Security for my program

Vb Gangsta

Freshman
Joined
Aug 31, 2003
Messages
27
Hi, I am ready to release my program but I want to protect it so people cant trade it over the internet. I only want it to run on one computer which is the first one that runs it.
 
Gangsta -


How to protect your application against pirating with Product Keys and Application Activation.

This is how to confine your app to one machine without using a hardcode DLL for each user:

This involves using Asymetric Cryptography.

Find the hardware specs of your machine.

Serialize the Specs.
Serialize the Product Key.

SHA1 Hash the two strings.

Send it to your Activation Web Service

Your Web Service:
- Confirms the Product Key.
- Ensures no other Hardware Hashes are associated with that key.

- Encrypyts a response with the hashcode in it using their private key.

Your application saves the response to the application directory to be checked everytime the application is launched.

The Application Decrypts the information using your public key.

If the application can decrypt the info and the hardware hash code matches, then voila@, the application is authorized.



Hope this helps.
 
First off i want to thank you for that response. It was most helpful but I have a couple of further Questions.

1. Is it possible for anyone to Hex out the serial and Hardware specs check or is it to complicated?

2.What Hardware specs do i check for?

3.and about the Activation Web Service can i make that my self useing html or something and can I use a freeweb service?

4. Can anyone create a keygen for it?

And I am not sure how to do most of the things you posted but I am going to research it because I could not stand to see all my hardwork being passes around the internet for Free. Again Sorry for all the Questions.
-Rob
 
Gangsta,

Yes, if you get a hash of the hardware specs and then the user changes them the program will not run.

This is the whole point. You want to detect if the user is installing the program on another system. You might want to make sure there is a handy dandy customer service email and phone number for those people who want to move the application to antoher machine or do major upgrades to their system.

Just take a snapshot of system information that usually doesn't change. Such as:
- Motherboard
- Primary Hard Drive
- Floppy Drive Model

You can get this information from the - Programs - Accessories - System Tools - System Information Tool...

There are some hardware identification keys in the registry that you can pull programitically if you need to. Also, I thought that the System Information utility had some exposed interfaces that you can access.... (I have usually done this type of thing through bios, but I am sure the Windows APIs would be much simpler to use.)


The Activation Web Service that I spoke of is very easy to make. Just make sure you have a working primary and public key pair.

To digitally sign your application us. sn -k to generate a key pair.
use the private key to sign your application. In the AssemblyInfo.vs file in your project, there is an attribute that you use to point to your key file.

[assembly: AssemblyKeyFile("\mykey.snk")]


Honestly, digitally signing your assemblies is not the hard part. (remember, this only ensures that your code can't be changed. Not pirated.) By digitially signing your app, you ensure that someone can not change your piracy protection code.


The hard parts are getting the hardware specs from the system.


Remember the steps:
[The client ]
- Get hardware specs of system.
- Serialize it. (Turn it into a string.)
- Run a sha1 hash on it. (.NET Cryptography namespace)
- Accesses Activation Web Service and submits product key and hardware hash.

[Activation Web Service]
- Confirms validity of product key
- Ensures that that the product key is not already assiciated with another hardware hash in the databae, (xml file?)
- Associates product key with hardware hash code in the database.
- Digitally signs an "Activation Response" response containing the Hash and Product Key.

[Client]
- Saves Response to application folder.

[Client upon startup]
- Looks for an "Activation Response" on the hard drive. (If not prompts the user for activation.)

- Verifies the "Activation Reponse" by:
1. Validating the digital signature by comparing it with a public key stored with the application or over the Internet.
2. Verifies the hash stored in the "Activation Response" with the actual hash of the system. This is done every time. This is essentially scanning for hardware changes.

- If everything is verified, then the application launches. (There might be a grace period to all for people who don't have internet access and have to activate by phone.

Hope this helps. You can do searches for almost everything I typed on google if you want a second opinion or cool ways to access hardware configuration information.

Hope this helps.
 
Back
Top