Presentation on theme: "Keygens, Protection, Encryption Panel Registration Key Considerations (SIC 2001) Chris Thornton Thornsoft Development, Inc."— Presentation transcript:
Keygens, Protection, Encryption Panel Registration Key Considerations (SIC 2001) Chris Thornton Thornsoft Development, Inc. firstname.lastname@example.org www.thornsoft.com/sic
Why use registration keys at all? They're so convenient! Both for us, and for the customer. – No special URLs to remember – Easy to rebuild system after system rebuild. Registered Version can be traded anyway. Will be increasingly problematic with Napster/Wrapster/Gnutella, IRC, etc., technology. (OOPS! Last year's slide!)
Anti-Cracking The crackers will still crack you. That's just the way it is. But if a user has to sift through 5 old non-functional keygens or published crack keys, they may decide that $20 isn't so much to ask after all! Goal: Make the crack experience less enjoyable for the crack users.
Techniques Sprinkling – Spread the checks into various places in the program. Time Bombs Use Message In A Bottle technique Compression / Obfuscation And...
Partial Key Verification Don't give the cracker enough information to build a complete key. – They can only build a keygen against what they see in the program. So, leave some of the checks out, and add them back into future releases. Each release only checks part of the key (Details on next slide) Each release of your software requires crackers to make a new keygen. Users aren't impacted, as their keys have all correct digits.
The Mechanics I use the "If SampleKey = UserKey then Registered=True" algorithm. (standard stuff) To generate the SampleKey, first, I generate 10 decoy digits from the user's name. – Ex: for i := 0 to 9 do RegKey[i] := (Ord(CleanString[i]) * 2) Mod 10; Then, in the positions that I'm actually checking, I overwrite the decoys with digits generated by the actual algorithm, leaving decoys in the unchecked digits. – Ex: RegKey := ((Ord(CleanString)*3) - Ord(CleanString)) Mod 10;
Mechanics (cont) In the previous example, the middle 5 digits are not checked. I don't check the decoys. In the next release, I'll add another digit, and take one more away. Forged keys can now be detected. Forged keys generate an error message, and invite the user to read more about the error at our web site. The target page logs their IP address, the name/key that was used, and the date/time. Future versions may not ask permission... But my customers' keys, generated with all correct digits, will be just fine.
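Added example (not from the original slides and not ClipMate's code): a Python model of the partial key verification described on the two Mechanics slides, showing why a vendor-issued key passes every release while a key built only from what release 1 ships is rejected by release 2. The per-position rules, the sample name and the checked positions are constructed assumptions; only the decoy rule (Ord * 2 Mod 10) is taken from the slide.

```python
# Added illustration: constructed rules, not the vendor's real algorithm.
# Vendor-only table: one (multiplier, offset) rule per key position.
FULL_RULES = [(3, 1), (7, 4), (9, 2), (5, 8), (11, 6),
              (13, 0), (17, 3), (19, 5), (23, 7), (29, 9)]

def clean(name):
    """Normalise the registrant name (assumed: uppercase letters/digits only)."""
    return "".join(c for c in name.upper() if c.isalnum())

def real_digit(name, pos, rule):
    mult, off = rule
    s = clean(name)
    return (ord(s[pos % len(s)]) * mult + off) % 10

def decoy_digit(name, pos):
    """Decoy rule from the slide: (Ord(char) * 2) Mod 10."""
    s = clean(name)
    return (ord(s[pos % len(s)]) * 2) % 10

def vendor_key(name):
    """Vendor side: every position carries its real digit."""
    return "".join(str(real_digit(name, p, r)) for p, r in enumerate(FULL_RULES))

def make_release(checked_positions):
    """Only the rules for the checked positions are compiled into a release."""
    shipped = {p: FULL_RULES[p] for p in checked_positions}
    def verify(name, key):
        if len(key) != len(FULL_RULES) or not key.isdigit() or not clean(name):
            return False
        # Decoy positions are never compared, so they cannot reject a real key.
        return all(int(key[p]) == real_digit(name, p, r) for p, r in shipped.items())
    return verify, shipped

def key_from_release_only(name, shipped):
    """Best key derivable from one release: real digits where that release
    checks, decoy digits everywhere else (all the binary reveals)."""
    return "".join(
        str(real_digit(name, p, shipped[p]) if p in shipped else decoy_digit(name, p))
        for p in range(len(FULL_RULES)))

# Release 1 leaves the middle five digits unchecked; release 2 adds
# position 3 and drops position 0, as the slide describes.
verify_v1, shipped_v1 = make_release([0, 1, 2, 8, 9])
verify_v2, shipped_v2 = make_release([1, 2, 3, 8, 9])

NAME = "Jane Doe"                                   # constructed sample customer
GENUINE = vendor_key(NAME)
FORGED = key_from_release_only(NAME, shipped_v1)    # built from release 1 only
```

Release 2's failure on FORGED is the "forged keys can now be detected" event; it is the point where the application would show its error message and link to the logging page.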
Reality Check 3657 visits to my naughty pirate page during the past month (June 17-July 18, 2001), or avg 121/day. Next version won't ask permission after 3rd violation - it will just bring up the web page automatically. Next version will shut down completely after 5th illegal use. I am considering a more friendly message and page. (honey vs. stick) I am seriously considering using stronger encryption in ClipMate 6.