
How to make license key system for my program

 
Ranch Hand
Recently I have created a custom Google Chrome extension using JavaScript files, and just loading the folder makes the custom extension run.
But I am wondering, is there any way to enforce the program/JavaScript as in a license key system?
So far, I have only thought that I can use the JavaScript file to check against the system date, but I still can't find relevant topics and example algorithms to achieve this.
Please advise. Thanks.
 
Master Rancher
Just to be clear, do you want a licence key (like a product key) for your program or a certificate for the server connection (like the one used for an https connection)?


There are many ways to generate license keys, but very few of those ways are truly secure. And it's a pity, because for companies, license keys have almost the same value as real cash.

Ideally, you would want your license keys to have the following properties:

   1. Only your company should be able to generate license keys for your products, even if someone completely reverse engineers your products (which WILL happen). Obfuscating the algorithm or hiding an encryption key within your software is really out of the question if you are serious about controlling licensing. If your product is successful, someone will make a key generator in a matter of days from release.

   2. A license key should be usable on only one computer (or at least you should be able to control this very tightly).

   3. A license key should be short and easy to type or dictate over the phone. You don't want every customer calling the technical support because they don't understand if the key contains a "l" or a "1". Your support department would thank you for this, and you will have lower costs in this area.

So how do you solve these challenges?

   1. The answer is simple but technically challenging: digital signatures using public key cryptography. Your license keys should be in fact signed "documents", containing some useful data, signed with your company's private key. The signatures should be part of the license key. The product should validate the license keys with the corresponding public key. This way, even if someone has full access to your product's logic, they cannot generate license keys because they don't have the private key. A license key would look like this:

      BASE32(CONCAT(DATA, PRIVATE_KEY_ENCRYPTED(HASH(DATA))))

      The biggest challenge here is that the classical public key algorithms have large signature sizes. RSA512 has a 1024-bit signature. You don't want your license keys to have hundreds of characters. One of the most powerful approaches is to use elliptic curve cryptography (with careful implementations to avoid the existing patents). ECC keys are like 6 times shorter than RSA keys, for the same strength. You can further reduce the signature sizes using algorithms like the Schnorr digital signature algorithm (patent expired in 2008 - good).

   2. This is achievable by product activation (Windows is a good example). Basically, for a customer with a valid license key, you need to generate some "activation data" which is a signed message embedding the computer's hardware id as the signed data. This is usually done over the internet, but only ONCE: the product sends the license key and the computer hardware id to an activation server, and the activation server sends back the signed message (which can also be made short and easy to dictate over the phone). From that moment on, the product does not check the license key at startup, but the activation data, which needs the computer to be the same in order to validate (otherwise, the DATA would be different and the digital signature would not validate). Note that checking the activation data does not require verification over the Internet: it is sufficient to verify the digital signature of the activation data with the public key already embedded in the product.

   3. Well, just eliminate redundant characters like "1", "l", "0", "o" from your keys. Split the license key string into groups of characters.

For a certificate you can use keytool:
From the directory in which you want to create the key pair, run keytool as shown in the following steps.

   Generate the server certificate.

   Type the keytool command all on one line:

   java-home/bin/keytool -genkey -alias server-alias -keyalg RSA -keypass changeit
   -storepass changeit -keystore keystore.jks

   When you press Enter, keytool prompts you to enter the server name, organizational unit, organization, locality, state, and country code.

   You must type the server name in response to keytool’s first prompt, in which it asks for first and last names. For testing purposes, this can be localhost.

   When you run the example applications, the host (server name) specified in the keystore must match the host identified in the javaee.server.name property specified in the file tut-install/examples/bp-project/build.properties.

   Export the generated server certificate in keystore.jks into the file server.cer.

   Type the keytool command all on one line:

   java-home/bin/keytool -export -alias server-alias -storepass changeit
   -file server.cer -keystore keystore.jks

   If you want to have the certificate signed by a CA, read the example at http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html.

   To add the server certificate to the truststore file, cacerts.jks, run keytool from the directory where you created the keystore and server certificate.

   Use the following parameters:

   java-home/bin/keytool -import -v -trustcacerts -alias server-alias
   -file server.cer -keystore cacerts.jks -keypass changeit -storepass changeit

   Information on the certificate, such as that shown next, will appear:

   Owner: CN=localhost, OU=Sun Micro, O=Docs, L=Santa Clara, ST=CA, C=US
   Issuer: CN=localhost, OU=Sun Micro, O=Docs, L=Santa Clara, ST=CA, C=US
   Serial number: 3e932169
   Valid from: Tue Apr 08
   Certificate fingerprints:
   MD5: 52:9F:49:68:ED:78:6F:39:87:F3:98:B3:6A:6B:0F:90
   SHA1: EE:2E:2A:A6:9E:03:9A:3A:1C:17:4A:28:5E:97:20:78:3F:
   Trust this certificate? [no]:

   Type yes, then press the Enter or Return key.

   The following information appears:

   Certificate was added to keystore
   [Saving cacerts.jks]
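
The signed license key and the machine-bound activation data described in the reply above, as an added Node.js example that is not code from this thread. The vendor signs, and the product only verifies with the public key, so the verify half (base32Decode, checkKey, checkActivation) is all that would ship in the extension. Ed25519 as the signature scheme, the Crockford Base32 alphabet, the 8-byte payload and the hardware id string are assumptions made for the example.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');
// Crockford Base32 (assumed choice): no I, L, O or U, so look-alikes cannot collide.
const ALPHABET = '0123456789ABCDEFGHJKMNPQRSTVWXYZ';
const SIG_LEN = 64, PAYLOAD_LEN = 8; // Ed25519 signature size; hypothetical payload size
function base32Encode(buf) {
  let bits = [...buf].map(b => b.toString(2).padStart(8, '0')).join('');
  bits = bits.padEnd(Math.ceil(bits.length / 5) * 5, '0');
  const chars = bits.match(/.{5}/g).map(g => ALPHABET[parseInt(g, 2)]).join('');
  return chars.match(/.{1,5}/g).join('-'); // groups of five for typing or dictation
}

function base32Decode(text) {
  // Forgive typing slips: ignore case and separators, map O to 0 and I/L to 1.
  const clean = text.toUpperCase().replace(/[-\s]/g, '').replace(/O/g, '0').replace(/[IL]/g, '1');
  let bits = '';
  for (const ch of clean) {
    const v = ALPHABET.indexOf(ch);
    if (v < 0) return null; // character outside the alphabet
    bits += v.toString(2).padStart(5, '0');
  }
  return Buffer.from((bits.match(/.{8}/g) || []).map(g => parseInt(g, 2)));
}

// Vendor side only: the private key never ships with the product.
const issueKey = (privateKey, data) => base32Encode(Buffer.concat([data, sign(null, data, privateKey)]));
// Product side: verify with the embedded public key; returns the signed data or null.
function checkKey(publicKey, key) {
  const raw = base32Decode(key);
  if (!raw || raw.length < PAYLOAD_LEN + SIG_LEN) return null;
  const data = raw.subarray(0, raw.length - SIG_LEN);
  return verify(null, data, publicKey, raw.subarray(raw.length - SIG_LEN)) ? data : null;
}

// Activation server: for a valid license, sign license payload + hardware id.
function activate(keys, licenseKey, hardwareId) {
  const lic = checkKey(keys.publicKey, licenseKey);
  return lic && issueKey(keys.privateKey, Buffer.concat([lic, Buffer.from(hardwareId)]));
}

// Product start-up: offline check that the activation data matches this machine.
function checkActivation(publicKey, activation, hardwareId) {
  const data = checkKey(publicKey, activation);
  return !!hardwareId && data !== null && data.subarray(PAYLOAD_LEN).equals(Buffer.from(hardwareId));
}

// Constructed sample values: throwaway key pair, made-up payload bytes.
const keys = generateKeyPairSync('ed25519');
const payload = Buffer.from([0, 1, 0, 0, 0, 42, 0, 0]);
const licenseKey = issueKey(keys.privateKey, payload);
```

With a 64-byte signature the 8-byte payload becomes a 116-character key, which is the size problem the reply points out for signature-based keys.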

 