Re: licence key validation method
- Subject: Re: licence key validation method
- From: Uli Kusterer <email@hidden>
- Date: Sat, 10 Jan 2015 15:29:33 +0100
On 10 Jan 2015, at 10:33, sqwarqDev <email@hidden> wrote:
> I'm not looking for anything fancy. The simplest implementation will do, and an idiot's guide on how to do it would be ideal, but any pointers from anyone that's done this recently would be hugely appreciated.
Really, all you need is any asymmetric encryption/signing library. I think these days that would be Security.framework. So any tutorial on encrypting and validating messages will do.
What you do is you generate a private and public key pair, then create a bit of data (e.g. a PList) that contains all the Info that you need for a valid license (e.g. user name, number of seats, major version of the app this is for, expiration date for demo licenses, and usually some sort of counter that you just increase by one whenever you generate a license, so you can tell apart various licenses bought by the same person, or people with the same name).
Once you have this PList, you encrypt it (using your private key). You include your public key in your application, and the license-checking code simply decrypts the PList using that. You only get a valid PList out if the matching private key was used to encrypt it, so you now know that this is a real license generated by you, and can look at the PList entries to see what the user is allowed to do etc.
A few notes and caveats:
1) Copy-paste the public key into the source code, don’t include it as a file, so people can’t just replace that file too easily. XOR an arbitrary value onto it to make it harder for people to just fire up HexEdit and search for “RSA key start” or whatever and replace that with a key they generated.
2) Beyond #1, it’s not really worth trying to protect against binary patches. You can binary patch away everything (at worst a hacker could patch out Security.framework), so whatever you do, hackers can break it. But anyone who runs a binary patch runs untrustworthy code on their machine and is probably catching a virus anyway. The thing you need to protect from are key generators, which you have by using a decent-size RSA key (until quantum computers become common enough that people will just Shor away any RSA keys, at least). Keep your private key safe and you should be fine.
3) The amount of data you put in your key is directly related to the length of the key. So if you use a PList, you’re pretty much forced to have a key file. If you need users to copy the key as a string, make the real key a struct and choose smaller data types, so you get a shorter key.
Hope that helps.
Cheers,
-- Uli Kusterer
“The Witnesses of TeachText are everywhere...”
http://zathras.de
Cocoa-dev mailing list (email@hidden)
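The scheme Uli describes, as an added example that is not part of the original thread and not code from Uli or from Security.framework. What he calls "encrypting the PList with the private key" is, in modern terms, a digital signature over the payload, so this example signs with Ed25519 from Go's standard library; it uses JSON instead of a property list because Go's standard library has no plist encoder, and the field set of the `License` struct is a hypothetical one following the post's list (name, seats, major version, expiry, serial counter). The public key is held in a plain variable here; the XOR obfuscation from note 1 is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is the signed payload. Field set is hypothetical, following the post.
type License struct {
	Name         string `json:"name"`
	Seats        int    `json:"seats"`
	MajorVersion int    `json:"major_version"`
	Expires      string `json:"expires,omitempty"` // RFC 3339 timestamp; empty means perpetual
	Serial       uint64 `json:"serial"`            // vendor-side counter, bumped once per licence issued
}

var (
	ErrBadSignature = errors.New("licence signature does not verify")
	ErrWrongVersion = errors.New("licence is for a different major version")
	ErrExpired      = errors.New("licence has expired")
)

// IssueLicense is the vendor-side step: serialise the payload and sign it with
// the private key. The key string is base64(payload || signature). An Ed25519
// signature is a fixed 64 bytes, so only the payload size drives key length.
func IssueLicense(priv ed25519.PrivateKey, lic License) (string, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, payload)
	return base64.StdEncoding.EncodeToString(append(payload, sig...)), nil
}

// VerifyLicense is the in-app step and needs only the public key. It returns
// the decoded payload only if the signature verifies and the policy fields
// (major version, expiry) are acceptable for this build at time now.
func VerifyLicense(pub ed25519.PublicKey, key string, appMajor int, now time.Time) (*License, error) {
	raw, err := base64.StdEncoding.DecodeString(key)
	if err != nil || len(raw) < ed25519.SignatureSize {
		return nil, ErrBadSignature
	}
	payload := raw[:len(raw)-ed25519.SignatureSize]
	sig := raw[len(raw)-ed25519.SignatureSize:]
	// Verify before parsing: bytes reach the JSON decoder only if the vendor signed them.
	if !ed25519.Verify(pub, payload, sig) {
		return nil, ErrBadSignature
	}
	var lic License
	if err := json.Unmarshal(payload, &lic); err != nil {
		return nil, fmt.Errorf("signed payload is malformed: %w", err)
	}
	if lic.MajorVersion != appMajor {
		return nil, ErrWrongVersion
	}
	if lic.Expires != "" {
		exp, err := time.Parse(time.RFC3339, lic.Expires)
		if err != nil {
			return nil, fmt.Errorf("bad expiry in licence: %w", err)
		}
		if now.After(exp) {
			return nil, ErrExpired
		}
	}
	return &lic, nil
}

func main() {
	// Key generation happens once, offline; only pub is compiled into the app.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample licence.
	key, _ := IssueLicense(priv, License{Name: "Example User", Seats: 5, MajorVersion: 2, Serial: 1042})
	fmt.Println("licence key:", key)

	if lic, err := VerifyLicense(pub, key, 2, time.Now()); err == nil {
		fmt.Printf("valid: %s, %d seats\n", lic.Name, lic.Seats)
	}
	// Flipping one bit of the payload invalidates the signature.
	raw, _ := base64.StdEncoding.DecodeString(key)
	raw[0] ^= 1
	_, err = VerifyLicense(pub, base64.StdEncoding.EncodeToString(raw), 2, time.Now())
	fmt.Println("after tampering:", err)
}
```

Two points from the post fall out of this structure. Verification uses the public key only, so the private key never leaves the vendor, and a key generator would have to produce a signature under a key it does not have (note 2). And because the signature is fixed-size, the length of the copy-paste string grows only with the payload, which is the trade-off note 3 describes: fewer or smaller fields give a shorter key.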