Thread: Hashing algorithm for shareware key generation/validation

  1. #1

    Hashing algorithm for shareware key generation/validation

    Does anyone know of a decent, hard-to-reverse algorithm for turning text into a key containing numbers and letters? Ideally, this algorithm will produce a key about 12 chars long and have a good chance of producing a unique key.

    I've considered MD5, but there appear to be lots of sources which claim to be able to obtain md5 encrypted passwords if they have the resulting hash. While I'm not overly worried about this, I would like an algorithm which is fairly reverse-proof.

    Failing that, is there a set of functions in FreePascal/Turbo Explorer for MD5? I.e. cross-platform ones I don't have to code myself.

  2. #2

    Hashing algorithm for shareware key generation/validation

    J

    I have converted units for TurboPower's encryption units, "LockBox". They work under Delphi and Free Pascal and include MD5, Blowfish, etc.

    I also know that TP OnGuard was posted to Lazarus, that might also include what you are after.

    D

  3. #3

    Hashing algorithm for shareware key generation/validation

    Reverse proof isn't necessary. Here's what I recommend:

    Use a "salt" that is hashed with your data. Hash multiple parts of unique data into the key. And then rehash the whole hash you just made plus your "salt" once more.

    The best way to do this is take the order information, like name, email, and address, for your data and then embed your salt in the application. Then upon receiving the order information you can activate it on the server side, and then the user enters the key they receive. It's almost flawless since even if it can be reverse engineered you should have a callback to check the validity of the key.

    Then you just do the callback and include specific system information, and collect other information on your site. Then you have a log. So if there are multiple simultaneous downloads/authentications ... you just nailed a pirate.

    Edit:

    As for the hashing, you can just use DCP. Or convert it to your own stuff. It has a ton of hashing algorithms, but a good one for your purpose is SHA1.
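
Added example, not code from any poster in this thread: the server side of the scheme post #3 describes, deriving a 12-character key from the order details and checking it in the validation callback. It swaps the hand-rolled "hash with salt, then rehash with salt" for HMAC-SHA256, the standard keyed two-pass hash construction. Assumptions: the secret stays on the server rather than in the shipped program, and the names `SERVER_SECRET`, `make_key` and `check_key` are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed placeholder value; assumed to be a random secret kept only on the server.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"
KEY_CHARS = 12  # key length asked for in post #1; base32 carries 5 bits per character


def _encode_fields(*fields: str) -> bytes:
    """Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently."""
    out = b""
    for field in fields:
        # Trim and lowercase so a re-typed name or email still maps to the same key.
        raw = field.strip().lower().encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def make_key(name: str, email: str, address: str,
             secret: bytes = SERVER_SECRET) -> str:
    """Derive a key of 12 letters/digits, grouped as XXXX-XXXX-XXXX."""
    tag = hmac.new(secret, _encode_fields(name, email, address),
                   hashlib.sha256).digest()
    text = base64.b32encode(tag).decode("ascii")[:KEY_CHARS]
    return "-".join(text[i:i + 4] for i in range(0, KEY_CHARS, 4))


def check_key(name: str, email: str, address: str, entered: str,
              secret: bytes = SERVER_SECRET) -> bool:
    """Validation callback: recompute the key and compare in constant time."""
    normalized = entered.replace("-", "").replace(" ", "").upper()
    expected = make_key(name, email, address, secret).replace("-", "")
    return hmac.compare_digest(normalized.encode("utf-8"),
                               expected.encode("ascii"))
```

Twelve base32 characters carry 60 bits of the tag, so the callback should also limit repeated attempts per order.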

  4. #4

    Re: Hashing algorithm for shareware key generation/validatio

    Quote Originally Posted by jasonf
    I've considered MD5, but there appear to be lots of sources which claim to be able to obtain md5 encrypted passwords if they have the resulting hash. While I'm not overly worried about this, I would like an algorithm which is fairly reverse-proof.
    There are algorithms known which calculate an md5 hash in a minute. However, someone who is able to reverse engineer that an md5 hash is being used might also be capable of modifying your license checking code. I think the safest solution is to use asymmetric cryptography; you then only build the public key into the program, which then decrypts a license file encrypted with your private key. You are then reasonably sure nobody can create license files other than you. It doesn't protect you against program modifications, though.

    Quote Originally Posted by jasonf
    Failing that, is there a set of functions in FreePascal/Turbo Explorer for MD5? I.e. cross-platform ones I don't have to code myself.
    There is an md5 unit shipped with fpc, ready to use.

  5. #5

    Hashing algorithm for shareware key generation/validation

    I am a lazy programmer and I used the JEDI Serial thingy. I have made some changes to the source so that it is not the same as everyone else's.

    I have in the past used Blowfish technology. The client when registering gives a number generated by the app based on hd serial and other unique stuff. That number is used to encrypt the serial key. If anything changes then the key is not decrypted and the software becomes demo again.

    Software I wrote years ago used to sell thousands of copies and there were cracks all over the place. Then I started using moneypump (out of business now) and have never seen a crack or keygen for that version.

    Craig
    Who is this "General Failure" and why is he reading my hard disk?