在Windows注册表中隐藏密钥的最佳位置？ [英] Best place to hide a key in the Windows Registry?

问题描述

我的Delphi程序有一个内置的保护机制来检查互联网上的禁用许可证密钥，如果发现有黑名单的密钥，则向用户显示一条消息。

My Delphi program has a built-in protection mechanism to check for banned license keys on the Internet and displays a message to the user if a blacklisted key is found.

我想将黑名单的密钥存储在注册表中，所以如果用户尝试重新输入（并且他/她没有连接到互联网），则不接受。

I'd like to store the blacklisted key in the registry, so if the user tries to re-enter it (and he/she is not connected to the Internet), it's not accepted.

在Windows注册表中隐藏混淆条目的最佳方式是什么？

What is the best way to hide an obfuscated entry in the Windows registry?

谢谢！

编辑：你们有一些很好的答案，但我觉得我需要扩大这个问题。

You guys have some good answers there, but I feel like I need to expand the question.

这不是主流软件，而是一个公司。客户预付一年并获得一年许可证密钥激活。许可证密钥包括机器ID，不能在其他地方使用。

This is not mainstream software but a corporate one. Clients pre-pay one year and get a one-year license key for activation. The license key includes a machine ID and can't be used elsewhere.

问题是有些客户往往不及时支付或者根本不支付。由于我不想打扰短于一年的许可证密钥（管理费用太多），我需要一种方式才能停用许可证，直到他们付款。

The problem is that some clients tend not to pay in time or they don't pay at all. Since I don't want to bother with shorter than one year license keys (too much administrative overhead) I need a way to disable their licenses till they pay.

所以应用程序现在将在启动时连接到Internet，并检查其密钥是否被列入黑名单。如果是，我需要禁用访问。如果他们重新安装或阻止上网，我需要知道密钥是否已被列入黑名单。

So the app now will connect to the Internet upon launch and check if their key is blacklisted. If it is, I need to disable access. In case they reinstall or block Internet access, I need to know if the key has been blacklisted.

因此，我认为最好将其隐藏在注册表。我的用户没有足够的技术来使用注册表工具来监控注册表，但如果我把它放在HKLM / Software / MyCompany / MyProgram下，有些可能会找到它。所以我需要一个他们以后找不到它已被创建的地方。 （没有人会期待！）

Thus, I'm thinking it would be best to hide it in the registry. My users are not tech-savy enough to use registry tools to monitor the registry, but if I put it under HKLM/Software/MyCompany/MyProgram, some of them might do find it. So I need a place where they can't find it afterwards that it had been created. (Noone will be expecting it!)

任何想法？

推荐答案

隐藏密钥或值的最简单的方法是在名称内创建一个具有'\0'的键/值。您可以对本机函数 NtCreateKey （见 http://msdn.microsoft.com/en-us/library/ff556468.aspx ） NtSetValueKey （见 http://msdn.microsoft.com/en-us/library/ff557688.aspx ），它使用 UNICODE_STRING 作为参数，而不是 LPCTSTR 。您可以在 http://www.codeproject.com/中阅读有关本地注册表API使用情况的更多信息kb / system / NtRegistry.aspx 。您可以在这里找到一个Delphi代码。 http://www.delphi3000.com/articles/article_3539.asp 。

The eaysiest way to hide a key or a value is to create a key/value having '\0' inside of the name. You can do this wth respect of the native functions NtCreateKey (see http://msdn.microsoft.com/en-us/library/ff556468.aspx) NtSetValueKey (see http://msdn.microsoft.com/en-us/library/ff557688.aspx) which use UNICODE_STRING as parameters instead of LPCTSTR. You can read more about usage of native registry API in http://www.codeproject.com/kb/system/NtRegistry.aspx for example. A Delphi code you will find here http://www.delphi3000.com/articles/article_3539.asp.

更新：由于很多人读过这个问题，我想为我的答案添加一些单词。我希望将许可证密钥 中的主题中标题最佳位置，以隐藏Windows注册表中的密钥可以阅读的部分内容。因为我读了一些答案（写在我面前），几乎只涉及许可证密钥的一部分，并且从我写给我的标题的问题上几乎没有回答。

UPDATED: Because many people read this question I want to add some words to my answer. I want divide the part of the question which we can read also in the title "best place to hide a key in the Windows Registry" from the subject with license keys. Because I read some answers (written before me) which concerned almost only the part of license keys and read practically no answer on the question from the title I wrote me answer.

具有许可证密钥的主题我发现非常复杂。这取决于选择的许可模式。重要的是如何生成，分发（安装）和验证密钥。关键应该是硬件依赖吗？它可以是每个计算机一个或每个计算机组一个。密钥生成，密钥安装或密钥验证可以是一些在线服务（也可以是因特网）或者不在那里。我可以继续...有不同的方法的很多方面，优点和缺点。

The subject with license key I find very complex. It depends on the licensing model choosed. It's important how to generate, to distribute (to install) and to verify the key. Is key should be hardware depended or not? It can be one per computer or one per computer group. The key generation, key installation or key verification can be either with respect of some online services (also from the internet) or without there. I can continue... There are a lot of aspects, advantages and disadvantages of different approaches.

所以我决定回答只有主要问题从标题，这是清楚的，并有单独的兴趣。关于许可证密钥的所有其他问题，在我清楚所有要求后，应在单独的问题中讨论。

So I decide to answer only on the main question from the title which is clear and have a separate interest. All other questions about license key should be discussed in my opinion in the separate question after clearing all requirements.

更新2 根据更新的问题在你的情况下，在我看来，使用一些基于激活票的加密签名的场景会更好一些。例如，模式可以如下所示：

UPDATED 2 based on the updated question: It seems to me in your case would be better to use some scenario based on cryptographic signing of an activation ticket. For example the schema can looks like following:

• 您在客户端计算机上安装的软件将需要激活。在激活之前，它不能以非常有限的形式工作或工作（例如，仅启用软件激活所需的一些菜单）。


• 您编写的服务器组件将由客户端在激活以根据从客户端收到的激活请求生成许可证密钥。


• 如果客户支付软件费用，则包括有关客户端机器ID的信息（以任何形式您需要）在服务器上的数据库中。


• 从客户端软件启动激活过程（从菜单开始或以任何其他方式，您想要）收集有关计算机的一些信息，如计算机名称（机器ID），一些序列号或有关硬件或操作系统的其他信息，如果没有新的激活，则无法更改。软件发送到您的服务器的信息（这是激活请求）。


• 服务器验证具有机器ID的客户端是否支付该软件，但尚未激活。然后服务器从客户端发送的信息中计算散列（SHA1，MD5或其他），并使用服务器的私钥（或服务器证书）对响应进行签名。签名的票务服务器将发送回客户端。该票将扮演许可证密钥的角色。


• 服务器可以在签名之前向票证添加任何其他信息。例如，它可以添加关于日期的信息，直到软件有效（例如，当天和一年）。因此，将发送回客户端的机票可以包含输入激活信息和任何其他信息的哈希，所有您想要的。重要的是信息应该被签名。一般来说，您可以将完整的客户端请求作为明文，包含在服务器票据中，而不是包含哈希值，但哈希的使用a）减少票证大小，并且b）使票券更安全一些。


• 每个客户端具有公钥对应于服务器用于签署激活票证的私钥。客户端在文件系统注册表中的任何地方保存从服务器收到的故障单。


• 如果客户端软件将被启动，软件将会读取已保存的激活从注册表（或从文件系统）的票。然后，软件收集相同的信息，用于生成激活票，计算哈希值并将其与保存的票证的哈希进行比较。它验证票据相对于公钥的签名（或者关于服务器的证书）。此外，软件可以验证机票中的任何其他额外的政策信息，直到机票有效之前的时间。

• You software installed on the client computer will need an activation. Before activation it can not work or work in very restricted form (for example only some menus needed for software activation are enabled).
• You write a server component which will be used by client during the activation to generate the license key based of the activation request received from the client.
• If a client pay for the software you include the information about the client's "machine ID" (in any form which you want) in the database on the server.
• After starting of the activation process from the client software (either at the program start of from menu or in any other way like you want) it collects some information about the computer like computer name ("machine ID"), some serial numbers or some other information about hardware or operation system which can not be changed without a new activation. This information the software send to your server (it is the activation request).
• The server verify that the the client with the "machine ID" payed for the software and is not yet activated. Then the server calculate the hash (SHA1, MD5 or some other) from the information send from the client and sign the respond with the server's private key (or servers certificate). The signed ticket server will be send back to the client. This ticket will play the role of licence key.
• The server can add any additional information to the ticket before signing. For example it can add the information about the date till one the software should be valid (for example, current day plus one year). So the ticket which will be send back to the client can contain the hash of input activation information and any additional information, all what you want. Important is only that the information should be signed. In general you can include full client's request as clear text in the servers ticket instead of including of the hash, but the usage of the hash a) reduce the ticket size and b) makes the ticket a little more secure.
• Every client have public key corresponds to the private key used by server for signing of the activation ticket. The client save the ticket received from the server during activation in any place in registry of in the file system.
• Every next time if the client software will be started the software will read the saved activation ticket from the registry (or from the file system). Then the software collect the same information, which are used for generation of the activation ticket, calculate the hash and compare it with the hash from the saved ticket. It verify of cause the signature of the ticket with respect of the public key (or with respect of the server's certificate). Moreover the software can verify any other additional policy information from the ticket like the time till one the ticket is valid.

所有写的是大概只有模式，但它非常简单，而且是可扩展的。您只需要学习如何使用一些简单的加密操作并在您的软件中实现。

All written is a roughly schema only, but it is very simple and it is extensible. You need only study how use some simple cryptographic operation and implement there in your software.

作为一个选项，您可以没有在线服务器，而不是在软件中实现（例如，在菜单中）可能性来生成例如，激活请求和发送电子邮件。然后，您可以离线（!!!）根据服务器请求生成激活票据，并且每个电子邮件将票据发回客户端。一个简单的Reg文件可以通过双击或其他简单的导入方式导入到软件中（剪切和粘贴在激活对话框中）可以终止软件激活的过程。

As a option you can don't have a server online, but instead of that implement in the software (in menu for example) a possibility to generate the activation request and send it per email for example. Then you can offline (!!!) generate an activation ticket based of the server request and send the ticket back to the client also per email. A simple Reg-file which can be imported by double-click or some other simple import possibility in your software (cut & paste in the activation dialog) can end the process of the software activation.

这篇关于在Windows注册表中隐藏密钥的最佳位置？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！