- Auslogics Boost Speed 9 License Key Generator
- Bytefence License Key Generator
- Generate License Keys For Software
Active3 years, 9 months ago
I need a serial number generator and accompanying checker. I would like to be able to set a salt (and maybe a length). The generator should only produce serial numbers that pass the test of the checker. Those numbers should only account for a small fraction of all the possible numbers of the given length.
I was working on a project recently that required unique API keys to be generated for clients connecting to the server. For various reasons, I settled on the style of license key.
The algorithm needn't be cryptographically secure. Rather, it should be very easy to implement (in javascript) and it should be very fast.
This class can generate and validate license key serial numbers. It can generate a string with a serial number for use as license key of a given length for using with a given application. The generated key includes characters of a specified character set and is formatted grouping characters in. Get a License Key This page will assist you in getting a permanent or temporary license key for the programs that we make. Choose the option below that best matches your situation. Apr 02, 2008 Hi all, I want to idea/code for license key generation. In detail, I give a product to client, while installation it will generate one key and asked unlock for that key.
To clarify: If you buy commercial software, it is sometimes protected with a serial number/a key. If you type it in, the software verifies it algorithmically (by checking whether it fulfills certain properties), rather than looking up a huge database. I'm also pretty sure that the keys were all generated algorithmically rather than by hand. And only a small fraction of all the possible keys of a given length are actually valid so it's hard to guess keys.
Salt: I don't know whether salt is the right word, but the algorithm should have at least one parameter, whose choice alters the generated keys (so that multiple people can use the same algorithm and needn't fear collisions).
Gilles41.4k1212 gold badges100100 silver badges155155 bronze badges
DaveDave
3 Answers
If there is no real need for security, then here is a very fast serial number generator, with a checker:
- User a counter. Initialize it at 0. When you want a new serial number, increment your counter by 1000; the new counter value is the serial number. The checker works like this: a serial number is valid if it ends with three zeros. Only one of every 1000 numbers will be accepted by the checker.
If this solution does not please you, then you do have a need for security, and this calls for cryptography.
The cryptographically secure solution is to have signed serial numbers: the serial number is the encoding of some payload (e.g. a counter of all serial numbers that you have generated) and a signature over the payload. The generator has a private key, which it uses to compute the signatures; the checker only knows the corresponding public key. The trouble with this setup is not really about verification time, even in Javascript; rather, it is the size of the signature which is a problem. I assume that the serial number will be, at some point, typed by a user. The minimal theoretical size for a cryptographically secure signature is about 80 bits (since signatures can be verified with only the public key, an attacker could try all possible bit sequences, and we usually require a security level of at least 280). However, the smallest signatures among the 'assumed to be secure schemes' are closer to 160 bits (with BLS, which uses a pairing, which is kind of complex to implement) or 320 bits (with DSA or ECDSA). There is some work on signature systems with shorter signatures (Quartz, or McEliece-Niederreiter) but there is quite some controversy on their security.
Even with both uppercase letters and digits (36 possible characters, and there you have both 'I' and '1', and also 'O' and '0'), a 160-bit signature will use 31 characters. Along with the payload, you will end up with serial numbers of length 35 or so, which is probably too much for an average user to type in (but not by a large margin; an 80-bit signature would fit nicely).
If you do not use a signature scheme, then you must be aware that a reasonably determined attacker will be able, through some disassembly, to circumvent the checker, or even to learn enough to be able to produce his own serial numbers (which the checker will happily accept). At that point, you will not get quantified security: you will not be able to say: 'my scheme is secure up to a budget of 3.8 billion dollars'. Rather, it will go as: 'my scheme is secure until a sufficiently witty and bored student comes along, reverse-engineers the checker code, and publishes the result on Facebook'.
The classical not-really-secure scheme would look like this:
- Use the counter from the previous scheme (the one with ends with three zeros). Encode it as a 64-bit block. Encrypt that block with some hardcoded symmetric key, using a block cipher. The checker knows the key, and verifies the serial number by decrypting it (with the same hardcoded symmetric key) and looking at the final zeros.
This is not really more secure than the plain counter, but at least the serial numbers will be random-looking. With an alphabet of 34 characters (digits and uppercase letters except 'O' and 'I'), a 64-bit block requires 13 letters, which is probably acceptable (a typical Microsoft serial number has 25 letters). For the 64-bit block cipher, I recommend XTEA, which should be fast and simple enough to implement.
Thomas PorninThomas Pornin294k5252 gold badges699699 silver badges899899 bronze badges
If you want the cryptographically secure method you won't get around an internet connection to verify the serial. This means that such a protection scheme is better suited for subscription based software than it is for traditional shelf software.
With internet connections it's simple (since you use JS, I assume that's the one you want):
- Someone creates a key, that party has to know the secret
- Server knows secret and is able to decode the data
- Client sends the key, which is a binary blob encoded in Base32 (also see this)
- Server decrypts the key and checks whether it's valid (either just syntactically or also semantically)
Without internet connection you can still use a scheme similar to PGP signing in order to verify that the blob that the user enters was created by you. Encryption won't work the same, because the decryption always requires to know the secret and the big issue here is:
- you don't trust the user (otherwise you wouldn't need the protection scheme)
- you give the user the secret, compiled into your binary
Obviously both points contradict each other. On one hand you don't trust the user, on the other hand you have to deploy the secret used for decryption.
All in all I have to conclude that without the internet connection and the server-based validity check that results in the revelation of some knowledge (e.g. content that is useful only for so long) any protection scheme I have seen so far is more or less an arms race between crackers and vendors.
Now, if it isn't important to have a cryptographically secure system, I'd still go for any binary data that you can secure by means of a simple CRC or so. What comes to mind would be:
- Have a monotonically increasing serial number
- XOR it with your salt value (or any other reversible operation)
- Take the CRC32 of that value (or Adler32 or whatever) - add more salt here if needed
- Encode it with Base32 (aids readability etc)
- Only check that the CRC32 for validity ...
1,28822 gold badges1111 silver badges1717 bronze badges
OP wrote 'it should be very easy to implement (in javascript) and it should be very fast'
Its not clear whether 'in javascript' refers to the generator or the checker or both, or whether it refers to 'javascript in the browser', or some other java/ecmascript implementation (e.g. server-side in the web server).
Javascript as an implementation language isn't necessarily a problem, and there are a couple of crypto libraries for javascript (supporting MD5, DES, AES, SHA, PBKDF2, HMAC):
Speed shouldn't be too much of a problem either (browser javascript engines are getting quite usable in that respect, once you get past IE6/7).
However, neither of the above support public key crypto (which is required for security if the 'checker' is distributed to the untrusted user and thus cannot be allowed access to the key used to create serial numbers) - let alone the specific algorithms suggested by Thomas, above. Google does turn up some hits for public-key implementations in JavaScript (http://www-cs-students.stanford.edu/~tjw/jsbn/, http://ohdave.com/rsa/, http://www.hanewin.net/encrypt/rsa/rsa.htm) but personally I'd be even more nervous about their bug-free-ness than the 'bigger' libraries above.
Perhaps more significantly, even with a public key-based approach, if either the generator or the checker are distributed to the untrusted user, then the scheme is not secure. If the generator code is available to the untrusted user then they can generate as many keys as they like, while if the checker is available to the untrusted user then they can simply modify the javascript code to skip the checks. [The same issue arises with native code, of course, but, even with obfuscation, JavaScript is arguably simpler to attack through local modifications.]
Before implementing a security scheme in JavaScript you should also consider the wider trust issues: see http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/ for a useful summary.
MishaMisha
Not the answer you're looking for? Browse other questions tagged cryptographydigital-signaturerandomlicense-enforcement or ask your own question.
Active1 year, 7 months ago
I want to have a random serial created on my website everytime someone visits.
The format of the serial should be XXXXX-XXXXX-XXXXX-XXXXX.
X represents a random number or capital letter.
Unfortunately I have no idea how to do this. Could anybody please help me out?
Unfortunately I have no idea how to do this. Could anybody please help me out?
So for example the random serial output could be: 3WT4A-NB34O-JU87P-B3UHS
Thanks a lot!
kubaThanks a lot!
6,48411 gold badge2626 silver badges4040 bronze badges
Kid DiamondKid Diamond60466 gold badges2222 silver badges6060 bronze badges
7 Answers
There are most certainly better ways of doing it, but this is the first that jumps to mind:
05/26/13 Edit: It's advised to keep the Count function outside of the loop. The reason for this is that you don't want to expend the extra clock cycles running this function through each iteration when you can simply run it once.
maiorano84maiorano849,48033 gold badges2525 silver badges4242 bronze badges
Another approach is to calculate the four segments as random numbers in base 36.
salathesalathe45k1010 gold badges9292 silver badges121121 bronze badges
The most straightforward solution would be something like this.
Sample output:
blafratblafrat
There's a bunch of ways to approach this. One simple one is:
Auslogics Boost Speed 9 License Key Generator
There are better ways to generate random strings then this but this would give you the basic functionality you're looking for.
Bytefence License Key Generator
John CondeJohn Conde191k8484 gold badges383383 silver badges436436 bronze badges
Moyed AnsariMoyed Ansari7,75822 gold badges2929 silver badges5252 bronze badges
If you want to use this serial just because of uniqueness - you could also try to use UUID v4, as described in one of answers here: PHP function to generate v4 UUID
Community♦
LaimoncijusLaimoncijus5,20288 gold badges5050 silver badges7878 bronze badges
There a lot of such answers at SO: https://stackoverflow.com/a/4356295/1091195
You can use the random string generator mentioned there, either you use it once to get a 20 letter string then insert dashes, or you can call it 4 times for 5 letter and concat the results.
Generate License Keys For Software
Community♦
kubakuba6,48411 gold badge2626 silver badges4040 bronze badges