miss out on due to piracy?

And this one:
How much will it cost to really protect your software?

This is why most software uses a basic "keep the honest people honest" that is easily hacked.


Author Comment

ID: 14013730
How big is your market?  Answer: Huge
How much do you trust your customers?  Answer: not at all
How much do you stand to really miss out on due to piracy?  Answer: we stand to lose our core business

How about this as something to shoot for?

A security class in my program, with a private interface.  That class will communicate with my web service, but only when business is slow and there's plenty of processor available to me.  The class could pass secret information, like the restaurant's address, to the web service and get some form of an authentication key in return.  But here's where I am lost about what gets passed back from the web service and how it's used.

But this solution involves mapping, so if I can enforce the use of an address in mapping lookups, and send that address to the web service, wouldn't that help in some way?


Expert Comment

by:ChipM0nk JG
ID: 14014656
You could pass back

a) a module (a core dll) that your system needs to run
b) the finished product of a data processing algorithm

As for (a): Anything that eventually runs on the customer CPU can be snapshotted and written to disk.  Basically, if it runs on my CPU and sits in my RAM, I can copy it and run it elsewhere.

The only way to protect software is to keep it at your site.  The ASP business model does this nicely.  Option (b) is sort of an "ASP lite" - all the software runs on the client's system, except for a key function, like sales tax calculations.

Either way, you need a good data center with guaranteed 24/7 uptime and a low latency network connection to each client.

If your customers are restaurants as indicated above, then you can probably go with a basic key scheme like mentioned above.  Their level of IT sophistication is relatively low and piracy will be a minor problem if you implement any kind of protection.

Author Comment

ID: 14015315
Thanks for the help.  You gave me a pretty quick lesson in stopping pirates.



Question has a verified solution.
