Product Keys

I had an idea on how to create and validate product keys via
online activation. I wondered whether the EXPERT PROGRAMMERS of /prog/
could spot an obvious weakness in it.
Decription follows.

Generating the product key:

1. Generate a secure random 256-bit integer S.
2. Generate four 32-bit integers P_0-3 with the following properties:
2a. P₀ contains 32 flags indicating permissions of the account, like access to certain content.
2b. P₁ may be chosen arbitrarily.
2c. P₂ is a unique user ID.
2d. P₃ contains the last 32 bits of S
3. Concatenate P_0-3 to yield P.
4. Encrypt P using Rijndael (Blocksize 128 bits, Keysize 256 bits) using S as the key yielding K.
5. K is the product key.

Verification:

1. Decrypt K using Rijndael with S as the key yielding P
2. Seperate P into P_0-3
3. Compare P₃ to the last 32 bits of S. If they don't match, reject the key.
3. Compare P₂ to the user's ID. If they don't match, reject the key.
4. Accept the key and set permissions according to P₀

mov word [loc_of_jmp], 9090h

You can't even correctly spell separate, how could you possibly think that you could design a key validation system?

Looks fine to me, but you realize that it's ultimately useless because unless you need to do this every time you try to access a online service, it's easily crackable, right?

This system doesn't provide any authentication. All you'd need to do is find a single key (which can be obtained with a single legitimate purchase) and your system is worthless.
Unless you only allow one install per key, in which case the cure is worse than the disease.

Randomly adding encryption to a system doesn't automatically make it secure.

MD5 the product name

MD5 the MD5 50 times

PROFIT

>>5
The key will be issued for a specific user ID and should only be usable with this one ID. It is checked in step 3.

>>6
No, use this expert encryption function for maximum power.

http://pt.php.net/manual/en/function.md5.php#85116

>>7
If you're already having people sign up for a user account on some central database, why the fuck bother with verifying the software install? Verify the fucking user account.

>>9
Because I could offer the service with basic functionality for free and let the users unlock additional features with a key.

Like getting the pics for free but having to pay for the videos.
Or whatever the online service may offer.

I agree with >>9 -- the Spore DRM, for example, is fucking retarded. You have to jump through a shitload of hoops to just run the fucking binary, and then you have to sign into the game using a username/password. If they had just locked off the online content to authenticated users only and made the binary itself free, it might have been more reasonable.

There is always a crack -- that's how the light gets in.

>>10
It's a stupid idea. DRM never works, and it won't work in this case. The people who are likely to use most of your bandwidth are also going to be the ones who have access to cracks.

>>13
Or those who can crack it themselves.

>>14
For some reason, several OS X applications have a isRegistered() function that returns a bool.

True story.

>>13
Or those who can crack it themselves.

>>13
Or those you can crack it themselves.

>>13
Or those who can READ SICP themselves.

Cracking:

1) Find verification step 1 code
2) Replace with a JMP to step 4 code with permissions set to 0xffffffffffffffff

>>1
All of the other criticisms aside, what's the point of generating a 256-bit integer and using a 256-bit key to produce a 128-bit product key?

>>20
To make it more secure? In any event, here's a small perl fragment which implements the OP's product key system. Currently, perl doesn't have any good Rijndael modules, so I had to settle for AES (same shit).
Usage: perl key.pl <binary string representing capabilities>
Eg. perl key.pl 10001101

$_="=]=>%-|{<-|}<&|`{";
tr~ -/:-@[-`{-}~`-{/" -~;
eval $_;

>>21
Neat. Now try do it in haskell.

>>21
To make it more secure?
Protip: when it's easier to bruteforce the result than it is the key, it's not ``more secure''. It's just wasted clock cycles.

Currently, perl doesn't have any good Rijndael modules, so I had to settle for AES
Ah, that explains it. You don't know shit about cryptography.

>Ah, that explains it. You don't know shit about cryptography.
Did you find anything wrong with the implementation?

>>24
Besides the fact that it's a tired old joke?

Currently, perl doesn't have any good Rijndael modules, so I had to settle for AES
I lol'd irl.

>>21,24 here.
After reading up on AES and Rijndael, I feel a bit silly now, please disregard my posts. I thought they were different.
Good thing this is 4chan, hahaha.

>>19
Wont' work unless you can execute code on the server.

>>28
Maybe I'm missing something here, but in your program wouldn't you have code which looks like:


get user key
send key to server
receive reply from server
if (key verified)
   proceed_as_normal()
else
   bad_key()

PROTIP: If Microsoft aren't able to make a crack-proof online activation scheme, some shlub from /prog/ has an extremely low likelihood of doing so.

>>30
The only competent programmer at Microsoft is Gates himself, and he hasn't written a line of code in fifteen years.

❝Using a simple three-line piece of code, Eller drew a round digital clock on the computer screen. It looked too plain. Using an instruction known as a flood-fill algorithm, he tried to fill in the background with colour, but it didn't work. Eller flipped through the manual, trying to figure out if he had done something wrong. He called his boss.

'Why isn't the flood-fill working, Greg?'

'Must be a bug in your code, Marlin.'

'No, I've already been over my code. There aren't any bugs.'

'Not in your code,' Whitten said. 'In the Basic code.'

'You mean we ship our Basic with bugs in it?' Eller asked, somewhat incredulously.

'That's right.' And with that, Whitten walked out of the room.

Slightly disgusted that he had just joined a company that was shipping defective software, Eller decided to take matters into his own hands, taking two weeks to hack out a new flood-fill algorithm.

Whitten was less than thrilled. The two weeks on the flood-fill were at the expense of the translator he was supposed to be writing. Undaunted, Eller set out to let others in on the flaw he had discovered and how he had fixed it. He even pulled in Chairman Gates, whose office was just down the hall.

'Bill, check this out,' Eller said, pointing to his computer screen.

'I mean ... who was the jerk who wrote this brain-dead piece of code?'

Gates stared at the screen.

'See, that's what I call a design flaw,' Eller said. 'Now check out my new version. Pretty cool, eh?'

Gates nodded, pushing his glasses up the bridge of his nose. Gates told Eller his program was nice, then turned and walked back to his office.

After Gates left, Whitten walked into Eller's office. He had heard the entire conversation.

'Do you know who wrote the original flood-fill algorithm?' he said, shaking his head.

'Ahhh, nope,' Eller replied. 'I don't believe I do.'

Whitten paused, rubbed his finger on his left temple, and shook his head again. 'Bill wrote it,' he said. 'Bill was the jerk who wrote this brain dead piece of code!'❞

>>31
And you know this because...?

>>33
he is Steve Ballmer

>>30
Microsoft can't do anything right. period.

DEVELOPPERS

DEVELO++ERS

Devepples

>>38
Dev-C++?

>>39
Code::Blocks?

>>40
Emacs?

>>41
YES!!!

>>42
The Sussman!

Lain.