How To Generate and Validate A Software License Key?: 15 Answers
How To Generate and Validate A Software License Key?: 15 Answers
How To Generate and Validate A Software License Key?: 15 Answers
Ask Question
I'm currently involved in developing a product (developed in C#) that'll be available for downloading and installing for
free but in a very limited version. To get access to all the features the user has to pay a license fee and receive a key.
209 That key will then be entered into the application to "unlock" the full version.
135
2. How can I generate the key and how can it be validated by the application?
3. How can I also avoid having a key getting published on the Internet and used by others that haven't payed the
license (a key that basically isn't "theirs").
I guess I should also tie the key to the version of application somehow so it'll be possible to charge for new keys in
feature versions.
c# license-key
share improve this question edited May 7 '13 at 16:23 asked Mar 1 '09 at 13:41
Robert Harvey ♦ Riri
149k 33 275 419 5,666 12 52 78
add a comment
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Caveat: you can't prevent users from pirating, but only make it easier for honest users to do the right thing.
Assuming you don't want to do a special build for each user, then:
116
Generate yourself a secret key for the product
Take the user's name
Concatentate the users name and the secret key and hash with (for example) SHA1
Unpack the SHA1 hash as an alphanumeric string. This is the individual user's "Product Key"
Within the program, do the same hash, and compare with the product key. If equal, OK.
I have recently read that this approach is not cryptographically very sound. But this solution is already weak (as the
software itself has to include the secret key somewhere), so I don't think this discovery invalidates the solution as
far as it goes.
Just thought I really ought to mention this, though; if you're planning to derive something else from this, beware.
share improve this answer edited Dec 10 '10 at 15:08 answered Mar 1 '09 at 13:53
Steven A. Lowe Brent.Longborough
53.5k 16 120 196 6,716 7 32 57
13 if the program includes the secret key (as implied by the steps above), cracking it is trivial – Steven A. Lowe Dec 8 '10 at 14:49
18 @Steven: Yes, as I hope I implied very clearly, twice. – Brent.Longborough Dec 10 '10 at 0:56
2 edited to be more obvious; cannot over-emphasize something that fundamental ;-) – Steven A. Lowe Dec 10 '10 at 15:09
18 Use an asymmetric cryptographic method (such as RSA) for generating and decoding the product key to avoid embedding the
secret in the code. – Amir Moghimi Jun 19 '12 at 6:43
6 I would think that by the time someone is hacking your code (possibly at the assembly level) to find your secret key, they are
probably also at the level that they can just bypass your checks entirely. I don't think there's a method of registration so secure
that it can survive a good hacker running the program locally. As the original comment said, it's really all about anything that
makes it one step harder than simply copying the file. A lot of games these days have given up on copy protection and simply
take the game content online in which case the code is out of the hacker's hands JamieB Dec 4 '12 at 22:56
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
take the game content online, in which case the code is out of the hacker s hands. – JamieB Dec 4 12 at 22:56
There are many ways to generate license keys, but very few of those ways are truly secure. And it's a pity, because for
companies, license keys have almost the same value as real cash.
75 Ideally, you would want your license keys to have the following properties:
1. Only your company should be able to generate license keys for your products, even if someone completely reverse
engineers your products (which WILL happen, I speak from experience). Obfuscating the algorithm or hiding an
encryption key within your software is really out of the question if you are serious about controlling licensing. If your
product is successful, someone will make a key generator in a matter of days from release.
2. A license key should be useable on only one computer (or at least you should be able to control this very tightly)
3. A license key should be short and easy to type or dictate over the phone. You don't want every customer calling the
technical support because they don't understand if the key contains a "l" or a "1". Your support department would
thank you for this, and you will have lower costs in this area.
1. The answer is simple but technically challenging: digital signatures using public key cryptography. Your license keys
should be in fact signed "documents", containing some useful data, signed with your company's private key. The
signatures should be part of the license key. The product should validate the license keys with the corresponding
public key. This way, even if someone has full access to your product's logic, they cannot generate license keys
because they don't have the private key. A license key would look like this: BASE32(CONCAT(DATA,
PRIVATE_KEY_ENCRYPTED(HASH(DATA)))) The biggest challenge here is that the classical public key
algorithms have large signature sizes. RSA512 has an 1024-bit signature. You don't want your license keys to have
hundreds of characters. One of the most powerful approaches is to use elliptic curve cryptography (with careful
implementations to avoid the existing patents). ECC keys are like 6 times shorter than RSA keys, for the same
strength. You can further reduce the signature sizes using algorithms like the Schnorr digital signature algorithm
(patent expired in 2008 - good :) )
2. This is achievable by product activation (Windows is a good example). Basically, for a customer with a valid license
key, you need to generate some "activation data" which is a signed message embedding the computer's hardware
id as the signed data. This is usually done over the internet, but only ONCE: the product sends the license key and
the computer hardware id to an activation server, and the activation server sends back the signed message (which
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
can also be made short and easy to dictate over the phone). From that moment on, the product does not check the
license key at startup, but the activation data, which needs the computer to be the same in order to validate
(otherwise, the DATA would be different and the digital signature would not validate). Note that the activation data
checking do not require verification over the Internet: it is sufficient to verify the digital signature of the activation
data with the public key already embedded in the product.
3. Well, just eliminate redundant characters like "1", "l", "0", "o" from your keys. Split the license key string into groups
of characters.
share improve this answer edited Dec 25 '12 at 14:21 answered Nov 16 '11 at 10:23
Andrew Barber Catalin S.
33.9k 14 79 109 767 5 4
7 Couldn't they just edit the software adding/removing code such that the check is skipped totally? – Pacerier Nov 13 '14 at 18:55
Does the answer to number 1 necessitate an online activation/deactivation service essentially? – Dan W Oct 31 '15 at 8:42
I would like to point out how vastly superior this answer is to the other hashy thing. – Erik Aronesty 18 hours ago
add a comment
Don't punish honest customers with a system meant to prevent hackers, as hackers will crack it regardless.
67
A simple hashed code tied to their email or similar is probably good enough. Hardware based IDs always become an
issue when people need to reinstall or update hardware.
share improve this answer edited Jun 18 '16 at 15:49 answered Mar 1 '09 at 13:45
palerdot schooner
4,120 1 29 36
2,081 8 25 37
37 +1. your comment about not punishing users is spot on. – Mitch Wheat Mar 1 '09 at 13:46
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
2 agreed, you don't want to upset the users that are actually purchasing your product! (pay heed m$, apple, etc...) – Jason Mar 1
'09 at 15:02
2 MS, Apple, etc can get away with it as they are big and provide core products that is hard to get elsewhere or have a large market
shadow they can use to force people. The small dev can't. – schooner Mar 1 '09 at 15:38
add a comment
When generating the key, don't forget to concatenate the version and build number to the string you calculate the hash
on. That way there won't be a single key that unlocks all everything you ever released.
50 After you find some keys or patches floating in astalavista.box.sk you'll know that you succeeded in making something
popular enough that somebody bothered to crack. Rejoice!
6 "don't forget to concatenate the version and build number to the string you calculate the hash on" - but won't that make the key
break when the user updates to a minor patch release? – thomthom Sep 24 '15 at 22:17
1 @thomthom How about then to associate a maximum version to a key? The version idea itself is plausible and adds more security
– Marvin Thobejane Oct 27 '15 at 7:05
@MarvinThobejane to associate a max ver you can sign the max ver allowed, and have the code iterate it's version a bit. but no
>= ops allowed in sigs. – Erik Aronesty 18 hours ago
add a comment
Any use of .NET applications are inherently breakable because of the intermediate language issues. A simple
21 disassembly of the .NET code will open your product to anyone. They can easily bypass your licensing code at that
point.
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
You can't even use hardware values to create a key anymore. Virtual machines now allow someone to create an image
of a 'licensed' machine and run it on any platform they choose.
If it's expensive software there are other solutions. If it's not, just make it difficult enough for the casual hacker. And
accept the fact that there will be unlicensed copies out there eventually.
If your product is complicated, the inherent support issues will be create some protection for you.
9 +1 for preventing weakness on Hardware values because of Virtual Machines. – Rubens Mariuzzo Jan 2 '12 at 16:36
3 That's what strong-naming for .NET and Authenticode for PE signing is for. If someone has decompiled, modified and rebuilt your
library it won't be signed and the application will simply not run. The .NET virtual machine won't allow it. – Stephen Tunney Jul 30
'15 at 0:01
1 Signing is for validating the origin of the program you will run. If the user dont care about the origin because he know it is modified
and cracked, the cracker would strip out the signature, or even sign it with his own signature. Signing does stop mixing trustable
assemblies with untrustable assemblies. – jesusduarte Feb 19 '16 at 18:37
a mobile app can be used as a jury-rigged hardware dongle for expensive software.... just pay using the app, and embed a
signing key in the app's secure element. then you can activate using the desktop + app... deactivating the other desktop.
colocating some critical section code areas in the app and/or in online homomorphic computation services can help prevent trivial
decompilation. – Erik Aronesty 18 hours ago
add a comment
The C# / .NET engine we use for licence key generation is now maintained as open source:
https://github.com/appsoftware/.NET-Licence-Key-Generator.
10
It's based on a "Partial Key Verification" system which means only a subset of the key that you use to generate the key
has to be compiled into your distributable. You create the keys your self, so the licence implementation is unique to your
software.
As stated above, if your code can be decompiled, it's relatively easy to circumvent most licencing systems.
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
share improve this answer edited Jan 20 '15 at 11:35 answered May 9 '13 at 21:21
gb2d
3,533 6 40 81
Would you be willing to do a tutorial for using this product? I found their wiki a bit lacking. – Anthony Ruffino Nov 11 '14 at 19:29
The project has now been open sourced on GitHub if that helps (answer edited with link). – gb2d Jan 20 '15 at 11:36
add a comment
You can only protect software up to a point with any licensing scheme.
6
share improve this answer answered Mar 1 '09 at 13:43
Mitch Wheat
255k 36 406 499
add a comment
but i believe that .net can access the hard drive serial number.
6
you could have the program send you that and something eles ( like user name and mac address of the nic)
you compute a code based off that and email them back the key.
they will keep them from switching machines after they have the key.
4 And keep them from replacing a dead HD amoung other thigns, leading to frustration. There is no easy answer unfortunately, you
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
p p g g g g y y y
need to balance trust with basic licensing mechanicsms. – schooner Mar 1 '09 at 17:55
Worked many years as a software engineer with a product that used the serial number off the hd, it was completely insecure to
those that knew how to update it. – oden Mar 5 '16 at 5:18
I was implying to use this number with other things (mac address, FQDN ) maybe throw them all in a hash. The point is to make it
slightly more difficult to spoof all this data than it is to reverse enginer the software in the first place and remove the check
becuase thats always an option. – Crash893 Mar 16 '16 at 1:05
add a comment
The only way to do everything you asked for is to require an internet access and verification with a server. The
application needs to sign in to the server with the key, and then you need to store the session details, like the IP
4 address. This will prevent the key from being used on several different machines. This is usually not very popular with
the users of the application, and unless this is a very expensive and complicated application it's not worth it.
You could just have a license key for the application, and then check client side if the key is good, but it is easy to
distribute this key to other users, and with a decompiler new keys can be generated.
4 i worked at a company that used an internet based licensing scheme. every time the program started it went online to validate, i
think the company spent more $$ on infrastructure and developers for their licensing solution than they would've lost from piracy
(they were a niche product). – Jason Mar 1 '09 at 15:05
3 furthemore, the technical support costs were huge. many, MANY times a user would legitmately use another computer to try and
run the software but the hash was different which led to massive amounts of tech support. in short, what schooner said - don't
punish honest users. – Jason Mar 1 '09 at 15:07
1 It seems your company was a little overzealous by requiring validation on startup every time. – jugg1es May 12 '13 at 1:44
@Jason, Well, they should up the price of the product. – Pacerier Nov 13 '14 at 18:56
add a comment
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
I've implemented internet-based one-time activation on my company's software (C# .net) that requires a license key that
refers to a license stored in the server's database. The software hits the server with the key and is given license
4 information that is then encrypted locally using an RSA key generated from some variables (a combination of CPUID
and other stuff that won't change often) on the client computer and then stores it in the registry.
It requires some server-side coding, but it has worked really well for us and I was able to use the same system when we
expanded to browser-based software. It also gives your sales people great info about who, where and when the
software is being used. Any licensing system that is only handled locally is fully vulnerable to exploitation, especially
with reflection in .NET. But, like everyone else has said, no system is wholly secure.
In my opinion, if you aren't using web-based licensing, there's no real point to protecting the software at all. With the
headache that DRM can cause, it's not fair to the users who have actually paid for it to suffer.
1 But the main problem with web licensing is that the licensing service becomes a prime target for DDoS attacks.. Which either
paralyze the service or inflate cloud costs. – afk5min Jul 10 '14 at 16:23
4 That's like saying that there's no point in having a website because it's vulnerable to DDoS attacks... – jugg1es Jul 12 '14 at 17:58
@jugg1es Nowhere in his comment did he say "there's no point". He simply pointed out the fact that it's a vulnerability that should
be considered. – Dan Bechard Dec 8 '14 at 14:39
And the checks can still be removed in the client. No check, no webbased licensing... – azarai Dec 26 '14 at 16:03
1 Do you mean actual application code with "required information"? Code that would be necessary to run the app? Otherwise i'd
think it will still result in calling isLicensed check methods in ones code. – azarai Dec 27 '14 at 17:47
Like a few others mentioned, I'm a huge opponent of being hostile to customers by default—something that the
licensing industry is notorious for. So I'll expand on a good solution for your problem that also offers a good customer
3 UX.
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
To start off, you mentioned that you have a "limited" version of your software that you're using to try and convert
customers to "upgrade" for additional features. So what you're looking for are feature licenses for your product e.g. a
customer can purchase a license for feature-X or feature-Y.
I built Keygen with this type of licensing in mind. Keygen is a licensing REST API that allows you to manage user
accounts, licenses and also track machine usage/associations.
What I would do is set up 2 license types (a policy within Keygen) where one is a base policy for the limited free version,
and the other is a policy for the paid version.
I'm not sure what you're using for payments, but let's assume you're using something like Stripe (pretty standard
nowadays) that offers webhooks. Keygen also has webhooks (whether you use it or not, all this is still applicable). You
can integrate Keygen to talk with your payment provider using webhooks from both sides (think: customer.created -
>create base license for customer, license.created ->charge customer for the new license).
So by utilizing webhooks, we can automate license creation for new customers. So what about license validation within
the application itself? This can be done in a variety of ways, but the most popular way is by requiring your customer to
enter a long license key into an input field which you can then validate; I think this is a terrible way to handle license
validation in your application.
Why do I think that? Well first off, you're requiring your customer to input a tediously long license key that is meant for
machine consumption, and second your requiring you and your customer to keep track of said tediously long license
key.
Okay, so what's an alternative? I think the best alternative is doing something all of your customers are used to: allowing
them to create an account for your product using an email/password. You can then associate all of their licenses and
their machines with that account. So now instead of inputting a license key, they can simply log in using their
credentials.
What advantage does that give you? Firstly, it gets rid of the need for you and your customers to keep track of license
keys, since it's all handled behind-the-scenes inside of their user account and most importantly: you can now offer your
customers self-serve license and machine activation! i.e. since all of their licenses and machines are associated with
their user account, you can prompt them to purchase a license when they fire up your application on an unrecognized
machine.
Now onto license validation: whenever your customer logs into your application with their email/password, you can
query their user account for the licenses they own to determine if they can use feature-X or feature-Y. And since your
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
application is now self-serve, you can allow your customers to purchase additional features directly from within your
application!
So we've introduced a ton of automation to our licensing system, we can license individual features (i.e. a limited vs. full
version), we've offered an awesome UX for our customers and we've also alleviated one of the biggest reasons for
support requests: license key recovery.
share improve this answer edited May 13 '17 at 20:50 answered May 13 '17 at 20:10
ezekg
488 6 16
add a comment
I'm one of the developers behind the Cryptolens software licensing platform and have been working on licensing
systems since the age of 14. In this answer, I have included some tips based on experience acquired over the years.
3 The best way of solving this is by setting up a license key server that each instance of the application will call in order to
verify a license key.
1. you can always update or block a license key with immediate effect.
2. each license key can be locked to certain number of machines (this helps to prevent users from publishing the
license key online for others to use).
Considerations
Although verifying licenses online gives you more control over each instance of the application, internet connection is
not always present (especially if you target larger enterprises), so we need another way of performing the license key
verification.
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
The solution is to always sign the license key response from the server using a public-key cryptosystem such as RSA or
ECC (possibly better if you plan to run on embedded systems). Your application should only have the public key to
verify the license key response.
So in case there's no internet connection, you can use the previous license key response instead. Make sure to store
both the date and the machine identifier in the response and check that it's not too old (eg. you allow users to be
offline at most 30 days, etc) and that the license key response belongs to the correct device.
Note you should always check the certificate of license key response, even if you are connected to the internet), in
order to ensure that it has not been changed since it left the server (this still has to be done even if your API to the
license key server uses https)
Most .NET applications can be reverse engineered quite easily (there is both a diassembler provided by Microsoft to get
the IL code and some commercial products can even retrieve the source code in eg. C#). Of course, you can always
obfuscate the code, but it's never 100% secure.
I most cases, the purpose of any software licensing solution is to help honest people being honest (i.e. that honest
users who are willing to pay don't forget to pay after a trial expires, etc).
However, you may still have some code that you by no means want to leak out to the public (eg. an algorithm to predict
stock prices, etc). In this case, the only way to go is to create an API endpoint that your application will call each time
the method should be executed. It requires internet connection but it ensures that your secret code is never executed by
the client machine.
Implementation
If you don't want to implement everything yourself, I would recommend to take a look at this tutorial (part of Cryptolens)
add a comment
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
I strongly believe, that only public key cryptography based licensing system is the right approach here, because you
don't have to include essential information required for license generation into your sourcecode.
2 In the past, I've used Treek's Licensing Library many times, because it fullfills this requirements and offers really good
price. It uses the same license protection for end users and itself and noone cracked that until now. You can also find
good tips on the website to avoid piracy and cracking.
Would public key cryptography necessitate using an online activation service? I mean, if it's not in the source code (I presume you
mean the executable as well), where else could it be? – Dan W Oct 31 '15 at 9:21
No, you don't have to use online activation service. You can generate license files completely offline. – panpernicek Nov 10 '15 at
12:24
The key is in the fact, that you're placing only public key to code, which can't be used for license generation. Only for its
verification. – panpernicek Nov 10 '15 at 15:29
add a comment
It is not possible to prevent software piracy completely. You can prevent casual piracy and that's what all licensing
solutions out their do.
2 Node (machine) locked licensing is best if you want to prevent reuse of license keys. I have been using Cryptlex for
about a year now for my software. It has a free plan also, so if you don't expect too many customers you can use it for
free.
add a comment
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
You can use a free third party solution to handle this for you such as Quantum-Key.Net It's free and handles payments
via paypal through a web sales page it creates for you, key issuing via email and locks key use to a specific computer to
0 prevent piracy.
Your should also take care to obfuscate/encrypt your code or it can easily be reverse engineered using software such as
De4dot and .NetReflector. A good free code obfuscator is ConfuserEx wich is fast and simple to use and more effective
than expensive alternatives.
You should run your finished software through De4Dot and .NetReflector to reverse-engineer it and see what a cracker
would see if they did the same thing and to make sure you have not left any important code exposed or undisguised.
Your software will still be crackable but for the casual cracker it may well be enough to put them off and these simple
steps will also prevent your code being extracted and re-used.
https://quantum-key.net
https://github.com/0xd4d/de4dot
https://www.red-gate.com/dynamic/products/dotnet-development/reflector/download
add a comment
Not the answer you're looking for? Browse other questions tagged c# license-key or ask your own question.
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
asked 10 years ago
Linked
Related
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
1022 Create Generic method constraining T to
an Enum
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Writing a character who is going through a
civilizing process without overdoing it?
Am I a Rude Number?
question feed
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
STACK OVERFLOW PRODUCTS COMPANY STACK EXCHANGE Blog Facebook Twitter LinkedIn
NETWORK
Questions Teams About
Technology
Jobs Talent Press
Life / Arts
Developer Jobs Directory Engagement Work Here
Culture / Recreation
Salary Calculator Enterprise Legal
Science
Help Privacy Policy
Other
Mobile Contact Us site design / logo © 2019 Stack Exchange Inc; user
contributions licensed under cc by-sa 3.0 with
Disable Responsiveness attribution required. rev 2019.2.28.32961
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD