Best 3rd Party Libraries for Secure Key Generation?

 
Ranch Hand
Posts: 229
What are the leading (preferably open source or very inexpensive) libraries for serial number / key generation?

What I am looking for should have:

1. Something that is secure, unique, and generates alphanumeric keys.

2. Is something very fast and efficient.

3. Has the capability to handle multiple input seeds.

Thanks!
 
Rancher
Posts: 4686
Is there any reason not to just use OpenSSL?
It works on all important platforms, is well judged as secure.

I would not try to do key generation in Java as it's very computationally intensive. Even with great optimizing JVMs, it's going to be faster to just exec out and use OpenSSL.
 
James Dekker
Ranch Hand
Posts: 229
I don't understand what you mean by suggesting using OpenSSL for a key generator.

Am looking for something which generates alphanumeric keys (when you install a CD and it asks you to type in a Product Key).

Is there an inexpensive or 3rd party product (which can be integrated by using Java) specializing in Key Generation?

Something like:

http://www.bouncycastle.org/java.html
 
Ranch Hand
Posts: 1282
You have to understand Pat is degreed in the matter with decades of field experience, much of it directly crypto related. Show him mercy, he is 153788, much later than you. (joke from another area of the ranch)

How strong do you want your keys? Do they have to be strictly 'a'-'z' && A-Z or can they range over wider values? Can they be stored as binary bytes or does the user have to copy the keys somehow and remember them?

java.lang.Math

About dot com discussion of Math dot random

It is not hard to write a name generator that will provide lengthy strings that are relatively useable for what you have in mind but you will get a lot of feedback from those who have studied crypto that such and such cryptographic encipher has such and such weakness when the weakness of the subscriber far exceeds the weakness of the crypto package.

In general, Java has a SecureRandom class that is of use in cryptographic strength efforts but trying to use it on platforms that do not natively support advanced cryptographic work gets into brand specific issues such as 'minor differences in the clocking of two oscillators' that just sorta gets blank startled looks from too damn many users.

On the other hand there are people who have no greater joy than breaking a cryptographic cypher and get excited when they see a real crypto key.

Is this a student or independent study project? Do you have any investment to protect?
 
James Dekker
Ranch Hand
Posts: 229
Thanks for the info, Pat and Nicholas!

For a personal project, I need to write a KeyGenerator (using Java) to generate Product Keys (kind of like what you see on CD when you install software).

Question(s):

(1) Is it a jar file which I can use to write a Key Generator or is it a command line utility?

What I need is something which is very fast and supports Java integration...

(2) What are the serial numbers going to look like if I SSL encrypt the seeds?

I need the serial numbers to look like serial numbers and they all need to be of the exact same length.

(3) Will I get this if I decide to pass a timestamp and possibly some type information as a key into an SSL encryption tool?

Thanks for the assistance,

James
 
Pat Farrell
Rancher
Posts: 4686

Originally posted by James Dekker:
> For a personal project, I need to write a KeyGenerator (using Java) to generate Product Keys (kind of like what you see on CD when you install software).

Most of the time, these keys are not used to encipher the executables.

If you really are looking for copy-protection, you should say so.
In general, real copy-protection is really hard, and you are unlikely to invent something that is going to work. As Nick said upthread, there are people who take amazing joy in hacking systems. If you don't get it right, it won't do what you want.

All you have to do is look at the attempts at copy-protection in DVDs.

> (1) Is it a jar file which I can use to write a Key Generator or is it a command line utility?

I'm not sure you really want a key generator. The OpenSSL code is a command line utility, but you can always wrap it in some utility code so it looks like a Java API.

> (2) What are the serial numbers going to look like if I SSL encrypt the seeds?

SSL is not suitable for what you want. OpenSSL implements many ciphers.
SSL is for dynamic communications over HTTP.

> (3) Will I get this if I decide to pass a timestamp and possibly some type information as a key into an SSL encryption tool?

You can pass arguments to anything, shell or not.
 
Nicholas Jordan
Ranch Hand
Posts: 1282

Originally posted by James Dekker:
> Thanks for the info, Pat and Nicholas!

I have thrown Pat some trick questions and it is unusual the Mastery with which he handled them. I second all of Pat's post as given.

What is it exactly you want to do? It sounds like you are considering primary controls for a deployment. Good level of work for first pass but to split some nuances Pat and I need to know if this is an actual deployment or a study work. ( formalized or not ) If it is a study work, do you intend to continue into real-world work in computer science or any related area of commercial endeavor. If it is a real deployment, how much skin have you lost on real pavement?

Not a trick question except that it is tricky to gauge my intent. Don't try to do that, just answer straight up.
 
James Dekker
Ranch Hand
Posts: 229
Nicholas,

It's for a formal academic project that I am working on...

I am a newbie when it comes to implementing security when it comes to Java!

What I am seeking is a way to make alphanumeric product keys / serial keys which can handle multiple seed inputs through a Java program. The generated keys need to be all of the same length.

For example (whether generated by a timestamp or a standard String):

Generated Key:

AAA838301103482828
94848482AAABB11111
33000188GGGGTTKKKK

What I need is the software component that I am writing to have integration capability with the rest of my Java app (which would be deployed via a WAR or EAR file).

After considerable research, I think that openssl would not be a viable solution because the Java program has to launch a native command line to use it. And the target deployment environment has to have it (openssl) installed. This does raise portability issues.

I am leaning now more towards JCE and / or Bouncy Castle. From my research, I discovered that Bouncy Castle is just a reimplementation of JCE outside of Sun.

The problem with Sun's JCE is that the KeyGenerator component might not work on IBM's JVM (e.g. WebSphere).

I'll try writing the KeyGenerator using Sun's JCE and Bouncy Castle and if I run into any new problems, I'll most likely create a new thread on JavaRanch's Security Forum.

Let me know what you think! Am analyzing this too much?

Thanks for the excellent discussion guys!

James
 
Pat Farrell
Rancher
Posts: 4686
Bouncy Castle implementation is good. It exists mostly because of the idiotic ITAR laws in the US in the early 90s. For some reason, the US Department of Commerce (really NSA) made it illegal to export strong crypto software from the US.

They essentially assumed that there are no competent programmers outside the US. Even when they were shown that it was stupid, they kept it up.

Now, strong crypto can be used by serious folks, breaking the German ciphers in World War 2 was critical in the Battle of Britain. So there is a little merit in their position. But mostly it was political fantasy with serious implications if you happened to be a US resident working with crypto.

This stuff is not actually all that hard once you wade through the documentation, which is often opaque. I think some of the bad documentation is a result of the unhelpful political policies.
 
Nicholas Jordan
Ranch Hand
Posts: 1282

Originally posted by James Dekker:
> (...snip...)Let me know what you think! Am analyzing this too much?
>
> Thanks for the excellent discussion guys!
>
> James


Routine traffic, I second Pat's response with a simple glance. Keys ten thousand times stronger than your keys are routinely broken as an introductory exercise in some undergraduate courses. See Donald Knuth, Special Algorithm 'K'

Your level of analysis is exactly midpoint of the bracket of analysis depth that I needed to be effective and relaxed. You made this a one-round work.
 
James Dekker
Ranch Hand
Posts: 229
Pat & Nicholas,

After extensive research, I contacted the Bouncy Castle mailing list and asked them if there was a way to build a key generator (even showed them my code) from this posting.

"We don't have a UUID generator though - you'd have to write one yourself."

I can't believe that Bouncy Castle doesn't have this?!

Thanks for all of your help and also the discussion,

-James
[ April 20, 2008: Message edited by: James Dekker ]
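
A fixed-length alphanumeric product key of the kind asked for in this thread can be produced with the JDK's own `SecureRandom` and `Mac` classes, without OpenSSL or Bouncy Castle. The following is an added example, not code from any poster in the thread: the class name `ProductKeys`, the 32-symbol alphabet, the 10+8 character layout, the HMAC-SHA256 check tag and the product type strings are all assumptions chosen for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class ProductKeys {
    // 32 symbols (0, O, 1, I omitted as look-alikes); 32 divides 256, so (b & 31) is unbiased.
    static final char[] ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789".toCharArray();
    static final SecureRandom RNG = new SecureRandom();
    static final int ID_LEN = 10, TAG_LEN = 8; // 18 characters total (assumed layout)

    // Map the low 5 bits of each of the first `len` bytes to one alphabet symbol.
    static String encode(byte[] bytes, int len) {
        StringBuilder sb = new StringBuilder(len);
        for (int i = 0; i < len; i++) sb.append(ALPHABET[bytes[i] & 31]);
        return sb.toString();
    }

    // Keyed tag binding the random id to the product type; only the secret holder can compute it.
    static String tag(byte[] secret, String id, String productType) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        mac.update(id.getBytes(StandardCharsets.US_ASCII)); // fixed length, so no separator needed
        return encode(mac.doFinal(productType.getBytes(StandardCharsets.UTF_8)), TAG_LEN);
    }

    static String generate(byte[] secret, String productType) throws Exception {
        byte[] rnd = new byte[ID_LEN];
        RNG.nextBytes(rnd); // 50 random bits survive encoding; record issued ids to guarantee uniqueness
        String id = encode(rnd, ID_LEN);
        return id + tag(secret, id, productType);
    }

    static boolean verify(byte[] secret, String productType, String key) throws Exception {
        if (key == null || key.length() != ID_LEN + TAG_LEN) return false;
        byte[] expected = tag(secret, key.substring(0, ID_LEN), productType).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = key.substring(ID_LEN).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual); // comparison time does not depend on the data
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        RNG.nextBytes(secret); // constructed demo secret; a real one is kept by the issuing server
        String key = generate(secret, "PRO-EDITION"); // product type string is a made-up sample
        System.out.println(key + " valid=" + verify(secret, "PRO-EDITION", key));
        System.out.println("other product valid=" + verify(secret, "LITE-EDITION", key));
    }
}
```

Verification needs the secret, so it belongs on an activation server; a secret shipped inside the installed program can be extracted, which is the copy-protection difficulty raised earlier in the thread.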
 