We help IT Professionals succeed at work.

Unique Crypting Method

IncognitoMan
IncognitoMan asked
on
744 Views
Last Modified: 2012-06-21
Hello guys,
I need a crypting method, that will convert a string into a crypted one. I searched the google and fount things like md5, but even a kid can breake it. I need a method in which I can insert some kind of a decrypting password, so that to write a function with a parameter of this password.

I know that there are this king of methods, but the idea is that the crypted string need to be short. For example if I crypt ten chars long string the crypted should be a maximum of 15-20 chars. I need this function in order to generate serial number that are made by a unique hardware ID and the period of time for which the program can be used. The serial number needs to be short in order to be dictated by the phone.
Comment
Watch Question

CERTIFIED EXPERT
Top Expert 2009

Commented:
>> I searched the google and fount things like md5

MD5 is a hashing algorithm. It does not encrypt.


>> but even a kid can breake it.

Heh. That's not true. The MD5 algorithm is not reversible, and breaking it is quite hard. It's not the best cryptographic hash out there, but claiming a kid can break it is exaggerated ;)


>> I need this function in order to generate serial number that are made by a unique hardware ID and the period of time for which the program can be used.

Ok, then you don't need encryption. A cryptographic hash sounds suitable indeed. However, just having the hardware id and the validity period in there is probably not enough. You might also want to put in a secret key in there that no-one (except you) knows. Otherwise, anyone can generate a new serial if they figure out the algorithm that was used to generate it.

The other issue with license keys, is where they are checked. If the software itself is gonna check the key, then the software can be reverse engineered to extract the algorithm, so that's not safe at all.

The only way to be somewhat safe, is to check the key on a license server owned by you. The problems with that are that you force your customers to be online when they use your software, and that keys can still be stolen.


In other words, there is no guaranteed way to secure your software with a license key. A simple cryptographic hash of some information unique to the user and/or the hardware and/or the software should be enough to deter most though.

Some good, common cryptographic hashes include MD5 and SHA-1. But many more are out there :)
You could try ccrypt.

Author

Commented:
Infinity08, I completely agree with you, except for one thing. MD5 is reversable if you only know that it's been used to hash the data. This thing with the secret password is interesting, but if they have the algorythm and one serial key, they can see the secret password.
One thing, that came in my mind is to ... somewhat mod the MD5 algorythm, so that it generates a string that is not exactly 255 - ASCII of the char. This will be unique and not just like MD5. So it's going to be at least a little secure this way.
What do you think?

Author

Commented:
Oooh the MD5 is not working that way. I am talking bullshit here. Sorry.
CERTIFIED EXPERT
Top Expert 2009

Commented:
>> MD5 is reversable if you only know that it's been used to hash the data.

No, it's not. It's somewhat vulnerable to collisions, but you cannot easily reverse it.


>> Oooh the MD5 is not working that way.

Ah, I see you came to that conclusion too ;)
Don't mess with custom hashing or encryption. The algorithms that are in use today have been designed by maths brains, analysed and tested to destruction, and at least their weaknesses are known. (And unless your enemies have quantum computers, I wouldn't worry about the weaknesses just yet.)

Custom hashing and encryption functions are tinker toys which are doomed to fall apart and make cracking far, far easier. And what you suggest with changing MD5 is known as "security through obscurity" and that's doomed to fall over after a bit of probing, just like the fake wall in Dawn Of The Dead. (The original, not the noughties action movie remake.)

Author

Commented:
OK HackneyCab, then what is not doomed. Give me an idea :).
CERTIFIED EXPERT
Top Expert 2009
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
Checking the key on my server is good, but on clients with one working place that don't need internet, it's not going to work. I will use the hash funcion and some other things for security. A thank you for the help Infinity08. :)
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.