Securing Application

  • Question

  • Hi, I was wondering how I can implement a security system to protect my programs when they are on the market, like, for example, Windows XP serials?

     

    Let's say I take out my program Xwidget and they get sold: how can I implement serial numbers in the program, and how can I generate the serial numbers that the software can accept?

    Don't want to depend on third party install generators.

    Or can someone give me direction on how to do this with the Visual Studio 2005 Pro install generators? I have depended much on the ClickOnce deployment.

     

    Any directions will come in handy and in advance I give thanks to all that can help me.

    Tuesday, June 13, 2006 12:12 AM

Answers

  • Yes of course, a registry entry would be much more secure, if only for the reason that most people wouldn't dare even enter the registry, and those that did would not know how to edit an encrypted key, or even where to look.

    As for the 10-digit security, you're absolutely correct, a longer number, like 24 digits, would be much more secure and practical. I was just using 10 digits as a simple example.

    Also, I had a question. Do you need to purchase some sort of license to sell programs created with Visual Basic, do you just need to include an advertisement/ splashscreen, or can you just sell them for free?

    Just for the heck of it, what are your other ideas? I'm in a similar situation to you, and I'd gladly accept advice/ ideas on this business of securing finished programs.

    Tuesday, June 13, 2006 12:59 AM

All replies

  • I've been wondering about the same thing as well. One idea that I came up with is to have a separate program that generates serial numbers. The serial numbers would all be different, but would have certain characters that are the same. For example, take the following serial numbers:

    a74f40d7r4

    c8e5d3g7f2

    e64e9fj5s33

    These are all 10-digit numbers. Now, focus on the 2nd and 10th characters in each code. In order for the serial number to be valid, the 2nd character MUST be 6, 7, 8, or 9. Likewise, the 10th character MUST be 2, 3, 4, or 5. This allows for thousands of unique serial numbers that at the same time all share a common "validating" attribute.

    Keep in mind that this system is highly adaptable, so, obviously, the more "validating" character spaces you have, the more secure the key is, however, it also decreases the amount of unique keys that can be generated.

    Now, instead of having the customer enter the key when installing the program, let them install it, and then the first time they start the program, make them enter the key they received from you when they bought the software. Next, to prevent the user from having to enter the key every time they want to use the software, once they enter it the first time (assuming it's correct of course), have the program save a simple text file hidden deep inside the hard drive, making it hard to find, that can either store the key itself, or can simply store some piece of information that, when the program checks to see if it exists, knows whether the key has been entered or not.

    If you want to get really fancy, you could also, when the user enters the correct password, have the program first look through an online database to see if that password is already in use. Then, if it's not, you can have the program accept it, and then save it to the online database. This would prevent people from sharing their passwords with others. Keep in mind however, that with this approach, the user would have to have internet access when first starting up the program.

    Anyway, this is just one idea I once thought of. I'll post others here if I discover a more efficient or otherwise better approach.

    P.S. I'm sure you probably know how to create the key generating program, but just in case: you would have a simple program that goes through each of the 10 (or however many characters are in the keys you use) characters in the code, and generates a random letter or number for it, adding it to a string. Then, you could simply make sure that, using the example above, if the program gets to character 2, it must randomly select either 6, 7, 8, or 9. The same would be done with the character 10, with a random value of either 2, 3, 4, or 5.

    Also, if you want this system to work with the online database method I described above, the program would create a key, and then search through the database of codes to make sure it's not already in use, whereby it would then add it to the database. This program could also be integrated with another program that keeps track of the email addresses of customers that have purchased the software, and could even be automated so that once the key has been generated, it can then be emailed to the person.

    Tuesday, June 13, 2006 12:39 AM
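
Added example, not part of the original posts: it measures how often a purely random string satisfies the positional rule described above, then shows a keyed alternative in which the serial carries an HMAC tag that only the vendor's server can compute, combined with the online "already in use" check. Python is used for illustration; `SERVER_SECRET`, `issue_serial` and `ActivationServer` are hypothetical names, and the secret is assumed to live only on the server, never inside the shipped program.

```python
import hashlib
import hmac
import secrets

# Constructed demo value; assumption: the real secret never leaves the server.
SERVER_SECRET = b"constructed-demo-secret"
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"

def positional_valid(key: str) -> bool:
    """The thread's rule: 10 characters, 2nd in 6-9, 10th in 2-5."""
    return len(key) == 10 and key[1] in "6789" and key[9] in "2345"

def positional_pass_rate(trials: int = 20000) -> float:
    """Fraction of random 10-character strings the positional rule accepts."""
    hits = sum(
        positional_valid("".join(secrets.choice(ALPHABET) for _ in range(10)))
        for _ in range(trials)
    )
    return hits / trials  # expected (4/36)**2, about 1.2%

def _tag(body: str) -> str:
    """Truncated HMAC-SHA256 over the random part of the serial (48 bits)."""
    mac = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256)
    return mac.hexdigest()[:12]

def issue_serial() -> str:
    """Vendor side: random body plus a tag that depends on the secret."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(12))
    return f"{body}-{_tag(body)}"

class ActivationServer:
    """Server side: verifies the tag and refuses a serial already activated."""

    def __init__(self) -> None:
        self.activated = set()  # stands in for the online database

    def activate(self, serial: str) -> str:
        body, sep, tag = serial.partition("-")
        # Constant-time comparison; bytes so odd user input cannot raise.
        if not sep or not hmac.compare_digest(tag.encode(), _tag(body).encode()):
            return "invalid"
        if serial in self.activated:
            return "already-used"
        self.activated.add(serial)
        return "ok"
```

Because the check runs on the server, nothing in the installed program reveals how valid serials are formed; a check compiled into the client would need a public-key signature instead of a shared secret.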
  • Good idea blabus, I was thinking instead of having it in a file somewhere in the hard drive, how about using the registry and saving it encrypted, let's say the serial number or a phrase like valid or full or something like that to notify the program that it's valid.

    The idea of the 10 digit alphanumeric code sounds good, but how about instead of 10 let's say 24 or "N" according to the level of security, having more validating attributes according to the number of digits there are in the code.

    I have some other ideas, but not sure if they will work.

    Thanks for that info Blabus, hope to see you soon, got 3 projects pending because I have no idea how to secure them.

    Any more info would be appreciated by anybody,

    Tuesday, June 13, 2006 12:48 AM
  • About the question about the license I can't say for sure, but I guess as long as you purchase an original software, I think it's royalty free, can't say for certain, I use Visual Basic Express, and I got Visual Basic 2002 Standard, but sometimes I can go to my old school and do the compilation on the studio they have just to make the executable. When you create some software you are protected by certain laws about copyright and trademark even if you don't register. It's like writing your own book, but in code you get protected by law.

    Some ideas I have, but I'm not sure how to do them:

    DLL activation: means if the code in the registry is not correct, after it decrypts or looks for an activation code, it won't assign the correct class members, so it doesn't activate anything.

    This one is kinda iffy and very long. I was thinking, is there a way to read the serial number, lot number and disk number of the CD, because these are unique even if you do a disk copy, well not the serial number, but the other two are, so reading these you hard code it in the program. The problem is that you would have to recompile for other disks, and if the code does not match the info on the CD, it just won't install.

    That the program generates and compiles a DLL based on the registration info of the product, together with the info of the particular machine, and it's read by the main code, which processes the information.

    these are just some ideas, not sure how to do this but, still learning, I'm still searching how to create a password recovery program for zip, using brute force and dictionary attacks, the dictionary attacks well got the idea of loading, but the brute force and how to send that info to be able to check the zip encrypted password, have none.

    Got other projects also in mind, but don't really know how to start them.

    So I guess little by little.

    Maybe I should just research on how to apply the quantum bit in the programming, jejeje.

    Well, take it easy; any other info that you can give will be appreciated.

    Tuesday, June 13, 2006 5:00 AM