什么是管理产品密钥为code库的最佳方法是什么? [英] What's the best way to manage product keys for code libraries?
问题描述
像很多现代软件企业,我公司使用产品密钥来检查用户对一个软件有什么合同。在分析产品密钥,我可以检查什么类型的产品的人都有(试用/完整版,等等)。我们希望用户能够从免费版本升级到code库的付费版本,想试用版本检查产品密钥是有效的。
Like a lot of modern software companies, my company uses product keys to check what contract a user has for a piece of software. When parsing the product key, I can check what type of product someone has (trial/full version, etc). We'd like users to be able to upgrade from free versions to paid versions of the code library and want trial versions that check if the product key is valid.
试用版不包含完整版的所有code。产品密钥是使用算法(它不使用Web服务或类似的东西)检查,从而能够非常快的完成。
The trial version doesn't include all the code of the full version. The product keys are checked using an algorithm (it doesn't use web services or something like that), so that can be done very fast.
有两个子问题在这里:
- 从试用版将完整版。我想用微星升级解决这一点,但我不知道如何可以做到这一点。 (使用WIX)
- 在制作一个试用版本,其中包括额外的$ C $下进行检查,如果它是一个试用版。我知道这是可能使用#如果语句,但我想知道,如果它也可能改变一个DLL - 更多precisely:每一个类型检查的试用版本中添加静态构造函数 。
我的问题是:这是正确的方式做到这一点?如果是的话,是实现这种功能的有标准的方式(或工具)?如果没有,是什么这样做的最好方法是什么?
My questions are: is this the right way to do this? And if so, are there standard ways (or tools) of achieving this kind of functionality? And if not, what is the best way of doing this?
更新
感谢所有伟大的答案为止。我认为这是时间来解释更多的情况下,从答案来看的 - 幸运的是它似乎像我们或多或少地在正确的轨道
Thanks for all the great answers so far. I think it's time to explain more of the context judging from the answers - fortunately it seems like we're more or less on the right track.
有关我们的产品是有意义的一个私人(非网络连接),VLAN进行安装,这样就使得产品密钥的路要走...我真的不想去的'手机的麻烦激活像微软那样:-)。因此,建议,我目前使用的加密位的数据,这是解密,看看是否的关键是有效的指定产品的产品密钥。当然,我可能是软件盗版的受害者,但我想我们会考虑,作为一个营销工具现在。
For our products it makes sense to install it on a private (non-internet connected) VLAN, so that makes product keys the way to go... and I really don't want to go to the trouble of 'phone activation' like Microsoft did :-). Therefore, as suggested, I'm currently using product keys that encrypt a bit of data, which is decrypted to see if the key is valid for the given product. Sure, I can be a victim of software piracy, but I suppose we'll consider that as a "marketing instrument" for now.
所建议的答案之一,我目前正在生成多个MSI文件:一个用于x64和一个用于x86的。然后,一个用于试验中,一个完整版的蓝图版本。这使得总共6 MSI文件(pfff)。在这个过程中混淆,强命名和code的签字仪式。蓝图版本包含完整的源$ C $ C。
As suggested in one of the answers, I'm currently generating multiple MSI files: One for x64 and one for x86. And then one for a trial, a full version and a blueprint version. That makes a total of 6 MSI files (pfff). During the process obfuscation, strong naming and code signing takes place. The blueprint version includes the full source code.
我比较关心的试用版本。当然,我可以在这里和那里增加一些检查,但我宁愿只是把支票在每个班级,自动...我想复制所有的CS文件,并添加/更改静态c'tors的(f.ex.使用塞西尔或nrefactory ..或只是一对夫妇正则表达式的...)。它只是在我看来,我不想要这个唯一的家伙。必须有一个更好的办法,对吧?
I am rather concerned about trial builds. Sure, I can add some checks here and there, but I'd rather just put checks in every class, automatically... I've thought of copying all the CS files and adding / changing static c'tors (f.ex. using the cecil or nrefactory.. or just a couple of regex...). It just seems to me that I'm not the only guy that wants this. There has to be a better way, right?
另外,我真的不想去想更新和升级,因为它似乎是重新发明轮子微星。从试用到正式版在我看来,像一个MSI的升级,就像一个完整的版本为蓝本的版本感觉就像一个MSI升级。然而,结合正常的升级,我很担心,如果这是可能的呢?
Further, I really don't want to think about updates and upgrades, because it seems like reinventing the MSI wheel. From a trial to a full version seems to me like an MSI upgrade, just like a full version to a blueprint version feels like an MSI upgrade. However, combined with normal upgrades I'm concerned if this is possible at all?
推荐答案
混合试和生产环境会导致混乱。如果可能的话进行两次单独的安装程序的每个。
Mixing trial and production environments can get messy. If possible make two separate installers for each.
有一些prerequisites使您的保护越强越好:
There are some prerequisites to making your protection as strong as possible:
- 模糊处理code你能买到最好的混淆。
- 取值$ P $垫在code几个关键的地方进行有效的签名支票,不要在启动时检查一次。
- 了解.NET加密API,如非对称加密和 <一href="http://stackoverflow.com/questions/8437288/signing-and-verifying-signatures-with-rsa-c-sharp">signatures
- 请生成产品密钥可以进行逆向工程的头脑, 主要关注的问题,如果您的应用程序是高容量或高价值
- Obfuscate your code with the best obfuscator you can buy.
- Spread the checks for valid signatures in several key places in your code, don't check just once at startup.
- Learn about .NET crypto APIs, such as asymmetric encryption and signatures
- Keep in mind that generated product keys can be reverse-engineered, mostly a concern if your app is high-volume or high-value
方案与启动:
在安装时或一段时间后,你可以要求用户激活您的产品中。在激活时,你可以生成一些组件识别系统中的明文XML文件 - CPU ID,硬盘ID,域名,用户名等发送表示的XML Web服务
Upon installation or within some time after it you can require users to "Activate" your product. When activating you can generate a plaintext XML file with some components identifying the system - CPU ID, HDD ID, domain name, user name etc. Send said XML to your web service.
该服务可以再追加一个随机变量,散列数据一起,并将它与私钥签名,并返回签名和随机标记。
The service can then append a random tag, hash the data together and have it signed with a private key and return the signature and the random tag.
您的客户端软件将有匹配的公钥内置并将本地存储随机标签和签名。
Your client software will have the matching public key built-in and will store the random tag and signature locally.
要检查许可证文件是有效的应用程序会出现乱码的明文数据和随机标记在一起,并检查签名哈希相匹配。
To check if the license file is valid the app will hash the plaintext data and random tag together and check if the signature matches that hash.
这让你决定,如果你的客户端运行时购买,pretty的很多担保的情况下,他们不能仅仅修改XML本身就是一个非常可靠的方法。
This gives you a very reliable way for determining if the instance your client is running is purchased and pretty much guarantees they can't just modify the XML itself.
情景没有激活:
在购买发送一个文件,一些客户数据,如姓名,电子邮件,电话等 - 让有些人因此用户会不愿意分享自己的许可文件。
Upon purchase send a file with some customer data, such as their name, email, phone etc - make it somewhat personal so the user will be reluctant to share their own license file.
包括随机标记和散列所有的数据放在一起。签署哈希,并将其存储在文件中也是如此。
Include a random tag and hash all the data together. Sign the hash and store it in the file as well.
用户必须将文件保存在predetermined位置,或贴在你的应用程序中的文本框里面。
The user will have to save the file at a predetermined location or paste it inside a textbox in your app.
这篇关于什么是管理产品密钥为code库的最佳方法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
