Name: Anonymous 2008-09-21 11:59
I had an idea on how to create and validate product keys via
online activation. I wondered whether the EXPERT PROGRAMMERS of /prog/
could spot an obvious weakness in it.
Decription follows.
Generating the product key:
1. Generate a secure random 256-bit integer S.
2. Generate four 32-bit integers P0-3 with the following properties:
2a. P0 contains 32 flags indicating permissions of the account, like access to certain content.
2b. P1 may be chosen arbitrarily.
2c. P2 is a unique user ID.
2d. P3 contains the last 32 bits of S
3. Concatenate P0-3 to yield P.
4. Encrypt P using Rijndael (Blocksize 128 bits, Keysize 256 bits) using S as the key yielding K.
5. K is the product key.
Verification:
1. Decrypt K using Rijndael with S as the key yielding P
2. Seperate P into P0-3
3. Compare P3 to the last 32 bits of S. If they don't match, reject the key.
3. Compare P2 to the user's ID. If they don't match, reject the key.
4. Accept the key and set permissions according to P0
online activation. I wondered whether the EXPERT PROGRAMMERS of /prog/
could spot an obvious weakness in it.
Decription follows.
Generating the product key:
1. Generate a secure random 256-bit integer S.
2. Generate four 32-bit integers P0-3 with the following properties:
2a. P0 contains 32 flags indicating permissions of the account, like access to certain content.
2b. P1 may be chosen arbitrarily.
2c. P2 is a unique user ID.
2d. P3 contains the last 32 bits of S
3. Concatenate P0-3 to yield P.
4. Encrypt P using Rijndael (Blocksize 128 bits, Keysize 256 bits) using S as the key yielding K.
5. K is the product key.
Verification:
1. Decrypt K using Rijndael with S as the key yielding P
2. Seperate P into P0-3
3. Compare P3 to the last 32 bits of S. If they don't match, reject the key.
3. Compare P2 to the user's ID. If they don't match, reject the key.
4. Accept the key and set permissions according to P0