c# security windows-7 certificate activation

Product activation with public key certificate


I need some ideas on how to create an activation algorithm. For example, I have a demo certificate. When that is provided, the application runs in demo mode. When a full-version certificate is provided, the application runs in full mode. Is it even possible, and what would be a good way of creating this system?

One simple way I was thinking of would be to just have two encrypted strings; when decryption is successful with the demo public key certificate, the application will run in demo mode, etc.


Solution

  • You could do something like:

    1. Generate public/private key pair
    2. As owner of private key, you can sign those "activation certificates" (called AC from now on)
    3. In your app, with the public key, you can check if the signature is correct

    As Overbose mentioned -- you can't prevent reverse engineering. In general, someone could take the functionality and put it in his/her own app and thus eliminate any possible activation algorithm. So you can only assume (or make sure) this is hard enough not to be worth the effort (this is the same as for cryptography -- when you make the cost of breaking the message greater than the profit of gaining it, you can say it is well secured).

    So you could:

    1. Make the executable self-verifying (signed by you, self-checking based on a hard-coded public key (one thing: you must skip this value when self-checking)).
    2. Do some tricks with pointers (point to the activation function, go to 7th bit and change value of it for something based on value of another pointer; in some weird places change hard-coded values to those based on occurrence of some bits in other places of the code; generally -- make it more difficult to break than by simply changing bits in executable with hex editor)
    3. Try to make some protocol that your server would use to ask questions about the app ("gimme the value of 293 byte of yourself") and check answers.
    4. Use imagination and think of some weird self-checking method nobody used before :)

    As mentioned -- none of this is secure from cutting the authentication part off. But nothing is and this could make it harder for crackers.
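
Steps 1 to 3 of the answer above, as an added example (not code from the original post): the vendor signs a license text with the private key, and the application, which embeds only the public key, verifies the signature before choosing demo or full mode. The `Vendor` and `Activation` classes, the `edition=` field and the sample licenses are assumptions made for illustration; the code needs .NET Core 3.0 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class Vendor   // vendor side: the only place the private key exists
{
    public static string Issue(RSA privateKey, string payload)
    {
        byte[] sig = privateKey.SignData(Encoding.UTF8.GetBytes(payload),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        return payload + "\n" + Convert.ToBase64String(sig);
    }
}

static class Activation   // application side: embeds the public key only
{
    public static string Mode(byte[] publicKeySpki, string license)
    {
        int cut = license.LastIndexOf('\n');
        if (cut < 0) return "demo";                       // malformed: fall back to demo
        string payload = license.Substring(0, cut);
        byte[] sig;
        try { sig = Convert.FromBase64String(license.Substring(cut + 1)); }
        catch (FormatException) { return "demo"; }

        using RSA rsa = RSA.Create();
        rsa.ImportSubjectPublicKeyInfo(publicKeySpki, out _);
        bool ok = rsa.VerifyData(Encoding.UTF8.GetBytes(payload), sig,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        // Trust the edition field only after the signature has verified.
        bool full = Array.IndexOf(payload.Split(';'), "edition=full") >= 0;
        return ok && full ? "full" : "demo";
    }
}

static class Program
{
    static void Main()
    {
        using RSA vendorKey = RSA.Create(2048);           // step 1: key pair
        byte[] pub = vendorKey.ExportSubjectPublicKeyInfo();
        // Constructed sample licenses (step 2: signed by the key owner).
        string full = Vendor.Issue(vendorKey, "user=alice@example.com;edition=full");
        string demo = Vendor.Issue(vendorKey, "user=bob@example.com;edition=demo");
        string forged = demo.Replace("edition=demo", "edition=full"); // edited after signing
        foreach (string lic in new[] { full, demo, forged })          // step 3: verify
            Console.WriteLine(Activation.Mode(pub, lic));
    }
}
```

The license edited after signing fails verification and falls back to demo mode; as the answer notes, this does not stop someone from patching the check out of the binary.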