软件许可证密钥是如何生成的? [英] How are software license keys generated?
问题描述
许可证密钥是作为反盗版措施的事实标准.老实说,这让我觉得 (in)Security through Obscurity,虽然我真的不知道许可证密钥是如何生成的.什么是许可证密钥生成的好(安全)示例?他们使用什么加密原语(如果有的话)?是消息摘要吗?如果是这样,他们将散列哪些数据?开发人员采用哪些方法让破解者难以构建自己的密钥生成器?密钥生成器是如何制作的?
对于老式 CD 密钥,这只是制定一个算法的问题,使 CD 密钥(可以是任何字符串)易于生成和易于验证,但有效 CD 密钥与无效 CD 密钥的比率非常小,以至于随机猜测 CD 密钥不太可能获得有效密钥.
错误的做法:
Starcraft 和 Half-life 都使用相同的校验和,其中第 13 位数字验证了前 12 位.因此,您可以为前 12 位输入任何内容,并且猜第 13 个(只有 10 种可能性),导致臭名昭著的 1234-56789-1234
验证算法是公开的,看起来像这样:
x = 3;for(int i = 0; i <12; i++){x += (2 * x) ^ 数字[i];}最后一个数字 = x % 10;正确的做法
Windows XP 需要相当多的信息,对其进行加密,然后将字母/数字编码放在贴纸上.这允许 MS 验证您的密钥并同时获取产品类型(家庭、专业等).此外,它需要在线激活.
完整的算法相当复杂,但在 this(完全合法!) 论文,在德国发表.
当然,无论您做什么,除非您提供在线服务(例如魔兽世界),否则任何类型的版权保护都只是一个摊子:不幸的是,如果它值得任何游戏价值,有人会破坏(或至少规避) CD 密钥算法和所有其他版权保护.
真实正确的做法:
对于在线服务,生活要简单一些,因为即使使用二进制文件,您也需要对其服务器进行身份验证才能使用它(例如,拥有一个魔兽世界帐户).魔兽世界的 CD 密钥算法——例如,在购买游戏时间卡时使用——可能看起来像这样:
<块引用>- 生成一个非常大的加密安全随机数.
- 将其存储在我们的数据库中并打印在卡片上.
然后,当有人输入游戏时间卡号码时,检查它是否在数据库中,如果是,则将该号码与当前用户相关联,以免再次使用.
对于在线服务,没有理由不使用上述方案;使用其他任何东西都可以导致问题.
License keys are the defacto-standard as an anti-piracy measure. To be honest, this strikes me as (in)Security Through Obscurity, although I really have no idea how license keys are generated. What is a good (secure) example of license key generation? What cryptographic primitive (if any) are they using? Is it a message digest? If so, what data would they be hashing? What methods do developers employ to make it difficult for crackers to build their own key generators? How are key generators made?
For old-school CD keys, it was just a matter of making up an algorithm for which CD keys (which could be any string) are easy to generate and easy to verify, but the ratio of valid-CD-keys to invalid-CD-keys is so small that randomly guessing CD keys is unlikely to get you a valid one.
INCORRECT WAY TO DO IT:
Starcraft and Half-life both used the same checksum, where the 13th digit verified the first 12. Thus, you could enter anything for the first 12 digits, and guess the 13th (there's only 10 possibilities), leading to the infamous 1234-56789-1234
The algorithm for verifying is public, and looks something like this:
x = 3;
for(int i = 0; i < 12; i++)
{
x += (2 * x) ^ digit[i];
}
lastDigit = x % 10;
CORRECT WAY TO DO IT
Windows XP takes quite a bit of information, encrypts it, and puts the letter/number encoding on a sticker. This allowed MS to both verify your key and obtain the product-type (Home, Professional, etc.) at the same time. Additionally, it requires online activation.
The full algorithm is rather complex, but outlined nicely in this (completely legal!) paper, published in Germany.
Of course, no matter what you do, unless you are offering an online service (like World of Warcraft), any type of copy protection is just a stall: unfortunately, if it's any game worth value, someone will break (or at least circumvent) the CD-key algorithm, and all other copyright protections.
REAL CORRECT WAY TO DO IT:
For online-services, life is a bit simpler, since even with the binary file you need to authenticate with their servers to make any use of it (eg. have a WoW account). The CD-key algorithm for World of Warcraft - used, for instance, when buying playtime cards - probably looks something like this:
- Generate a very large cryptographically-secure random number.
- Store it in our database and print it on the card.
Then, when someone enters a playtime-card number, check if it's in the database, and if it is, associate that number with the current user so it can never be used again.
For online services, there is no reason not to use the above scheme; using anything else can lead to problems.
这篇关于软件许可证密钥是如何生成的?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
