产品密钥的实现 [英] implementation for product keys
问题描述
我正在用 C 语言实现一个小应用程序,我想稍后以合理的价格将其作为共享软件出售.它将以 30 天的试用期开始,我已经非常确定如何实施它.
I'm implementing a small application in C, which I would like to sell as shareware for a reasonable price later on. It will start of with a 30-day trial, which I am already quite certain of how to implement it.
不过,我遇到的问题是我不太确定如何实施产品密钥验证.我的想法是客户可以在我的网页上注册(试用产品一段时间后),为产品付款,并通过 e 以 aaaaa-bbbbb-ccccc-ddddd-eeeee-mail(或者可以通过他在我网站上的个人资料获得).到目前为止没有问题.然后他/她将密钥放入我的应用程序中相应的键字段中,然后boom 应用程序就被注册了.
The problem I have, though, is that I am not quite sure how to implement the product key verification. What I have in mind is that the customer can sign up on my webpage (after trying the product for a while), pay for the product, and get a product key in the form of aaaaa-bbbbb-ccccc-ddddd-eeeee via e-mail (or maybe available via his profile on my website). No problem so far. He/She then drops the key in the appropriate key fields in my app and boom the app is registered.
据我目前收集到的信息,人们为此推荐 AES 或 RSA.老实说,我在大学的另一个方向(不是密码学)和我上过的一个密码学课程是前一段时间.但据我所知,AES是一种对称加密算法,这意味着我只有一个密钥用于加密和解密,对吗?然后我怎么能生成数千个产品密钥并仍然在我的应用程序中验证它们(顺便说一下,它不需要互联网访问......所以不用服务器检查)?
From what I could gather so far, people either recommend AES or RSA for this. To be honest, I in another direction in college (not cryptography) and the one cryptography class I took was some time ago. But from what I remember, AES is a symmetric encryption algorithm, which would mean that I would only have one key for encryption and decryption, right? How could I then generate thousands of product keys and still validate them in my app (which by the way won't require internet access....so no checking back with a server)?
所以我猜 RSA 会是要走的路?但是 RSA 不会产生很长的密钥(至少比上面要求的 25 个字符长)吗?
So I guess RSA would be the way to go? But doesn't RSA produce pretty long keys (at least longer than the required 25 characters from above)?
在另一个线程我读到有些产品甚至不会对产品密钥生成/验证使用加密,而是只使用一些检查,例如添加 2. 和 17. 字符,这应该总计为 x".
In another thread I read that some products won't even use encryption for the product key generation/verification, but instead just employ some checks like "add the 2. and the 17. character and that should total to x".
去这里最快、最简单、最安全的方式是什么?:-) 代码示例就是糖!
What's the fastest, easiest and most secure way to go here? :-) Code samples would be sugar!
问候,
塞巴斯蒂安
PS:哦...请不要告诉我我的密钥会如何并且会在某个时候被破解.....我知道,这主要是我不想花很多钱的原因解决这个问题的时间,但同时不要让偶尔的破解者太容易.
P.S.: Oh...and please don't tell me how my key can and will be cracked at some point.....I know about that, which is primarily why I don't want to spend a lot of time with this issue, but at the same time not make it too easy for the occasional cracker.
推荐答案
对称算法是有限的,因为任何具有反汇编程序的新手破解者都可以找到您的密钥(或用于生成密钥的算法)并制作密钥生成器".
Symmetric algorithms are limited, in that any novice cracker with a disassembler can find your key (or the algorithm used to generate one) and make a "keygen".
出于这个原因,非对称密码学是要走的路.基本前提是这样的:
For this reason, asymmetric cryptology is the way to go. The basic premise is something like this:
- 当用户从您那里购买许可时,您会收集有关用户和/或其环境的某些识别详细信息(通常,这只是一个全名;有时也包括公司).
- 您对该信息进行 128 位 MD5 哈希.
- 使用 128 位 Elliptic Curve 加密,使用 private 加密此哈希 键在服务器上.
- 128 位密文可以向用户表示为由字母和数字组成的 25 个字符的字符串(加上分隔破折号以提高可读性).请注意,26 个字母 + 10 个数字 = 36 个离散值,并且 36^25 > 2^128.
- 用户在您的注册对话框中键入此产品密钥.客户端软件将其转换回 128 位数字(16 字节),使用您的 EC 加密的公钥对其进行解密,并将结果与用户个人信息的 MD5 哈希值进行比较,该哈希值必须与用于注册的信息相匹配.
- When the user purchases a license from you, you collect certain identifying details about the user and/or their environment (typically, this is just a full name; sometimes a company, too).
- You make a 128-bit MD5 hash of this information.
- Using a 128-bit Elliptic Curve crypto, encrypt this hash using the private key on the server.
- The 128-bit cipher text can be represented to the user as a 25-character string consisting of letters and digits (plus separating dashes for readability). Notice that 26 letters + 10 digits = 36 discrete values, and that 36^25 > 2^128.
- The user types this product key into your registration dialog. The client software converts it back to a 128-bit number (16 bytes), decrypts that using the public key of your EC crypto, and compares the result to an MD5 hash of the user's personal information, which must match what was used for registration.
当然,这只是基本的想法.有关更多详细信息和源代码,请参阅 基于椭圆曲线密码术的产品密钥.
This is just the basic idea, of course. For more details and source code, see Product Keys Based on Elliptic Curve Cryptography.
这篇关于产品密钥的实现的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
