We have a License Key generator written in C with the format attached as a PNG file. Currently there is a 32 bit Checksum for the key. We need to use some of the 80 bits available from the key to use as a customer number. I'm looking for a way to generate license keys by a PHP script and then transfer its to my application (Air, AS3), and in this application to read the data correctly. For example, here is the code. I need a serial number generator and accompanying checker. I would like to be able to set a salt (and maybe a length). The generator should only produce serial numbers that pass the test of the checker. Those numbers should only account for a small fraction of all the possible numbers of the given length. The algorithm needn't be cryptographically secure. Rather, it should be very easy to implement (in javascript) and it should be very fast. To clarify: If you buy commercial software, it is sometimes protected with a serial number/a key. If you type it in, the software verifies it algorithmically (by checking whether it fulfills certain properties), rather than looking up a huge database. I'm also pretty sure that the keys were all generated algorithmically rather than by hand. And only a small fraction of all the possible keys of a given length are actually valid so it's hard to guess keys. Salt: I don't know whether salt is the right word, but the algorithm should have at least one parameter, whose choice alters the generated keys (so that multiple people can use the same algorithm and needn't fear collisions). Javascript is primarily a client side language, so everyone will see ur algorithm. (there is ssjs, but who uses it??). Its also SLOW in compare to compiled programs. Whatever you do, the best would be to: *1 generate these keys and save them to a database. *2 write a php/java form to read in user imputed key and see if its in the database. This allows for pretty much anything. One way to generate the keys is then to make a random number and get a sha1 or md5 of it (can do more then once to make it true random) – Mar 7 '11 at 9:52 •. If there is no real need for security, then here is a very fast serial number generator, with a checker: • User a counter. Initialize it at 0. When you want a new serial number, increment your counter by 1000; the new counter value is the serial number. The checker works like this: a serial number is valid if it ends with three zeros. Only one of every 1000 numbers will be accepted by the checker. If this solution does not please you, then you do have a need for security, and this calls for cryptography. The cryptographically secure solution is to have signed serial numbers: the serial number is the encoding of some payload (e.g. A counter of all serial numbers that you have generated) and a signature over the payload. The generator has a private key, which it uses to compute the signatures; the checker only knows the corresponding public key. The trouble with this setup is not really about verification time, even in Javascript; rather, it is the size of the signature which is a problem. I assume that the serial number will be, at some point, typed by a user. The minimal theoretical size for a cryptographically secure signature is about 80 bits (since signatures can be verified with only the public key, an attacker could try all possible bit sequences, and we usually require a security level of at least 2 80). However, the smallest signatures among the 'assumed to be secure schemes' are closer to 160 bits (with, which uses a pairing, which is kind of complex to implement) or 320 bits (with or ). There is some work on signature systems with shorter signatures (, or ) but there is quite some controversy on their security. Even with both uppercase letters and digits (36 possible characters, and there you have both 'I' and '1', and also 'O' and '0'), a 160-bit signature will use 31 characters. Along with the payload, you will end up with serial numbers of length 35 or so, which is probably too much for an average user to type in (but not by a large margin; an 80-bit signature would fit nicely). If you do not use a signature scheme, then you must be aware that a reasonably determined attacker will be able, through some disassembly, to circumvent the checker, or even to learn enough to be able to produce his own serial numbers (which the checker will happily accept). At that point, you will not get quantified security: you will not be able to say: 'my scheme is secure up to a budget of 3.8 billion dollars'.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
November 2018
Categories |