

Ask HN: Software Key Generation - Best Practices? - dxjones

What are the current "Best Practices" for the following Software Key Generation scenario?

I am a small independent software vendor.  When a vendor sells my software to a customer, I want them to visit my web page (PHP/MySQL) to generate a new "Software License Key" that they provide to the customer.

When the customer first starts the application, they enter their Name and Key, and the application "phones home" to validate the key.

I am very interested in recommendations for precisely how to generate the keys, and any common errors or security risks.  Obviously, we want to avoid crackers being able to generate fake keys.  We also need to prevent crackers getting into the key-generation web site and gaining access to the database, or tricking it into generating new keys (without being an authorized vendor).  It would also be nice if there was a way to check (without phoning home) that a key is "probably" valid (such as, it has the right checksum, and is not on a blacklist hard-coded into the latest version).

Any tips and references in this area would be appreciated.
======
russell
Create a public/private key pair. Have the client encrypt some relevant
information such as the MAC address, IP Address, and software serial number,
and phone home occasionally for authorization. This takes care of the problem
of moving to a new machine or fail-over, but allows you to identify stolen
keys or someone putting copies on multiple servers.

------
sarvesh
1. Get machine fingerprint based on hardware id of the devices. Use your
judgment on which one you want to include.
2. Create a one way hash, with a salt. Store it locally.
3. Call home with this key to activate the product.
4. Every once in a while check the fingerprint again to see if it has
changed; if it has, redirect to the activation page. This would happen only if
the hardware changed.

I am assuming that the people won't have direct access to this logic in your PHP
application. I don't use PHP so don't know if you can precompile your app.
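
The four steps in the answer above, as an added sketch that is not part of the original post. The in-memory `ActivationServer`, the `Client` class, the device-ID names and values, and the use of the license key as the salt are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample hardware IDs (names and values are made up for the example).
MACHINE_A = {"board_uuid": "CONSTRUCTED-BOARD-0001", "disk_serial": "CONSTRUCTED-DISK-0001"}
MACHINE_B = {"board_uuid": "CONSTRUCTED-BOARD-0002", "disk_serial": "CONSTRUCTED-DISK-0002"}

def fingerprint(device_ids: dict, salt: bytes) -> str:
    """Steps 1-2: salted one-way hash over the chosen hardware IDs."""
    h = hashlib.sha256()
    for part in [salt] + [x.encode() for kv in sorted(device_ids.items()) for x in kv]:
        # Length-prefix every field so ("a", "bc") and ("ab", "c") hash differently.
        h.update(len(part).to_bytes(4, "big") + part)
    return h.hexdigest()

class ActivationServer:
    """Stand-in for the phone-home endpoint (hypothetical, in-memory)."""
    def __init__(self, issued_keys):
        self.bound = {key: None for key in issued_keys}  # key -> bound fingerprint

    def activate(self, key: str, fp: str) -> bool:
        if key not in self.bound:
            return False                      # never issued
        if self.bound[key] is None:
            self.bound[key] = fp              # first activation binds key to machine
            return True
        return hmac.compare_digest(self.bound[key], fp)  # same machine may re-activate

class Client:
    def __init__(self, key: str, server: ActivationServer):
        self.key, self.server = key, server
        self.stored_fp = None                 # step 2: hash kept locally

    def _fp(self, device_ids: dict) -> str:
        # Assumption: the license key doubles as the salt.
        return fingerprint(device_ids, self.key.encode())

    def activate(self, device_ids: dict) -> bool:
        """Step 3: call home with the hash; keep it only if the server accepts."""
        fp = self._fp(device_ids)
        if self.server.activate(self.key, fp):
            self.stored_fp = fp
            return True
        return False

    def periodic_check(self, device_ids: dict) -> str:
        """Step 4: 'ok' if hardware is unchanged, else 'reactivate'."""
        if self.stored_fp and hmac.compare_digest(self.stored_fp, self._fp(device_ids)):
            return "ok"
        return "reactivate"
```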

~~~
dxjones
Thanks for such a clear answer.

I am more of a Mac programmer. ... In a Microsoft/Windows/Intel world, ...
what would be one (or a few) specific examples of hardware id that would be
available on most PCs??

I don't need a detailed explanation. Just a few quick links to online info
sources would be a great help.

