Keygens, Protection, Encryption Panel Registration Key Considerations (SIC ‘2001) Chris Thornton Thornsoft Development, Inc. [email protected] www.thornsoft.com/sic

Keygens, Protection, Encryption Panel
Registration Key Considerations

(SIC ‘2001)

Chris Thornton

Thornsoft Development, Inc.

[email protected]

www.thornsoft.com/sic

Why use registration keys at all?

• They’re so convenient! Both for us, and for the customer.
  – No special URLs to remember.
  – Easy to restore the registration after a system rebuild.

• A “Registered Version” can be traded anyway. This will be increasingly problematic with Napster/Wrapster/Gnutella, IRC, etc. (OOPS! Last year’s slide!)

Anti-Cracking

• The crackers will still crack you. That’s just the way it is.

• But if a user has to sift through 5 old non-functional keygens or published crack keys, they may decide that $20 isn’t so much to ask after all!

• Goal: Make the “crack experience” less enjoyable for the crack users.

Techniques

• Sprinkling
  – Spread the checks into various places in the program.

• Time Bombs

• Use “Message In A Bottle” technique

• Compression / Obfuscation

• And….

Partial Key Verification

• Don’t give the cracker enough information to build a complete key.
  – They can only build a keygen against what they see in the program. So, leave some of the checks out, and add them back into future releases.

• Each release only checks part of the key (Details on next slide)

• Each release of your software requires crackers to make a new keygen.

• Users aren’t impacted, as their keys have all correct digits.

Example of obsolete keygen.

The Mechanics

• I use the “If SampleKey = UserKey then Registered=True” algorithm. (standard stuff)

• To generate the SampleKey, first, I generate 10 “decoy” digits, from the user’s name.
  – Ex: for i := 0 to 9 do
          RegKey[i] := (Ord(CleanString[i]) * 2) Mod 10;

• Then, in the positions that I’m actually checking, I overwrite the decoys with digits generated by the actual algorithm, leaving decoys in the unchecked digits.
  – Ex: RegKey[7] := ((Ord(CleanString[1]) * 3) - Ord(CleanString[4])) Mod 10;

Mechanics (cont)

• In the previous example, the middle 5 digits are not checked. I don’t check the decoys.

• In the next release, I’ll add another digit, and take one more away. Forged keys can now be detected.

• Forged keys generate an error message, and invite the user to read more about the error at our web site. The target page logs their IP address, the name/key that was used, and the date/time.

• Future versions may not ask permission...

• But my customer’s keys, generated with all correct digits, will be just fine.

Reality Check

• 3657 visits to my “naughty pirate” page during the past month (June 17 - July 18, 2001), or avg 121/day.

• Next version won’t ask permission after 3rd violation - it will just bring up the web page automatically.

• Next version will shut down completely after 5th illegal use.

• I am considering a more “friendly” message and page. (honey vs. stick)

• I am seriously considering using stronger encryption in ClipMate 6.