
Public / Private Key Approach

Topics: Development, Help & Support
Feb 27, 2015 at 5:01 PM
Edited Feb 27, 2015 at 6:00 PM
Hi Artem!

First of all, are you Swedish? I am Norwegian ;) Nice to meet you and thanks for sharing your work.

I have created a C# program I would like to add license key support for and had a quick question regarding SKGL:

Does SKGL not use the Private / Public key approach? With my limited knowledge of cyber security I might have misunderstood, but I was thinking that ideally, in your GUI, you would have a button to create a public key and a corresponding private key. The public key would be what you call the secret phrase, and can be created based on my MAC address, user ID, program version, and a few other pieces of machine/user-specific information. The idea is that if the license key is generated based on the private key, it can only be validated with the public key, and vice versa. So, we can safely store the public key in the application, without having to worry about someone reverse engineering the app, searching for strings, and finding the secret phrase (thereby enabling them to create as many keys as they want, on their own). With the approach I had in mind, only the person holding the private key can create license keys that can be validated with the public key stored in the application.

What do you think? Let me know if I am just confused or if it makes sense at all hehe.

Thanks a lot!

PS: Tiny point, but I think there might be a typo in your Documentation article "using features to solve problems". Towards the bottom of the first code block, where you set features for a time-unlimited key, the comment says it is time-limited.


Mar 1, 2015 at 9:22 PM
Hi Anders!

Nice to meet you! :) Partly (I'm Swedish-Russian).

Yes, you are right. Public key cryptography is better because it will not allow the client (if the "password" is found) to generate new keys. I have worked on two ways to solve this:
The advantage of a web server is that the user does not have access to key generation at all, so the keys can have almost any shape. On the other hand, when public key cryptography is used, no internet connection is needed.

How it is solved using a web server
The cloud service I am currently developing has the ability to perform things like activation (making sure only a certain number of machines use a key) and also offline activation (that is, even if it is a cloud service, it's possible to activate using activation files that are digitally signed using RSA by the server).
If you are interested, please check out this tutorial: http://artemlos.github.io/SKM-Tutorial/SKM%20Tutorial/WebContent/GettingStarted-WebAPI.html (sorry if it is a little bit messy, it's still a draft) and a list of functions: http://docs.serialkeymanager.com/web-api/. NOTE: this is a subscription-based service.

Public private key approach
I've started working on an improvement to SKGL that will incorporate this technique. I really want to implement ECDSA, but we will see. Right now, it's difficult to tell the time it might take.

The typo is now corrected. Thank you!

/Artem
Mar 1, 2015 at 10:51 PM
Cool!

I would love to use the new offline version you are working on, when ready. I think it would be really useful to a lot of developers. I guess the trick is to be able to make an algo that has the time limit and all that info encoded in the license key, but in addition use a different key for decryption and encryption.
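
The offline scheme discussed in this thread, as an added example that is not part of the original posts and is not SKGL's code or API: the vendor signs a payload carrying the machine ID and expiry date with an ECDSA private key, and the application verifies it with only the public key. The class name, payload format and machine IDs are constructed for illustration, and the code assumes .NET Core 3.0 or later.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
static class SignedLicenseDemo // hypothetical name, not an SKGL type
{
    // Vendor side: only the holder of the private key can produce a valid license.
    static string Issue(ECDsa privateKey, string machineId, DateTime expiresUtc)
    {
        string payload = machineId + "|" + expiresUtc.ToString("yyyy-MM-dd", CultureInfo.InvariantCulture);
        byte[] data = Encoding.UTF8.GetBytes(payload);
        byte[] sig = privateKey.SignData(data, HashAlgorithmName.SHA256);
        return Convert.ToBase64String(data) + "." + Convert.ToBase64String(sig);
    }
    // Application side: ships with the public key only, so extracting it
    // from the binary does not let anyone mint new licenses.
    static bool Validate(byte[] publicKeySpki, string license, string machineId, DateTime nowUtc)
    {
        string[] parts = license.Split('.');
        if (parts.Length != 2) return false;
        byte[] data, sig;
        try { data = Convert.FromBase64String(parts[0]); sig = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }
        using (ECDsa pub = ECDsa.Create())
        {
            pub.ImportSubjectPublicKeyInfo(publicKeySpki, out _);
            if (!pub.VerifyData(data, sig, HashAlgorithmName.SHA256)) return false;
        }
        // The fields are trusted only after the signature check has passed.
        string[] fields = Encoding.UTF8.GetString(data).Split('|');
        if (fields.Length != 2 || fields[0] != machineId) return false;
        return DateTime.TryParseExact(fields[1], "yyyy-MM-dd", CultureInfo.InvariantCulture,
                   DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out DateTime exp)
               && nowUtc.Date <= exp;
    }
    static void Main()
    {
        using (ECDsa vendorKey = ECDsa.Create(ECCurve.NamedCurves.nistP256))
        {
            byte[] pub = vendorKey.ExportSubjectPublicKeyInfo(); // the only key material embedded in the app
            DateTime now = new DateTime(2015, 3, 1, 0, 0, 0, DateTimeKind.Utc);
            string lic = Issue(vendorKey, "MACHINE-A", now.AddDays(30)); // constructed machine ID
            // Forgery attempt: new expiry date, old signature reused.
            string forged = Convert.ToBase64String(Encoding.UTF8.GetBytes("MACHINE-A|2099-01-01")) + "." + lic.Split('.')[1];
            Console.WriteLine(Validate(pub, lic, "MACHINE-A", now));             // genuine license
            Console.WriteLine(Validate(pub, lic, "MACHINE-B", now));             // different machine
            Console.WriteLine(Validate(pub, lic, "MACHINE-A", now.AddDays(31))); // past expiry
            Console.WriteLine(Validate(pub, forged, "MACHINE-A", now));          // edited payload
        }
    }
}
```

The expiry check relies on the local clock, which a user can set back, and a P-256 signature makes the key far longer than a typical typed serial, so this format suits license files better than hand-entered keys.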

