Re: the right place where put a serial number
- Subject: Re: the right place where put a serial number
- From: Nicko van Someren <email@hidden>
- Date: Fri, 18 Nov 2005 18:08:17 +0000
On 18 Nov 2005, at 13:35, Andrea Salomoni wrote:
> After some discussion on this list I would like to explain better
> my problem:
> I have to put somewhere a serial number for my app, to check if the
> software has the right one.
> I don't think that keychain is the right place to put it,
> because in my keychain there aren't any serial numbers of my
> installed software.
> Does anyone have a solution?
This topic has been discussed endlessly before on this list, and
probably on every other list that is frequented by professional
programmers. Here is a summary of the usual points that are raised:
* Software serial numbers only serve to keep honest people honest.
As such there is little point trying to hide the data; the concerted
attacker will find it anyway.
* The fear of getting caught is a good deterrent. As such being able
to remind people that they are using illegal software will usually
help reduce illegal copying.
* Even people who will use software copied from their friends are
frequently unwilling to use binary modifications to that software.
Thus people are usually more likely to copy serial numbers than they
are to bypass the serial number checking system.
* It is important to try to make sure that serial numbers can not be
forged by anyone simply by disassembling your program.
The above principles suggest that one should lean towards using
public key cryptography; pack the user's information in a message and
sign it to make a license. Store the license somewhere convenient
(for instance in the user preferences dictionary) and on start-up
check the digital signature and display the information about the
licensed user prominently (e.g. in the splash screen).
The main argument against the above model is usually that public key
signatures are too long to expect the user to reliably key in. This
probably had some merit in the day when license keys were delivered
on bits of paper but these days it is reasonable to expect that (a)
most users will receive their license keys by email and (b) that even
if they do not, they will at least have intermittent connection to
the internet. As such I personally favour the solution of sending
licenses as email attachments (or even easily extractable encoded text
blocks inside plain-text emails) but also offering the option of
downloading the license file from a server on presentation of an
order number and password. For good measure you might add a check so
that when a new license is loaded up the user is required to confirm
that he or she is the license holder; this serves both to raise the
guilt level (which occasionally will go above the users' threshold
and they might stop there) and also cement a demonstration of intent
to bypass the licensing, which might prove useful later in any action
you take.
Cheers,
Nicko
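
The signed-license scheme described in the message above, as an added example that is not part of the original post. It assumes Ed25519 signatures and a base64 "body.signature" text format; the License fields and the Issue/Verify names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// License is the signed user information; the field names are assumptions.
type License struct{ Name, Email, Order string }

var b64 = base64.StdEncoding

// Issue runs only on the vendor's machine, which holds the private key.
func Issue(priv ed25519.PrivateKey, l License) (string, error) {
	body, err := json.Marshal(l)
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(body) + "." + b64.EncodeToString(ed25519.Sign(priv, body)), nil
}

// Verify runs in the shipped app, which embeds only the public key, so
// disassembling the binary yields nothing that can sign a new license.
func Verify(pub ed25519.PublicKey, text string) (License, error) {
	var l License
	parts := strings.Split(strings.TrimSpace(text), ".")
	if len(parts) != 2 {
		return l, errors.New("malformed license")
	}
	body, errB := b64.DecodeString(parts[0])
	sig, errS := b64.DecodeString(parts[1])
	if errB != nil || errS != nil || !ed25519.Verify(pub, body, sig) {
		return License{}, errors.New("license signature check failed")
	}
	err := json.Unmarshal(body, &l)
	return l, err
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	text, _ := Issue(priv, License{"A. User", "user@example.com", "ORDER-0001"})
	if l, err := Verify(pub, text); err == nil {
		fmt.Printf("Licensed to %s <%s>\n", l.Name, l.Email) // e.g. on the splash screen
	}
}
```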