Jan 17, 2012 at 10:02 PM
Edited Jan 22, 2012 at 10:35 PM
Since the ProductKey and ProductLicense are encrypted using your own generated RSA private key, even if someone gain access to the source code, they cannot decrypt the information and hence, they cannot generate new ProductKeys or hack the ProductLicense.
Given said that, the less information the hacker has, the hardest for them to exploit it, so changing some parts of the code could be always a plus, though not necessarily needed. It is also true that a hacker will expend time depending on the benefits they
get. If you are protecting a 1 million dollar license software your system will be potentially more vulnerable :)
There are only a few things to have in mind and not to forget:
1. Generate your own RSA pair key (public and private)
The source code comes with a RSA pair key that needs to be replaced for a new one. The public key will be distributed with your software, but the private key needs to be secret. If by mistake you distribute the private key, everybody will be able to generate
valid product keys.
Please, refer to this question to see how to create a new RSA key.
2. Sign the Activatar.dll assembly
The Activatar.dll assembly needs to be distributed with your application. You need to sign the assembly to avoid tampering. Read below for details.
3. Delay the ProductKey activation
As a good practice, after the server validates and generates the Product License, wait a few seconds until return to the client. This will prevent a brute-force cracking, it is, a hacker trying random ProductKeys to be activated.
Some questions and answer that can clarify security aspects of this system:
Can a hacker build a valid ProductKey?
Since the hacker don't have your RSA private key, it is very very hard for a hacker to break it. If they know how to break a RSA Key they will probably try to hack a Bank transaction better than a product activation :)
Can a hacker try to activate random Product Keys?
Anyone can generate a random Product Key, but only your server, with the private RSA key, can validate it. You can easily detect if someone is trying to activate thousands of fake ProductKeys and put their IP address in a black list. A good practice could also
be to put a delay after the validation (server side).
Can a hacker build a valid Product License?
The Product License is the file that the server sends to the client after activation and contains the information about the activation and if the software is legitimately licensed.
Again, since the Product License information is encoded using a RSA key, it is very very hard to modify it.
Can a hacker try to generate a random Product License?
To generate a random Product License, the hacker needs to create the ActivationInfo with valid information and generate a signature that matches that ActivationInfo. Since the signature is 128 bytes, the possibilities are, for a current computer, almost infinite.
Even if a hacker, with access to the source code, develop a program to generate and validate the ProductLicense, it will take, with some luck, years to get a pseudo-valid ProductLicense. Note also that the RSA algorithm is not especially fast, and takes
more than 1 second to validate 1000 signatures.
Can a hacker overpass the Product License verification?
To understand this question, let’s imagine that the hacker has the source code and compile his own Activatar.dll that always return “Ok” to the verification. Then, replace the real Activatar.dll with the fake one.
Well, there is an easy solution to this scenario. Just signing the assembly will prevent this.
Given said all this, no system is 100% secure and I won't recommend this for a nuclear missile activation :) but I beleave it's not worth for a hacker to crack this system to save a few dollars for a license :)
Please, if you and someone else see any posibility this system can be easily hacked, I will appreciate to be informed.