Serial Key Check Not Valid Aftermat
Advanced Installer allows you to easily add a serial number protection for your package. There are two types of serial validation each having its advantages and disadvantages: Predefined List and Algorithm Verified.
Important - please note:
Invalid Serial Number or Activation Code when activating Corel trial software: you can tell which software a serial number works with by looking at its first 2 characters. DR – CorelDRAW, PR – Painter.
- The Advanced Installer's serial validation DLL is offered as a convenience. It should be replaced with your own, stronger and more secure, validation method.
- The validation done at install time is not the best method of serial protection. The recommended method is the validation done by the application itself after it has been installed.
Predefined List of Serials
In this case, each package will have one or more predefined valid passwords.
Advantage
- When releasing a new version of the product, you can add or delete certain serials without changing the rest.
Disadvantage
- The list is fixed, so for a released version, you cannot change the list, if, for example, the client list grows and you need to add more serials.
Algorithm Verified Serials
In this case the package will check whether the serials pass a certain algorithm verification. The algorithm uses a special value, called a seed, to identify a group of equivalent serials. Changing the seed invalidates the current group of serials. The seed length and form depend on the length and form of the template.
Advantage
- You can generate a practically unlimited number of serials. More exactly, this number is limited only by the number of combinations of digits and letters that verify the template you have chosen.
Disadvantage
- If a serial has been compromised, you cannot delete it in the next release. For that you would need to change the seed value, thus rendering all other serials invalid.
General Note
While the algorithm itself is reasonably hard to crack, the MSI is not a secure environment. This means that somebody who tampers with the MSI, using nothing but a specialized editor like Orca, could rather easily remove the protection.
A possible solution to improve this would be to use the bootstrapping feature in Advanced Installer to mask the MSI. However, this is not a definitive solution since an attacker could spy on the program activities and extract the MSI.
- Serial Number Validation DLL
Example and sample code for developing a DLL for serial number validation.
I have a PHP script that generates some strings which will be used as license keys:
After running the script once, I got these:
What I now am trying to do is change it so that I have another function that will check if the key has been generated using my script. Currently, what I am thinking is setting the $key to the MD5 of one specific string (for example, test) but, of course, that returns all the strings the same.
Can anyone help?
5 Answers
Note: This solution is on the assumption you want your licence key to always be in fixed format (see below) and still self authenticated. If that is not the case refer to @ircmaxell for a better solution.
Introduction
A self-authenticated serial is a tricky solution because:
- Limited size of the serial
- It needs to authenticate itself without a database or any storage
- If the private key is leaked, it can easily be reversed
Example
Output
Please note that any modification in the Options would change the key and make it invalid.
Checking for collision
I just ran this simple test
Output
Better Security
By default the script uses sha1, but PHP has a lot of better hash functions; you can get that with the following code
Example
Class Used
There are three basic ways of handling this. How you do it will depend on how many keys you're generating, and how important it may be to be able to invalidate keys at a later date. Which you choose is up to you.
When the server generates a key (like using your algorithm), you store it in a database. Then later all you need to do to check the key is see if it's in the database.
Note that your algorithm needs a lot more entropy than you're providing it. The current timestamp is NOT enough. Instead, use strong randomness:
Or, if you don't have mcrypt:
Or if you don't have mcrypt and openssl, use a library
Note that md5 returns a hex output (a-f0-9), where all of the above return full random binary strings (characters 0 - 255). So either base64_encode() it, or bin2hex() it.
Pros:
- Simple to implement
- Can 'deactivate' issued keys at a later date
- Impossible to forge a new key
Cons:
- Requires persistent storage per key
- May not scale that well
- Requires 'key server' to validate keys
Basically, you generate a strong random key (from here out called the private key), and store it on your server. Then, when generating the license key, you generate a random blob, and then HMAC sign it with the private key, and make the license part of that block. That way, you don't need to store each individual key.
Pros:
- Simple to implement
- Does not require persistent storage
- Trivial to scale
Cons:
- Cannot 'Deactivate' keys individually
- Requires storing 'private keys'
- Requires 'key server' to validate keys.
Basically, you generate a public/private key pair. You embed the public key in your application. Then, you generate a key (similar to 'signing keys' above), but instead of signing it with the HMAC signature, you sign it with a private key.
That way, the application (which has the public key) can verify the signature directly without needing to call back to your server.
Pros:
- Simple to implement
- Does not require persistent storage
- Trivial to scale
- Does not require 'key server' to validate keys
Cons:
- Cannot 'Deactivate' keys individually
- Requires storing 'private keys'
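The HMAC-signed approach described in the answer above, as an added example that is not part of the original answer. The key layout (10 random bytes plus a truncated HMAC-SHA256 tag, hex-encoded in groups of five) and the function names are assumptions made for illustration; $serverKey plays the role of what the answer calls the private key.

```php
<?php
declare(strict_types=1);

// Assumed key layout: 10 random bytes + first 10 bytes of HMAC-SHA256,
// hex-encoded and grouped as XXXXX-XXXXX-... (8 groups of 5 characters).
const ID_BYTES  = 10;
const TAG_BYTES = 10;

function generate_license(string $serverKey): string
{
    $id  = random_bytes(ID_BYTES);   // CSPRNG output, not a timestamp
    $tag = substr(hash_hmac('sha256', $id, $serverKey, true), 0, TAG_BYTES);
    $hex = strtoupper(bin2hex($id . $tag));
    return implode('-', str_split($hex, 5));
}

function verify_license(string $license, string $serverKey): bool
{
    $hex = str_replace('-', '', strtoupper(trim($license)));
    if (strlen($hex) !== 2 * (ID_BYTES + TAG_BYTES) || !ctype_xdigit($hex)) {
        return false;                // wrong length or alphabet
    }
    $raw = hex2bin($hex);
    $id  = substr($raw, 0, ID_BYTES);
    $tag = substr($raw, ID_BYTES);
    $expected = substr(hash_hmac('sha256', $id, $serverKey, true), 0, TAG_BYTES);
    return hash_equals($expected, $tag);   // constant-time comparison
}

// Constructed demo: the server key is generated once and stays on the key server.
$serverKey = random_bytes(32);
$license   = generate_license($serverKey);

// Change the first character to simulate a guessed or altered key.
$forged    = $license;
$forged[0] = ($forged[0] === 'A') ? 'B' : 'A';

echo $license, PHP_EOL;
var_dump(verify_license($license, $serverKey));        // genuine key
var_dump(verify_license($forged, $serverKey));         // altered key
var_dump(verify_license($license, random_bytes(32)));  // different server key
```

No per-key storage is needed, but anyone who obtains $serverKey can mint valid keys, so verification has to stay on the server.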
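The public/private key approach from the same answer, as an added example that is not part of the original answer. It assumes PHP's sodium extension (Ed25519 signatures); the license layout (base64url payload, a dot, base64url signature), the claim names and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

function b64url(string $bin): string
{
    return strtr(base64_encode($bin), '+/', '-_');
}

// Vendor side: signs the license payload with the secret key.
function issue_license(array $claims, string $secretKey): string
{
    $payload = json_encode($claims, JSON_THROW_ON_ERROR);
    $sig     = sodium_crypto_sign_detached($payload, $secretKey);
    return b64url($payload) . '.' . b64url($sig);
}

// Application side: needs only the embedded public key, no server call.
function check_license(string $license, string $publicKey): ?array
{
    $parts = explode('.', $license);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode(strtr($parts[0], '-_', '+/'), true);
    $sig     = base64_decode(strtr($parts[1], '-_', '+/'), true);
    if ($payload === false || $sig === false
        || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES
        || !sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) {
        return null;                 // malformed, or signature does not match
    }
    return json_decode($payload, true, 8, JSON_THROW_ON_ERROR);
}

// Constructed demo: the key pair is generated once; the secret key stays with the vendor.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair);   // shipped inside the application

$license  = issue_license(['licensee' => 'constructed@example.com', 'serial' => 1001], $secretKey);
$sigPart  = explode('.', $license)[1];
$tampered = b64url('{"licensee":"someone-else","serial":1001}') . '.' . $sigPart;

var_dump(check_license($license, $publicKey));    // genuine license: claims array
var_dump(check_license($tampered, $publicKey));   // edited payload, reused signature
```

The application can reject altered licenses offline, but as the General Note on MSI tampering points out, a check that ships with the product can still be patched out by someone who modifies the package.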
What you are actually looking for is an algorithm like Partial Key Validation.
See this article for the workings and port it to PHP.
Store these keys in a database when you create them. Later match them with the database rows and voila.. It will be done
Note that it's not impossible that you will get duplicate keys with this algorithm, it's unlikely, but so is winning the lottery. You will have to store the keys in a database or file to check if it already exists.