![]() So the ticket which will be send back to the client can contain the hash of input activation information and any additional information, all what you want. For example it can add the information about the date till one the software should be valid (for example, current day plus one year). The server can add any additional information to the ticket before signing.This ticket will play the role of licence key. The signed ticket server will be send back to the client. Then the server calculate the hash (SHA1, MD5 or some other) from the information send from the client and sign the respond with the server's private key (or servers certificate). The server verify that the the client with the "machine ID" payed for the software and is not yet activated.This information the software send to your server (it is the activation request). After starting of the activation process from the client software (either at the program start of from menu or in any other way like you want) it collects some information about the computer like computer name ("machine ID"), some serial numbers or some other information about hardware or operation system which can not be changed without a new activation.If a client pay for the software you include the information about the client's "machine ID" (in any form which you want) in the database on the server.You write a server component which will be used by client during the activation to generate the license key based of the activation request received from the client.Before activation it can not work or work in very restricted form (for example only some menus needed for software activation are enabled). You software installed on the client computer will need an activation.For example the schema can looks like following: UPDATED 2 based on the updated question: It seems to me in your case would be better to use some scenario based on cryptographic signing of an activation ticket. ![]() All other questions about license key should be discussed in my opinion in the separate question after clearing all requirements. So I decide to answer only on the main question from the title which is clear and have a separate interest. There are a lot of aspects, advantages and disadvantages of different approaches. The key generation, key installation or key verification can be either with respect of some online services (also from the internet) or without there. Is key should be hardware depended or not? It can be one per computer or one per computer group. It's important how to generate, to distribute (to install) and to verify the key. It depends on the licensing model choosed. The subject with license key I find very complex. Because I read some answers (written before me) which concerned almost only the part of license keys and read practically no answer on the question from the title I wrote me answer. I want divide the part of the question which we can read also in the title "best place to hide a key in the Windows Registry" from the subject with license keys. UPDATED: Because many people read this question I want to add some words to my answer. You can read more about usage of native registry API in for example. You can do this wth respect of the native functions NtCreateKey (see ) NtSetValueKey (see ) which use UNICODE_STRING as parameters instead of LPCTSTR. The eaysiest way to hide a key or a value is to create a key/value having '\0' inside of the name. So I need a place where they can't find it afterwards that it had been created. My users are not tech-savy enough to use registry tools to monitor the registry, but if I put it under HKLM/Software/M圜ompany/MyProgram, some of them might do find it. Thus, I'm thinking it would be best to hide it in the registry. In case they reinstall or block Internet access, I need to know if the key has been blacklisted. So the app now will connect to the Internet upon launch and check if their key is blacklisted. Since I don't want to bother with shorter than one year license keys (too much administrative overhead) I need a way to disable their licenses till they pay. ![]() The problem is that some clients tend not to pay in time or they don't pay at all. The license key includes a machine ID and can't be used elsewhere. Clients pre-pay one year and get a one-year license key for activation. This is not mainstream software but a corporate one. What is the best way to hide an obfuscated entry in the Windows registry?Įdit: You guys have some good answers there, but I feel like I need to expand the question. I'd like to store the blacklisted key in the registry, so if the user tries to re-enter it (and he/she is not connected to the Internet), it's not accepted. My Delphi program has a built-in protection mechanism to check for banned license keys on the Internet and displays a message to the user if a blacklisted key is found.
0 Comments
Leave a Reply. |